Hello,
I seem to have a problem understanding how exactly the security constraints
regarding webpages work. I want several pages of my webapp to be only
available using HTTPS (sign up or payment pages). So I have set up my
web.xml as follows (almost exactly as shown at Sun's J2EE 5 tutorial):
  <security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/faces/jsp/ssl/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>all</role-name>
    </auth-constraint>
  </security-constraint>
Now, that seems to work halfway. Using Firefox, I am asked to accept the
certificate. As soon as I accept, I get an
"HTTP Status 403 - Access to the requested resource has been denied" error.
The URL points to the right page and also using HTTPS. I assume that I did
something wrong with the role-name. And that's the point that I don't really
understand. I left the <auth-constraint> out of web.xml but still same error.
I don't understand what value this tag should have. I don't have a role
configured and I also don't know where I should do this. I tried out putting
the role names in that I can see in the access.log file but with no success.
I understand the J2EE tutorial about logging in someone to https protected
pages. But to sign up on a website, there simply is no login (that's why you
have to sign up 8} ).
Can anyone see what I am doing wrong or point me to a tutorial that shows
how to protect a simple webpage (no login, no fuss)?
Thanks for any reply!
Cheers,
Joerg
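
Added example, not part of the original post: a small Python check that audits a web.xml for the points this question turns on, namely whether a constraint asks for TLS through <transport-guarantee>, whether its <auth-constraint> can be satisfied at all (a <login-config> and a declared <security-role>), and whether an <http-method> list leaves other methods unconstrained. The function name and finding labels are my own, and the sample descriptor is constructed from the constraint quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post inside a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/faces/jsp/ssl/*</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>all</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a {namespace} prefix


def _texts(node, name):
    """Text of every descendant element whose local name is `name`."""
    return [(e.text or "").strip() for e in node.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text):
    """Return (url_pattern, finding) pairs for each <security-constraint>."""
    root = ET.fromstring(xml_text)
    kids = lambda node, name: [c for c in node if _local(c.tag) == name]
    declared = {r for sr in kids(root, "security-role") for r in _texts(sr, "role-name")}
    has_login = bool(kids(root, "login-config"))
    findings = []
    for sc in kids(root, "security-constraint"):
        auth = kids(sc, "auth-constraint")
        for pattern in _texts(sc, "url-pattern"):
            if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
                findings.append((pattern, "no-transport-guarantee"))
            if _texts(sc, "http-method"):
                findings.append((pattern, "unlisted-methods-unconstrained"))
            if auth and not has_login:
                findings.append((pattern, "auth-constraint-without-login-config"))
            for role in (_texts(auth[0], "role-name") if auth else []):
                if role != "*" and role not in declared:
                    findings.append((pattern, "undeclared-role:" + role))
    return findings


if __name__ == "__main__":
    for pattern, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(pattern, finding)
```

A constraint that carries only a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>, no <auth-constraint> and no <http-method> list produces no findings: it requires HTTPS for the URL pattern without requiring a login.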