users@glassfish.java.net

Glassfish seems to be ignoring auth-constraint and realm.

From: <glassfish_at_javadesktop.org>
Date: Sun, 08 Jul 2007 01:20:04 PDT

I have a custom realm set up, and web.xml and sun-web.xml specified to demand basic auth, but GlassFish serves up files without ever requesting login. I've switched to the standard file realm to check out my setup, and I get the same happy ignorance of my auth-constraint. So maybe it's my config, maybe something else; any help appreciated. I just want the server to refuse access and prove that the constraints are in force. I've got the URL of the web resource set to /*, so any access should require authorization, but it never asks. There are no servlets or JSP pages in this simple test setup, just some static HTML pages. It does not seem to matter what realm-name I use; they are equally inconsequential and all files get served.

Thanks,
David

web.xml
------------------------

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

   <display-name>Project Beta</display-name>
   <description>
      My Project
   </description>

   <welcome-file-list>
      <welcome-file>
         index.html
      </welcome-file>
   </welcome-file-list>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Private Site</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>authorized</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myrealm</realm-name>
   </login-config>

   <security-role>
      <role-name>authorized</role-name>
   </security-role>

</web-app>

sun-web.xml
-----------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app>
   <security-role-mapping>
      <role-name>authorized</role-name>
      <group-name>authorized</group-name>
   </security-role-mapping>
</sun-web-app>
[Message sent by forum member 'dberkman' (dberkman)]

http://forums.java.net/jive/thread.jspa?messageID=225634
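
Added example, not part of the original post and not GlassFish code: a static cross-check of the two descriptors above that reports where declarative security would leave a resource open or a role unusable. It does not explain why the server skipped the login prompt in this thread. The name `lint_descriptors` is hypothetical, and the embedded XML is a constructed sample trimmed from the posted files.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the descriptors in the post above.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private Site</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authorized</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>myrealm</realm-name></login-config>
  <security-role><role-name>authorized</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping>
  <role-name>authorized</role-name><group-name>authorized</group-name>
</security-role-mapping></sun-web-app>"""

def _all(elem, name):
    # Match on local name so the j2ee default namespace does not matter.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(elems, name):
    return {(e.text or "").strip() for p in elems for e in _all(p, name)}

def lint_descriptors(web_xml, sun_web_xml):
    """Return findings (strings) for gaps in declarative web security."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    findings, mapped = [], set()
    declared = _texts(_all(web, "security-role"), "role-name")
    for m in _all(sun, "security-role-mapping"):
        if _texts([m], "group-name") | _texts([m], "principal-name"):
            mapped |= _texts([m], "role-name")
    basic = "BASIC" in _texts(_all(web, "login-config"), "auth-method")
    for sc in _all(web, "security-constraint"):
        name = ", ".join(sorted(_texts([sc], "web-resource-name"))) or "(unnamed)"
        auth = _all(sc, "auth-constraint")
        if not auth:  # a constraint without auth-constraint demands no login
            findings.append(f"{name}: no auth-constraint, so no login is required")
        for role in sorted(_texts(auth, "role-name") - {"*"}):
            if role not in declared:
                findings.append(f"{name}: role '{role}' has no security-role")
            if role not in mapped:
                findings.append(f"{name}: role '{role}' has no security-role-mapping")
        if _texts([sc], "http-method"):  # unlisted methods stay unprotected
            findings.append(f"{name}: only the listed HTTP methods are constrained")
        if basic and not {"CONFIDENTIAL", "INTEGRAL"} & _texts([sc], "transport-guarantee"):
            findings.append(f"{name}: BASIC credentials are not forced onto TLS")
    return findings
```

On the sample, the only finding is the `NONE` transport guarantee combined with BASIC, which lets the base64-encoded credentials travel over plain HTTP.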