
BASIC Authentication

 
Nick Bour
Hello,

I'm trying to do BASIC authentication for one of my webapps. I put this code in the web.xml of my webapp:

<security-constraint>
  <display-name>logs</display-name>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- applicable to all URLs in the application -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>logs</role-name>
  </auth-constraint>
</security-constraint>

This is working great. But as soon as I add this code to the global web.xml to redirect everyone to https, it stops working. The webapp is working, but it is not asking me for a user / password anymore:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

What can I do to have BASIC authentication on a specific webapp with a redirect to https on all webapps?

Thank you very much,
Nicholas
 
Tim Holloway
BASIC authentication isn't actually all that great. Most of us use form-based authentication most of the time. BASIC authentication is considered less secure and logging out of apps may require shutting down the client app (browser), which isn't something I want to do considering how many tabs I typically have open.

One thing to note is transport security and authentication are 2 different things. You don't actually need any sort of authentication just to get TLS (https).

I can't see anything that rings alarm bells in your samples (hint: use the Code button to format stuff like this). Which is why I waited to see if anyone else did. About the only other thing that I can think of is that you check your server.xml connectors. I got burned a while back because a form-based connector was being used when a basic connector should have been (or maybe the other way around. I forget).
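
Added example, not part of either post: the Servlet specification's rule for combining security constraints says that a constraint with no auth-constraint, combined with one that names roles on the same URL pattern and HTTP method, allows unauthenticated access. The Python sketch below applies that rule to trimmed, constructed copies of the two constraints from the question. The function names are hypothetical, matching is by exact pattern string only, and the XML is assumed to carry no namespace.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraints from the question, trimmed to the
# elements that matter (one HTTP method kept for brevity, no XML namespace).
APP_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>logs</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
GLOBAL_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def constraints(xml_text):
    """Yield (patterns, methods, roles) per security-constraint.
    roles is None when the constraint has no auth-constraint element."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = {p.text.strip() for p in sc.iter("url-pattern")}
        methods = {m.text.strip() for m in sc.iter("http-method")}  # empty = all
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        yield patterns, methods, roles

def effective_access(pattern, method, *descriptors):
    """Combine every constraint that names this exact pattern and method."""
    matched = [roles for xml_text in descriptors
               for pats, meths, roles in constraints(xml_text)
               if pattern in pats and (not meths or method in meths)]
    if not matched:
        return "unconstrained"
    if any(r is not None and not r for r in matched):
        return "denied"            # auth-constraint naming no roles overrides all
    if any(r is None for r in matched):
        return "unauthenticated"   # a constraint without auth-constraint wins
    return "roles: " + ",".join(sorted(set().union(*matched)))

if __name__ == "__main__":
    print(effective_access("/*", "GET", APP_XML))              # app descriptor only
    print(effective_access("/*", "GET", APP_XML, GLOBAL_XML))  # app plus global
```
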
 