users@glassfish.java.net

Re: Why isn't the login popup not triggered for secured page

From: <glassfish_at_javadesktop.org>
Date: Mon, 08 Mar 2010 08:21:50 PST

There are a lot of different, and perhaps inconsistent, facets to the posts below, so it is hard to say exactly what is going on.

In the first post, note that according to the login-config element of the web.xml, you have configured Form Based Login (not Basic Auth), and the app has been configured to use a realm named "deliverySecurity".

Since we don't have the entire configuration, we can't see the context-root under which the app is deployed, but from the security-constraint, we can see that only resources at context-root/security/* will require authentication.

It would help to see the specific request URL that you are testing with, but my guess is that you are testing with some requests that are actually being served by other apps than the app for which you have provided the web.xml.

Regarding the second post (as mentioned above), the trace suggests you are comparing requests that are mapped to different apps, which themselves are configured to use different realms. For better or worse, the default config of the admin-realm contains an admin user with a zero-length password. As an ease-of-use feature, the admin application does not require that you provide a username and password (you must change the password of the admin user if you want to force a password collection during web based accesses to the admin app).

The second example in the second post would indicate that you issued a request to authenticate with perhaps a third application, since it indicates that the app was configured to use the realm *emsSecurity*. I can only guess why a password would not be required, but it may be that this app was configured to use BASIC AUTH (in its login-config). In BASIC AUTH the browser caches collected credentials, and returns them in response to authentication challenges from the servlet container. As such, it looks like no password is being provided, even though the browser is providing them for you. A browser typically dumps its cache of BASIC AUTH credentials when you quit the browser. You might try quitting your browser and reissuing the request to see if that causes you to be prompted for creds. FWIW, these properties of BASIC AUTH have nothing to do with Glassfish; they are endemic to HTTP BASIC auth.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]

http://forums.java.net/jive/thread.jspa?messageID=390667
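
An added example, not part of the original message or of GlassFish: a small Python check of which request paths a web.xml actually protects, and which are outside the app's context-root altogether, as the reply describes. The web.xml is constructed (only the FORM method, the realm name and the /security/* pattern come from the thread); the context-root `/delivery`, the role name and the sample URLs are assumptions, and http-method restrictions are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the poster's file). Only the realm name, FORM
# auth method and the /security/* pattern are taken from the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/security/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>deliverySecurity</realm-name>
  </login-config>
</web-app>"""

def load_config(web_xml):
    """Return the auth method, realm and URL patterns that require a login."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.findall(".//{*}security-constraint"):
        # Only constraints with an auth-constraint force authentication.
        if sc.find("{*}auth-constraint") is not None:
            patterns += [p.text.strip() for p in sc.findall(".//{*}url-pattern")]
    return {"auth_method": root.findtext(".//{*}auth-method"),
            "realm": root.findtext(".//{*}realm-name"),
            "patterns": patterns}

def matches(pattern, path):
    """Servlet-style match: '/dir/*' prefix, '*.ext' suffix, otherwise exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def classify(request_path, context_root, cfg):
    """Say whether this app's constraints apply to a request path."""
    if request_path != context_root and not request_path.startswith(context_root + "/"):
        return "other-app"  # request is mapped to a different application
    rel = request_path[len(context_root):] or "/"
    return "login-required" if any(matches(p, rel) for p in cfg["patterns"]) else "unprotected"

if __name__ == "__main__":
    cfg = load_config(WEB_XML)
    for url in ("/delivery/security/report.jsp", "/delivery/index.jsp", "/ems/security/x"):
        print(url, "->", classify(url, "/delivery", cfg), cfg["auth_method"], cfg["realm"])
```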