users@glassfish.java.net

Authentication realm settings being ignored

From: <glassfish_at_javadesktop.org>
Date: Fri, 30 Nov 2007 10:51:40 PST

Hello!
    I am trying to figure out how authentication is enabled in Glassfish (Sun Java App server 9.1) and have read through the descriptions at these locations:
http://blogs.sun.com/manveen/entry/ldap_based_user_authentication_in
http://weblogs.java.net/blog/tchangu/archive/2007/01/ldap_security_r.html
https://glassfish.dev.java.net/javaee5/docs/DG/beabg.html#beabr

    I believe that I've done all the necessary changes, but no matter what settings I put into web.xml or sun-web.xml for the "hello" sample application, I can't get any authentication to occur when I go to the "hello" test page. It is as if all the configs I put in are being totally ignored. If I go to the administration console and display the descriptors for the hello app, I see the changes I've put into the files, but it doesn't seem to take, even if I restart the server. I don't see any error messages in the server.log to indicate that the files are incorrect.

    It looks like I'm missing something really basic, but I can't figure it out. Here are the contents of my $GLASSFISH/domains/domain1/applications/j2ee-modules/hello/WEB-INF/web.xml file:
<?xml version="1.0" encoding="UTF-8"?>

<!--
Copyright 2004-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-->

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>hello</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Testing</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>admin-realm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>

And here's the sun-web.xml from the same directory:

<?xml version="1.0" encoding="UTF-8"?>

<!--
Copyright 2004-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-->

<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
<sun-web-app>
<context-root>/hello</context-root>
<security-role-mapping>
<role-name>admin</role-name>
<principal-name>admin</principal-name>
<group-name>asadmin</group-name>
</security-role-mapping>
</sun-web-app>

I've tried to re-use the admin-realm, because I know that administrative authentication is working properly. The application in question is the "Hello" form input app that has Duke waving. It was autodeployed by dropping it into the autodeployment directory.

The app works fine, I just can't force any kind of authentication. Obviously I'm missing something really obvious - can someone spare a clue?

Thanks.
[Message sent by forum member 'sychan' (sychan)]

http://forums.java.net/jive/thread.jspa?messageID=248042
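
An added example, not part of the original post: a small consistency check for a web.xml / sun-web.xml pair like the one above. It reports HTTP methods left outside a security constraint and roles that are undeclared or unmapped; it does not diagnose why the poster's settings were ignored. The names `lint`, `find` and `texts` are hypothetical, and the embedded descriptors are constructed by abridging the ones in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the two descriptors from the post, abridged.
WEB_XML = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
<security-constraint>
<web-resource-collection><web-resource-name>Testing</web-resource-name>
<url-pattern>/*</url-pattern><http-method>DELETE</http-method><http-method>GET</http-method>
<http-method>POST</http-method><http-method>PUT</http-method></web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>admin-realm</realm-name></login-config>
<security-role><role-name>admin</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app><context-root>/hello</context-root>
<security-role-mapping><role-name>admin</role-name><principal-name>admin</principal-name>
<group-name>asadmin</group-name></security-role-mapping></sun-web-app>"""

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def find(root, name):
    """All elements with this local name, ignoring the XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(root, name):
    """Stripped, non-empty text of every element with this local name."""
    return {e.text.strip() for e in find(root, name) if e.text and e.text.strip()}

def lint(web_xml, sun_web_xml):
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    findings = []
    declared = set().union(*(texts(r, "role-name") for r in find(web, "security-role")))
    mapped = set().union(*(texts(m, "role-name") for m in find(sun, "security-role-mapping")
                           if texts(m, "principal-name") | texts(m, "group-name")))
    for sc in find(web, "security-constraint"):
        listed = texts(sc, "http-method")
        # Servlet spec: with no <http-method> the constraint covers every method;
        # with an explicit list it covers only the listed ones.
        if listed:
            findings += [f"method {m} is outside the constraint" for m in sorted(METHODS - listed)]
        for role in sorted(texts(sc, "role-name") - {"*"}):
            if role not in declared:
                findings.append(f"role {role} has no <security-role> declaration")
            if role not in mapped:
                findings.append(f"role {role} has no principal or group mapping")
    if not texts(web, "auth-method"):
        findings.append("no <login-config>/<auth-method>")
    return findings

if __name__ == "__main__":
    for finding in lint(WEB_XML, SUN_WEB_XML):
        print(finding)
```
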