users@glassfish.java.net

Web user security not working in Glassfish 3.1.1

From: <forums_at_java.net>
Date: Wed, 9 Nov 2011 09:13:57 -0600 (CST)

I just upgraded to Glassfish 3.1.1 from Glassfish 3.1 and I am having issues
with web user security. To simply reproduce the issue, I created a very
simple web project with just one content /index.html file in it, the files
for form based login, and the required web descriptors.

My web.xml contains the security constraints (shown below) and I am using
Default Principal to Role Mapping, as I was in Glassfish 3.1. I have a user
in the group "user". When I try to access the test web page, the login form
page /login.html correctly asks for a login and password. If I enter a wrong
password, the failed authentication /noauth.html page shows up, but when I
enter the correct username and password, the /login.html shows up again. This
suggests that the authentication is working but the role based authorization
is failing. I have even tried to add the mapping of role to group explicitly
in the glassfish-web.xml but that does not work either.

Any help/suggestions would be most appreciated: I am hoping I am making some
simple mistake and this is not a bug...

 I am attaching the war file I have created to present the test case.

...


<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/index.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>file-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/noauth.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
...

--
[Message sent by forum member 'goblue2003']
View Post: http://forums.java.net/node/861990
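
A consistency check for the role wiring described in the post above, as an added example that is not part of the original message or of GlassFish. It reports roles used in an auth-constraint that are not declared in security-role and, when default principal-to-role mapping is off, roles with no explicit security-role-mapping. The function names, the default_mapping parameter and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.xml fragment wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

# Constructed sample: an explicit role-to-group mapping for glassfish-web.xml.
GF_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def _parse(xml_text):
    """Parse a descriptor and drop XML namespaces so plain tag names match."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _names(root, path):
    return {(e.text or "").strip() for e in root.findall(path)}

def check_roles(web_xml, gf_web_xml=None, default_mapping=True):
    """Return findings about how auth-constraint roles are declared and mapped."""
    web = _parse(web_xml)
    used = _names(web, "security-constraint/auth-constraint/role-name") - {"*"}
    declared = _names(web, "security-role/role-name")
    findings = [f"role '{r}' is used in auth-constraint but not declared in security-role"
                for r in sorted(used - declared)]
    mapped = set()
    if gf_web_xml:
        for m in _parse(gf_web_xml).findall("security-role-mapping"):
            if m.find("group-name") is not None or m.find("principal-name") is not None:
                mapped.add((m.findtext("role-name") or "").strip())
    # Assumption: the caller states whether the server's default mapping is enabled.
    if not default_mapping:
        findings += [f"role '{r}' has no security-role-mapping in glassfish-web.xml"
                     for r in sorted(used - mapped)]
    return findings
```

An empty list means the role names line up across the descriptors; it says nothing about the realm or the server's own settings.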