users@glassfish.java.net

Re: Strange behaviour on security-constraint's URL pattern

From: Joerg Gippert <jgippert_at_online.de>
Date: Tue, 10 Jun 2008 20:46:29 +0200

Hi Ron,

thank you for your reply. I was playing around with the config again and it
was pretty much what you assumed. Since I have mapped the JSF servlet to
"/faces/*" anything that I had put into my security constraint did not
really work. Now I changed my security constraint's url pattern to
"/faces/pages/ssl/*" and the correct pages (those in the ssl folder) are
protected. But I find the reaction of the server still quite confusing since
it partially does protect at least some parts of the webpage. That's the
case, if I only put "/pages/ssl/*" into the security constraint. But it
seems to work now. Thanks for the help!

Regards,
Joerg


----- Original Message -----
From: <glassfish_at_javadesktop.org>
To: <users_at_glassfish.dev.java.net>
Sent: Monday, June 09, 2008 11:18 PM
Subject: Re: Strange behaviour on security-constraint's URL pattern


>> Shouldn't the login window come on first before
>> anything of the protected
>> page is displayed?
>
> yes. I presume you have an appropriate mapping of login id's to your
> administrator role.
> what does your request uri look like? maybe it is being mapped outside of
> the protected space, prior to the access checks. for example, in
> Glassfish, the constraints are checked on the request uri, resulting from
> any welcome file mapping. in your case, maybe the uri that is being
> checked is not the one that you are entering (due to some welcome or jsf
> mapping).
>
> by default, we don't log failed webresourcepermission checks, or it would
> be easy to see the permission checks and their results. one way to see
> what is being checked would be to turn on FINE security logging, and look at
> the access control failure messages printed to the server.log. You should
> see checks of webuserdata and webresourcepermission objects.
>
> I am also not sure why you are seeing different behavior from different
> browsers, but maybe the browsers are acting differently wrt to resending
> the basic authenticator, on a subsequent session.
>
> Ron
> [Message sent by forum member 'monzillo' (monzillo)]
>
> http://forums.java.net/jive/thread.jspa?messageID=279263
>
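As an added illustration (not code from the thread or from GlassFish), here is a small Python model of servlet-spec url-pattern matching, run against constructed request URIs, showing why a constraint on "/pages/ssl/*" never sees the JSF-routed URI while "/faces/pages/ssl/*" does. The constraint names and sample URIs are assumptions made for the example.

```python
"""Model of servlet url-pattern matching as used for security-constraints.

Added example, not GlassFish code. Implements the four pattern forms of the
servlet spec: exact, path prefix ("/x/*"), extension ("*.ext") and default ("/").
"""


def pattern_matches(pattern: str, uri: str) -> bool:
    """True if a web.xml url-pattern matches a context-relative request URI."""
    if pattern == "/":
        # Default pattern: treated here as matching every URI (assumption,
        # mirrors how the default mapping is resolved for constraints).
        return True
    if pattern.endswith("/*"):
        # Path-prefix mapping: "/faces/*" matches "/faces" and "/faces/...",
        # but not "/facesx". Matching is on whole path segments.
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension mapping applies to the last path segment only.
        return uri.rsplit("/", 1)[-1].endswith(pattern[1:])
    return uri == pattern  # exact mapping


# Constructed constraints (assumed names): the pattern from the thread that
# only partially protected, beside the one that fixed it.
CONSTRAINTS = {
    "before": ["/pages/ssl/*"],
    "after": ["/faces/pages/ssl/*"],
}

# Constructed request URIs, not taken from the thread's logs.
SAMPLE_URIS = [
    "/faces/pages/ssl/login.jsp",    # what JSF mapped to /faces/* actually receives
    "/pages/ssl/login.jsp",          # the raw JSP path, outside the JSF mapping
    "/faces/pages/public/home.jsp",  # a page that should stay unconstrained
]


def matching_constraints(constraints: dict, uri: str) -> list:
    """Names of the constraints whose patterns cover this URI (sorted)."""
    return sorted(name for name, patterns in constraints.items()
                  if any(pattern_matches(p, uri) for p in patterns))


def coverage_report(constraints: dict, uris: list) -> dict:
    """Map each URI to the constraints that apply; an empty list means unprotected."""
    return {uri: matching_constraints(constraints, uri) for uri in uris}


if __name__ == "__main__":
    for uri, names in coverage_report(CONSTRAINTS, SAMPLE_URIS).items():
        print(f"{uri:32} -> {names or 'UNPROTECTED'}")
```

The report shows the "partial" protection Joerg saw: "/pages/ssl/*" only covers the raw JSP path, so a practitioner would list both the "/faces/pages/ssl/*" and the "/pages/ssl/*" patterns in the constraint to close the direct route as well.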