Why asked to authenticate multiple times?
kdolan1 Jun 13, 2012 12:52 PM
In JBoss 7.1.1 Final, I have an EAR that contains multiple WAR files. When I hit my application for the first time, I get a login screen, enter a valid user name and password and click OK. This brings me to the main screen in my application. I next click a link to go to another screen and am prompted again to authenticate (this time via the standard basic authentication dialog).
Additional Facts:
* The standalone.xml file includes <security-domain name="MyCompany"> referencing a custom login module. My assumption is this is configured correctly since when I do enter a user name and password, it is validated correctly.
* MyWar1.war contains:
-- web.xml w/ the following
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Main</web-resource-name>
    <url-pattern>/user</url-pattern>
    <url-pattern>/user/</url-pattern>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
...
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/denied.jsp</form-error-page>
  </form-login-config>
</login-config>
...
<security-role>
  <role-name>*</role-name>
</security-role>
-- jboss-web.xml w/ the following
<security-domain>MyCompany</security-domain>
* MyWar2.war contains:
-- web.xml w/ the following
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Service</web-resource-name>
    <url-pattern>/LibraryService</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>
-- jboss-web.xml w/ the following
<security-domain>MyCompany</security-domain>
* MyEar.ear
-- application.xml w/ the following
<module>
  <web>
    <web-uri>MyWar1.war</web-uri>
    <context-root>MyApp</context-root>
  </web>
</module>
...
<module>
  <web>
    <web-uri>MyWar2.war</web-uri>
    <context-root>MainLibrary</context-root>
  </web>
</module>
When I log into the application, the URL is http://ip:port/MyApp/user. Since MyApp is actually MyWar1.war and /user is configured w/ a security constraint, I expect to get the custom login page and I do.
When I click on the next link, the URL posted is http://ip:port/MainLibrary/LibraryService. Since MainLibrary is actually MyWar2.war and /LibraryService is configured w/ a security constraint, I expect it to require authentication BUT I expected it to be covered by the initial authentication request. Instead, the URL response was HTTP 401 Unauthorized and I received the Basic authentication dialog that said "A username and password are being requested by http://ip:port. The site says: "Realm"".
This worked in JBoss 4.0.1sp1 which is the version of JBoss I'm trying to upgrade from. Is there something I'm missing? I've read various JBoss articles, documentation, posts and do not see what might have changed or what I'm doing wrong.
BTW - I don't really understand the cache-type attribute on the <security-domain> element and the impact it has on authentication but I thought I'd try adding it (set to default) but it did not change a thing.
Thanks,
Kelly