users@glassfish.java.net

Re: Question to SSL (HTTPS)

From: Wolfram Rittmeyer <w.rittmeyer_at_jsptutorial.org>
Date: Mon, 24 Mar 2008 22:17:06 +0100

Joerg Gippert wrote:
> Hello,
>
> I seem to have a problem to understand how exactly the security
> constraints regarding webpages work. I want several pages of my webapp
> to be only available using HTTPS (sign up or payment pages). So I have
> set up my web.xml as follows (almost exactly as shown at Sun's J2EE 5
> tutorial):
>
> <security-constraint>
> <display-name>Security Constraint</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Area</web-resource-name>
> <url-pattern>/faces/jsp/ssl/*</url-pattern>
> <http-method>DELETE</http-method>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>PUT</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>all</role-name>
> </auth-constraint>
> </security-constraint>
>

To enforce the usage of SSL, add a user-data-constraint element:

<user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Also, the value for "all" is the asterisk (*), but then again it would be
better to omit this element.
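As an added illustration (not part of the original mail), the security-constraint as posted beside the variant that matches the advice above: no auth-constraint for pages that need no login, and a CONFIDENTIAL transport guarantee so the container redirects http:// requests to HTTPS. The HTTPS port 8181 mentioned in a comment is the GlassFish default and an assumption here.

```xml
<!-- Added example, not from the original mail or the J2EE tutorial. -->

<!-- As posted: the auth-constraint names a role ("all") that the app
     never declares, so the container has to authenticate and authorise
     every request before serving these pages; the poster sees a 403.
     There is no user-data-constraint, so plain HTTP is accepted too. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/faces/jsp/ssl/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>all</role-name>
  </auth-constraint>
</security-constraint>

<!-- Corrected for pages that need no login (sign-up, payment entry):
     no auth-constraint at all, so anybody may reach the pages, and
     CONFIDENTIAL so the container redirects http:// requests for them
     to the HTTPS port (8181 on a default GlassFish install, assumed). -->
<security-constraint>
  <display-name>HTTPS only, no login</display-name>
  <web-resource-collection>
    <web-resource-name>Sign-up and payment pages</web-resource-name>
    <url-pattern>/faces/jsp/ssl/*</url-pattern>
    <!-- No http-method list: the constraint then covers every method.
         Listing only GET and POST would leave HEAD, OPTIONS and the
         rest of the methods unconstrained for these URLs. -->
  </web-resource-collection>
  <!-- Do not write <auth-constraint/> here: an empty auth-constraint
       denies every request, which is not the same as omitting it.
       If a role really were wanted, it would also have to be declared
       in a <security-role> element and paired with a <login-config>. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After changing web.xml, redeploy (see the note on directory-based deployment below) and request the page over plain http:// to confirm the redirect to https:// happens before any content is served.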


> Now, that seems to work half way. Using Firefox, I am asked to accept
> the certificate. As soon as I accept, I get an "
> HTTP Status 403 - Access to the requested resource has been denied"
> error. The URL points to the right page and also using HTTPS. I assume
> that I did something wrong with the role-name. And that's the point that
> I don't really understand. I left the <auth-constraint> out of web.xml
> but still same error. I don't understand what value this tag should
> have. I don't have a role configured and I also don't know where I
> should do this. I tried out putting in the role names that I can see in
> the access.log file but with no success. I understand the J2EE tutorial
> about logging someone in to https protected pages. But to sign up on a
> website, there simply is no login (that's why you have to sign up 8} ).
>

Since I missed it once myself: Do you redeploy war-files or do you work
with a directory-based deployment? If you are using the latter you must
always undeploy the app and then redeploy it. Otherwise configuration
changes (like changing lines in the web.xml) do not apply.


--
Wolfram Rittmeyer
> Can anyone see, what I am doing wrong or point me to a tutorial, that 
> shows how to protect a simple webpage (no login, no fuzz)?
> 
> Thanks for any reply!
> 
> Cheers,
> Joerg