The subject sort of says it all. I have a .war file that is successfully deployed, it contains a security constraint to restrict everything under a certain directory to an admin role. When I access those resources, I am not presented with a dialog box to enter a username or password. The auth-method is set to BASIC, and my users.properties and roles.properties files are located in $JBOSS_HOME/server/default/conf
I have not changed anything else. It is my understanding that authentication should default to org.jboss.security.auth.spi.UsersRolesLoginModule. At the very least, if I have specified a security-constraint, shouldn't JBoss disallow access to the url-pattern even if it can't find an authorization mechanism?
I should also mention that I have tried placing the users.properties and roles.properties files in various places which I will list here, but JBoss gives me no indication of ever finding them, or looking for them in any of the logged output, list follows:
$JBOSS_HOME/lib
$JBOSS_HOME/server
$JBOSS_HOME/server/default
$JBOSS_HOME/server/default/deploy
$JBOSS_HOME/server/default/conf
My system classpath
under WEB-INF/classes in the deployed .war
Thanks for reading,
Matt
Answering own question... I didn't have a jboss-web.xml file.