0 Replies Latest reply on Oct 4, 2005 11:38 AM by iwadasn

    Setting default security-constraint in conf/web.xml disables

    iwadasn Newbie


      If you place a default security setting in conf/web.xml, for instance this one...

      <security-constraint >
      <web-resource-collection >
      <web-resource-name >Protected Context</web-resource-name>
      <url-pattern >/*</url-pattern >
      </web-resource-collection >
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      <auth-constraint>
      <role-name>user</role-name>
      </auth-constraint>
      </security-constraint>

      <!-- Define the login configuration for this application -->
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>General Web domain</realm-name>
      </login-config>

      <!-- Security roles referenced by this web application -->
      <security-role>

      The role that is required to log into the web system.

      <role-name>user</role-name>
      </security-role>


      Then it works correctly. If you then want to tighten security on another area, like this....

      <!-- A security constraint that restricts access to the HTML JMX console
      to users with the role JBossAdmin. Edit the roles to what you want and
      uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
      secured access to the HTML JMX console. -->
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application

      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>ml_backoff-dev</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
      </login-config>

      <security-role>
      <role-name>ml_backoff-dev</role-name>
      </security-role>

      and correctly setup the jboss-web.xml file, like so...

      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users. -->
      <security-domain>java:/jaas/highbridge</security-domain>


      Nothing happens.


      If however, you use a different security domain (not the one used in the default configuration), then it also works properly, like so...


      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users. -->
      <security-domain>java:/jaas/jmx-console</security-domain>


      How do I fix this?