2 Replies Latest reply on Feb 24, 2003 3:44 AM by Shane

    welcome- file security bug ? WebLogic works - JBoss doesn;t

    Shane Newbie

      We are getting to our welcome page (index.jsp), by typing in the context-root in the browser, which is secured, without being asked to login. This is a security risk. However, if we type in the full url i.e. http://localhost:8080/SmartESWeb/private/index.jsp when are then asked to login, but not when we use http://localhost:8080/SmartESWeb.
      We have tried everything and this will not work and it needs to! This does work in WebLogic however. The xml files are below.

      The web directory looks like this :-
      /login.jsp
      /loginerror.jsp
      /logout.jsp
      /private/index.jsp
      /private/accounts.jsp

      application.xml snippet
      -----------------------


      <web-uri>SmartESWeb.war</web-uri>
      <context-root>SmartESWeb</context-root>



      web.xml snippet
      ---------------
      <web-app>
      .
      .
      .
      <session-config>
      <session-timeout>5</session-timeout>
      </session-config>
      <welcome-file-list>
      <welcome-file>statements/test.html</welcome-file>
      </welcome-file-list>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>SmartESWeb</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <url-pattern>/FrontController</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>SmartESUser</role-name>
      <role-name>Tester</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>OpenLDAPRealm</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      <role-name>SmartESUser</role-name>
      </security-role>
      <security-role>
      <role-name>Tester</role-name>
      </security-role>
      </web-app>

      jboss-web.xml
      -------------
      <jboss-web>
      <security-domain>java:/jaas/OpenLDAPRealm</security-domain>
      </jboss-web>

      jboss.xml
      ---------

      <security-domain>java:/jaas/OpenLDAPRealm</security-domain>

      What are we missing or doing wrong? Can anybody help?

      Shane.