1 Reply Latest reply on May 7, 2002 3:12 PM by Matt

    JBoss 3.0 RC1 ignores my .war file's security-constraint

    Matt Newbie

      The subject sort of says it all. I have a .war file that is successfully deployed, it contains a security constraint to restrict everything under a certain directory to an admin role. When I access those resources, I am not presented with a dialog box to enter a username or password. The auth-method is set to BASIC, and my users.properties and roles.properties files are located in $JBOSS_HOME/server/default/conf

      I have not changed anything else. It is my understanding that authentication should default to org.jboss.security.auth.spi.UsersRolesLoginModule. At the very least, if I have specified a security-constraint, shouldn't JBoss disallow access to the url-pattern even if it can't find an authorization mechanism?

      I should also mention that I have tried placing the users.properties and roles.properties files in various places which I will list here, but JBoss gives me no indication of ever finding them, or looking for them in any of the logged output, list follows:

      $JBOSS_HOME/lib
      $JBOSS_HOME/server
      $JBOSS_HOME/server/default
      $JBOSS_HOME/server/default/deploy
      $JBOSS_HOME/server/default/conf
      My system classpath
      under WEB-INF/classes in the deployed .war

      Thanks for reading,
      Matt