I need to apply security constraints to our new web application. I tried setting the auth-method to DIGEST in web.xml, but Chrome still showed that Basic was used (Authorization:Basic xxxxx). I checked the log files, but that showed the following:
####<23-jun-2014 13:49:33 uur CEST> <Warning> <HTTP> <PC0075> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <63a28fec-54a7-4362-bf8d-a275eeada121-000006c8> <1403524173403> <BEA-101317> <The Web application: ServletContext@20973321[app:test module:test path:null spec-version:3.0] has specified "DIGEST" as the auth-method in web.xml, which is not implemented. Will default to BASIC.>
Is it true that WebLogic 12.1.2.1 (the latest one) does not even support one of the four required authentication methods? If so, how can it have been JEE certified?
(I guess it helps that Oracle owns Java now...)
FYI, the login config from web.xml:
This does work with an auth-method of FORM (with the proper login and error pages), but that's just as secure as Basic (as in, not secure at all).
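
A log check for the fallback that the warning above reports, as an added example that is not part of the original post: it scans WebLogic server-log lines for message ID BEA-101317 and lists each app/module whose declared auth-method was replaced. The function names and the second and third sample records are constructed for illustration, and the regex assumes the message wording shown in the post.

```python
import re

# Matches server-log records carrying message ID BEA-101317, the warning
# quoted in the post: the auth-method declared in web.xml is not implemented
# and the container falls back to another one. Wording assumed from the post.
BEA_101317 = re.compile(
    r'^####<(?P<ts>[^>]*)> <(?P<severity>[^>]*)> .*?<BEA-101317> '
    r'<.*?\[app:(?P<app>\S+) module:(?P<module>\S+) [^\]]*\] has specified '
    r'"(?P<requested>[^"]+)" as the auth-method in web\.xml, which is not '
    r'implemented\. Will default to (?P<effective>\w+)\.>\s*$'
)

def find_auth_downgrades(lines):
    """Return one dict per BEA-101317 record found in the log lines."""
    return [m.groupdict() for m in map(BEA_101317.match, lines) if m]

def affected_modules(lines):
    """Collapse repeats (redeploys): (app, module) -> (requested, effective)."""
    result = {}
    for hit in find_auth_downgrades(lines):
        result[(hit["app"], hit["module"])] = (hit["requested"], hit["effective"])
    return result

# The record quoted in the post.
PAGE_RECORD = (
    "####<23-jun-2014 13:49:33 uur CEST> <Warning> <HTTP> <PC0075> <AdminServer> "
    "<[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> "
    "<<WLS Kernel>> <> <63a28fec-54a7-4362-bf8d-a275eeada121-000006c8> <1403524173403> "
    "<BEA-101317> <The Web application: ServletContext@20973321[app:test module:test "
    'path:null spec-version:3.0] has specified "DIGEST" as the auth-method in web.xml, '
    "which is not implemented. Will default to BASIC.>"
)

SAMPLE_LOG = [
    PAGE_RECORD,
    # Constructed: the same warning logged again on a later redeploy.
    PAGE_RECORD.replace("13:49:33", "14:02:10"),
    # Constructed: unrelated record with a placeholder message ID.
    "####<23-jun-2014 14:02:11 uur CEST> <Notice> <HTTP> <PC0075> <AdminServer> "
    "<> <> <> <> <0> <BEA-000000> <Constructed unrelated record.>",
]

if __name__ == "__main__":
    for (app, module), (requested, effective) in affected_modules(SAMPLE_LOG).items():
        print(f"{app}/{module}: web.xml requests {requested}, server uses {effective}")
```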