Setting default security-constraint in conf/web.xml disables
iwadasn Oct 4, 2005 11:38 AM
If you place a default security setting in conf/web.xml, for instance this one...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the login configuration for this application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>General Web domain</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>The role that is required to log into the web system.</description>
  <role-name>user</role-name>
</security-role>
Then it works correctly. If you then want to tighten security on another area, like this...
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ml_backoff-dev</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>ml_backoff-dev</role-name>
</security-role>
and correctly set up the jboss-web.xml file, like so...
<!-- Uncomment the security-domain to enable security. You will
     need to edit the htmladaptor login configuration to set up the
     login modules used to authenticate users. -->
<security-domain>java:/jaas/highbridge</security-domain>
Nothing happens.
If, however, you use a different security domain (not the one used in the default configuration), then it also works properly, like so...
<!-- Uncomment the security-domain to enable security. You will
     need to edit the htmladaptor login configuration to set up the
     login modules used to authenticate users. -->
<security-domain>java:/jaas/jmx-console</security-domain>
How do I fix this?