2 Replies Latest reply on Feb 24, 2003 3:44 AM by tentacle

welcome- file security bug ? WebLogic works - JBoss doesn;t

tentacle Feb 21, 2003 2:46 AM

We are getting to our welcome page (index.jsp), by typing in the context-root in the browser, which is secured, without being asked to login. This is a security risk. However, if we type in the full url i.e. http://localhost:8080/SmartESWeb/private/index.jsp when are then asked to login, but not when we use http://localhost:8080/SmartESWeb.
We have tried everything and this will not work and it needs to! This does work in WebLogic however. The xml files are below.

The web directory looks like this :-
/login.jsp
/loginerror.jsp
/logout.jsp
/private/index.jsp
/private/accounts.jsp

application.xml snippet
-----------------------

<web-uri>SmartESWeb.war</web-uri>
<context-root>SmartESWeb</context-root>

web.xml snippet
---------------
<web-app>
.
.
.
<session-config>
<session-timeout>5</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>statements/test.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>SmartESWeb</web-resource-name>
<url-pattern>/private/*</url-pattern>
<url-pattern>/FrontController</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SmartESUser</role-name>
<role-name>Tester</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>OpenLDAPRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>SmartESUser</role-name>
</security-role>
<security-role>
<role-name>Tester</role-name>
</security-role>
</web-app>

jboss-web.xml
-------------
<jboss-web>
<security-domain>java:/jaas/OpenLDAPRealm</security-domain>
</jboss-web>

jboss.xml
---------

<security-domain>java:/jaas/OpenLDAPRealm</security-domain>

What are we missing or doing wrong? Can anybody help?

Shane.

1. Re: welcome- file security bug ? WebLogic works - JBoss does

l.g. Feb 21, 2003 1:19 PM (in response to tentacle)

if you want to secure http://localhost:8080/SmartESWeb
then replace
<web-resource-name>SmartESWeb</web-resource-name>
<url-pattern>/private/*</url-pattern>
with
<web-resource-name>SmartESWeb</web-resource-name>
<url-pattern>/*</url-pattern>
Actions
2. Re: welcome- file security bug ? WebLogic works - JBoss does

tentacle Feb 24, 2003 3:44 AM (in response to tentacle)

Yes, I agree that this secures the whole of SmartESWeb, but what if I only wanted to secure a particular directory? Also, if I attempt to login with the incorrect details, an authentication exception is thrown, but JBoss continues and tries to access server side classes, without showing the login error page specified in the web.xml file.
Any ideas?
Actions

Go to original post