1 Reply Latest reply on Aug 28, 2005 1:54 PM by starksm64

    J2EE Authentication & Authorization

    vkdasari

      Hi,
      We are using an LDAP server for authentication and authorization.
      We configured JBoss to use the LDAP server (using our own login module).

      Does anybody know how to configure either the web application or the server to use only authentication but not authorization?

      In our web application, we want to allow access to any authenticated user, no matter which roles the user belongs to.

      Is there any way we can configure web.xml to allow access to URLs for any authenticated user?

      I tried using this auth-constraint:
      <security-constraint>
        <display-name>All</display-name>
        <web-resource-collection>
          <web-resource-name>AllResources</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
          <http-method>HEAD</http-method>
          <http-method>TRACE</http-method>
          <http-method>POST</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>

      But the above configuration allows access to non-authenticated users as well, which is not intended.


      Any help is appreciated.

      Thanks,
      Vijay.
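
A descriptor check for the situation in the post above, as an added example that is not part of the original thread: it parses a web.xml and reports three conditions that affect an "any authenticated user" constraint. The sample descriptor is constructed from the posted constraint; the missing <login-config> and <security-role> elements are assumptions about the rest of the file, and audit_web_xml and its helpers are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed input: the constraint from the post inside a bare <web-app>.
# The absence of <login-config> and <security-role> is an assumption.
METHODS = ["GET", "PUT", "HEAD", "TRACE", "POST", "DELETE"]
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AllResources</web-resource-name>
      <url-pattern>/*</url-pattern>
      %s
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>""" % "".join("<http-method>%s</http-method>" % m for m in METHODS)


def find_all(node, name):
    """Descendants (and node itself) with this local name, ignoring namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]


def texts(nodes, name):
    """Stripped text of every <name> element under the given nodes."""
    return [e.text.strip() for n in nodes for e in find_all(n, name) if e.text]


def audit_web_xml(xml_text):
    """Return findings that weaken an 'any authenticated user' constraint."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = texts(find_all(root, "security-role"), "role-name")
    if not find_all(root, "login-config"):
        findings.append("no <login-config>: no authentication method declared")
    for sc in find_all(root, "security-constraint"):
        roles = texts(find_all(sc, "auth-constraint"), "role-name")
        if "*" in roles and not declared:
            findings.append("'*' means the roles declared in <security-role>, "
                            "and none are declared")
        if texts([sc], "http-method"):
            findings.append("explicit <http-method> list: unlisted methods "
                            "are not covered by this constraint")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("-", finding)
```
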