users@glassfish.java.net

Strange behaviour on security-constraint's URL pattern

From: <glassfish_at_javadesktop.org>
Date: Mon, 09 Jun 2008 02:27:44 PDT

Hello,

I'm having some problems using security constraints in my webapp. My entry
in the web.xml looks like this (generated by NetBeans 6.1):
<!-- web.xml fragment: protect every URL, require the "administrators" role and SSL -->
<security-constraint>
    <display-name>Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>const</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- HTTP Basic authentication against the "userauth" realm -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>userauth</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>users</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>administrators</role-name>
</security-role>

Now, when I enter the URL in my browsers, I get asked for username and
password and the connection is also SSL encrypted. If I enter a wrong
username/password or cancel the login, I get a 401 error. That's what I
expected.

In my web folder, I do have another folder called "pages" and in this folder
there is a subfolder called "ssl". The ssl folder is the one I want to be
protected. So I change the URL pattern to /pages/ssl/*. However, I now get
a strange behaviour in several web browsers.

1. The text elements of the protected pages are displayed (but no CSS or
graphics) first AND THEN the basic login popup window comes up asking for
username and password. Shouldn't the login window come up first, before
anything of the protected page is displayed?

2. Same behaviour, but now I try to cancel the login window: it takes up to
4 clicks on the "cancel" button to cancel the login procedure. No 401 error
is displayed, half the page still shows up (only text, no CSS or gfx) and
the page is also not SSL encrypted anymore.

I'm only using JSF, no other frameworks or additional security frameworks. I
also have a JDBC realm where the users are stored and looked up. Can anybody
explain this behaviour and what I am doing wrong? Any help is greatly
appreciated!

Regards,
Jörg
[Message sent by forum member 'jgippert' (jgippert)]

http://forums.java.net/jive/thread.jspa?messageID=279063
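As an added check that is not part of the original thread: the script below models how a servlet container matches a security-constraint's url-pattern against the request path (Servlet spec rules: exact, path-prefix, extension and default patterns), so you can see which paths a pattern such as /pages/ssl/* does and does not cover. It assumes, since the post does not say, that the JSF pages are reached through a FacesServlet prefix mapping such as /faces/*; under that assumption a request to /faces/pages/ssl/index.jsp falls outside /pages/ssl/* while the stylesheet at /pages/ssl/style.css falls inside it, which is one thing worth checking when text appears before the login prompt but CSS and images do not.

```python
# Added example (not from the original post): a small model of Servlet-spec
# url-pattern matching, used to check what a <security-constraint> covers.
from typing import Iterable, List, Tuple


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Match one <url-pattern> against a request path (context-relative,
    query string excluded) using the Servlet spec's four pattern kinds."""
    if pattern == "/":                      # default-servlet pattern: everything
        return True
    if pattern.endswith("/*"):              # path-prefix pattern, e.g. /pages/ssl/*
        prefix = pattern[:-2]               # "/*" has an empty prefix: matches all
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension pattern, e.g. *.jsf
        return path.endswith(pattern[1:])
    return path == pattern                  # exact match


# A constraint is modelled as (url-patterns, http-methods); an empty method
# list means "all methods", as it does when <http-method> is omitted.
Constraint = Tuple[List[str], List[str]]


def is_protected(constraints: Iterable[Constraint], method: str, path: str) -> bool:
    """True if any constraint's web-resource-collection covers this request."""
    for patterns, methods in constraints:
        if methods and method.upper() not in methods:
            continue
        if any(url_pattern_matches(p, path) for p in patterns):
            return True
    return False


# Constructed sample: the poster's constraint after narrowing it to /pages/ssl/*.
SSL_CONSTRAINT: List[Constraint] = [
    (["/pages/ssl/*"], ["GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE"])
]

if __name__ == "__main__":
    # Assumed paths: a direct JSP hit, its stylesheet, the same page via the
    # (assumed) /faces/* FacesServlet mapping, and a sibling folder.
    for p in ["/pages/ssl/index.jsp", "/pages/ssl/style.css",
              "/faces/pages/ssl/index.jsp", "/pages/sslx/index.jsp"]:
        print(f"{p:32} protected={is_protected(SSL_CONSTRAINT, 'GET', p)}")
```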