users@glassfish.java.net

Re: Authentication realm settings being ignored

From: <glassfish_at_javadesktop.org>
Date: Sat, 01 Dec 2007 18:14:00 PST

Ooh. HTTP Basic Auth. Browsers behave differently (and maybe mysteriously) with it.

So, first of all, if you have tightened the security on all the pages, what should have
happened is the server should have sent you a "WWW:Authenticate" challenge which
makes the browser pop up a user-name/password window. In this case, since your
web.xml shows that ALL the resources are protected, you must have gotten the
user-name/password window. Since you haven't gotten it (that's what seems to be
your experience), the browser has sent the credentials as a request header!

If my suspicion sounds reasonable, I'd suggest the following:
- Use Firefox 2.x.
- Install https://addons.mozilla.org/en-US/firefox/addon/60 -- the web-developer
  extension and clear the HTTP-Basic Auth information from browser cache.

Now, you should get the expected behavior, in that the challenge window should pop up.

Then comes the question of using the admin-realm for this application. I don't think
it is possible by following the procedure you have done. You need to do more :)

More as we make progress ...

Regards,
Kedar
[Message sent by forum member 'km' (km)]

http://forums.java.net/jive/thread.jspa?messageID=248153
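
The behavior described in the message above, as an added example that is not part of the original post or of GlassFish: a toy server and browser showing that cached Basic credentials suppress the login dialog, and that clearing the cache brings the challenge back. The realm name, the account and the Browser class are constructed for illustration.

```python
import base64
import hmac

REALM = "example-realm"         # constructed; not taken from the thread
USERS = {"alice": "s3cret"}     # constructed test account


def b64(text):
    return base64.b64encode(text.encode()).decode()


def server(headers):
    """Protected resource: return (status, response_headers)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:      # bad base64 or bad UTF-8: treat as no credentials
            decoded = ""
        user, _, password = decoded.partition(":")
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(
                password.encode(), expected.encode()):
            return 200, {}
    # Missing or wrong credentials: challenge the client.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Browser:
    """Toy client that remembers Basic credentials per realm."""

    def __init__(self):
        self.cache = {}     # realm -> "user:password"
        self.prompts = 0    # number of login dialogs the user saw

    def get(self, typed):
        """Fetch the resource; `typed` is what the user enters if prompted."""
        headers = {}
        if REALM in self.cache:
            # Cached credentials go out with the first request, so the
            # server never needs to challenge and no dialog appears.
            headers["Authorization"] = "Basic " + b64(self.cache[REALM])
        status, resp = server(headers)
        if status == 401 and "WWW-Authenticate" in resp:
            self.prompts += 1
            status, resp = server({"Authorization": "Basic " + b64(typed)})
            if status == 200:
                self.cache[REALM] = typed
        return status
```
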