7 Replies Latest reply on Mar 21, 2008 4:53 AM by Antoine Herzog

    Best practice: secure direct web app access

    Carsten Rudat Novice

      Hi all,

      I'd like to know how I secure the access to a web app that runs as a portlet. I have the portlet secured by a <security-constraint> in the *-object.xml, but if I call http(s)://server:port/my-web-app-context-root/folder-in-war/resource I get the content delivered without being logged in.

      Now, if I configured a <security-constraint> in my web.xml (with the same user role and security-domain as for the portlet) JBoss asks for a username and password (BASIC-auth). That's quite good, but it asks for username and password for the portlet, too - even if I logged in.

      What are the best practices for that?

      Thanks,
      Carsten