users@glassfish.java.net

Please help me verify this security bug

From: <glassfish_at_javadesktop.org>
Date: Tue, 10 Jul 2007 22:36:37 PDT

I have a very simple web application which exists only to test security constraints in Glassfish. It's been driving me crazy because Glassfish refuses to enforce the constraint, and simply serves the pages unhindered by what's in web.xml. So I downloaded Tomcat version 6.0, installed it, and uploaded the exact same war file. Tomcat enforces the security constraint as specified. The realm doesn't even exist in Tomcat, so you can't log in, but Tomcat does demand the login and refuses to serve the protected resources without it. Shut down Tomcat, started up Glassfish, uploaded the same war file to check it one last time, and Glassfish still ignores the security. I'm thinking this must be a bug, but I can't believe nobody else has complained about it. Can some kind person try this application in their Glassfish installation and tell me if it recognizes the security constraint?

web.xml
-------------------
<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

   <display-name>My Project</display-name>
   <description>
      A project
   </description>

   <welcome-file-list>
      <welcome-file>
         index.html
      </welcome-file>
   </welcome-file-list>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Private Site</web-resource-name>
         <url-pattern>/private/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>authorized</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>file</realm-name>
   </login-config>

   <security-role>
      <role-name>authorized</role-name>
   </security-role>

</web-app>

index.html
--------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <title>Test Index Page</title>
</head>
<body>
Try this <a href="private/notouch.html">secret page</a>
</body>
</html>

private/notouch.html
-----------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Test Private Page</title>
</head>
<body>
Can't touch this!
</body>
</html>
[Message sent by forum member 'dberkman' (dberkman)]

http://forums.java.net/jive/thread.jspa?messageID=226107
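The following is an added example, not part of the thread above and not GlassFish or Tomcat code. It parses the posted web.xml, applies the Servlet url-pattern forms (exact, path prefix such as /private/*, extension *.ext, and the default /) to decide which roles a request path requires, and includes a small probe that asks a running server for the protected page without credentials and reports whether it returned the 401 BASIC challenge the constraint should produce. The constructed web.xml is a trimmed copy of the one in the post, the base URL in the probe is a placeholder, and the rule for combining several matching constraints (union of roles; any matching constraint without an auth-constraint makes the path unrestricted) is a deliberate simplification of the spec.

```python
"""Hypothetical helper (not from the thread): decide which roles a request path
requires under a web.xml's <security-constraint> elements, and probe a running
server for the BASIC challenge that an enforced constraint must produce."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the elements of the posted web.xml that drive authorization.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Private Site</web-resource-name>
         <url-pattern>/private/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>authorized</role-name>
      </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>file</realm-name>
   </login-config>
</web-app>
"""


def pattern_matches(pattern, path):
    """The four url-pattern forms: exact match, path prefix ('/dir/*'),
    extension ('*.ext') and the default pattern '/' that matches everything."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        # '/private/*' covers '/private' itself and anything below it,
        # but not a sibling such as '/privateer.html'.
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def parse_constraints(xml_text):
    """Return a list of (url_patterns, roles) pairs. roles is None when the
    constraint has no <auth-constraint> (unrestricted) and an empty set when
    <auth-constraint/> is present but names no role (nobody may access)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in
                    sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else {
            r.text.strip() for r in ac.findall("j:role-name", NS)}
        constraints.append((patterns, roles))
    return constraints


def required_roles(constraints, path):
    """None if the path is unrestricted, otherwise the set of roles allowed.
    Simplification (an assumption, not the full spec): roles of all matching
    constraints are unioned, and any matching constraint without an
    auth-constraint makes the path unrestricted."""
    matched, roles = False, set()
    for patterns, cons_roles in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if cons_roles is None:
            return None
        matched = True
        roles |= cons_roles
    return roles if matched else None


def is_permitted(constraints, path, user_roles):
    """Authorization decision for a caller holding user_roles (empty set means
    unauthenticated). '*' in the constraint admits any authenticated caller."""
    required = required_roles(constraints, path)
    if required is None:
        return True
    if "*" in required:
        return bool(user_roles)
    return bool(required & set(user_roles))


def probe(base_url, path, timeout=5):
    """GET the path with no credentials and return (status, WWW-Authenticate).
    An enforced BASIC constraint gives 401 and 'Basic realm="..."'; a 200 means
    the container served the protected page, which is the symptom in the post."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


if __name__ == "__main__":
    cons = parse_constraints(WEB_XML)
    for p in ("/index.html", "/private/notouch.html", "/private", "/privateer.html"):
        print(f"{p:28} requires {required_roles(cons, p)}")
    # Placeholder base URL; uncomment to check a deployed copy of the war:
    # print(probe("http://localhost:8080/myproject", "/private/notouch.html"))
```

The static part tells you what the container should do for a given path; the probe tells you what it actually does. Expect (401, 'Basic realm="file"') from the probe when the constraint is enforced and (200, None) when it is being ignored.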