security-constraint without login-config?

JohnWilliam Fitz
Ranch Hand
Hi.

If a security-constraint section exists in web.xml, and it specifies resources to constrain and specific roles to be given access, but there is NO login-config section specifying the authentication method, does authentication still take place? And if so, what authentication method is used?

Thanks!
John
Bosun Bello
Ranch Hand
Authentication will not take place. What happened when you tried?
JohnWilliam Fitz
Ranch Hand
Hi Bosun.

It SEEMS that without a login-config section the container rejects all requests right away by sending a "HTTP Status 403 - Access to the requested resource has been denied" instead of a status 401.

I took this web.xml sample...



...and authentication/authorization works as expected.

Then when I take out the login-config section from the above sample, every request is answered immediately with "HTTP Status 403 - Access to the requested resource has been denied" and gives no possibility of authentication.

However, in none of my three test prep books (Bates/Sierra, Lyons, Bridgewater) is this behaviour mentioned. So I wonder if it is container-specific or part of the specification.

Oh well, some things maybe aren't meant to be known...

John
Bosun Bello
Ranch Hand
Yes. You are correct. That's my experience with Tomcat. So, bottom line: make sure you have login-config if you want it to work.

Here is the Tomcat error:


message Configuration error: Cannot perform access control without an authenticated principal

description Access to the specified resource (Configuration error: Cannot perform access control without an authenticated principal) has been forbidden.
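As an added example (not John's sample, which is not reproduced above), here is a minimal web.xml that shows both halves the thread is about: the security-constraint that names the protected resources and roles, and the login-config that tells the container how to authenticate. The /admin/* pattern, the "admin" role and the realm name are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example descriptor, not the thread's own sample.
     Servlet 2.4 schema; /admin/* and the "admin" role are assumed names. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- WHAT is protected and WHO may reach it. On its own this only yields the
       403 seen in the thread: with no authenticator configured the container
       has no principal to check roles against, so it denies every request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> elements on purpose: listing some methods would
           leave every unlisted method (HEAD, PUT, DELETE, ...) unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends credentials base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- HOW the container authenticates. Deleting this element is the exact
       difference between a 401 challenge and the immediate 403 above. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin realm</realm-name>
  </login-config>

  <!-- Declares the role that the auth-constraint refers to. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

With login-config present, an anonymous request to /admin/ gets a 401 with a WWW-Authenticate: Basic header; with the element removed, Tomcat answers 403 with the "Cannot perform access control without an authenticated principal" message Bosun quoted.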