Authentication/Security Constraint problem

 
Greenhorn
Posts: 16
I have a simple web app on WAS 4.0.5 which is set up to use Basic Login. I have listed the main controller servlet (not the main index.html page) as a protected resource by defining a security constraint, in which the resource is accessible to AllAuthenticatedUsers. I have also enabled security in the Security Center.
However, when I try accessing the app, I do not get the basic login dialog box. Instead access goes straight to the controller servlet, which attempts to call getUserPrincipal and this of course fails, since authentication was not carried out.
I have tried all manner of URL pattern names:
[CODE]
/*
servlet/Controller
/servlet/Controller
/App/Controller
/Controller
Controller
[/CODE]
but to no avail.
Anyone have an idea what the problem is?
thanks
 
author
Posts: 3892
How do you access your subcontrollers? Are you using HTML parameters, (e.g. /servlet/mycontroller?subcontrollername=someothercontroller) or are you using the rest of the URI (e.g. /servlet/mycontroller/someothercontroller)?
Kyle
 
srinivas nedunuri
Greenhorn
Posts: 16
Well, I managed to get around this specific problem by defining a role/group that has something other than AllAuthenticatedUsers in it. (Although I am not sure why. It seems WAS is confusing authentication with authorization.) However, when I type in a userid + password that I know is in the CustomRegistry (because it is accepted by the Security Center in the Administration Console), I get an exception stack trace and the following error messages in the stdout log file:

Any light you can shed would be most appreciated!
thanks
 
Greenhorn
Posts: 15
Are you trying to authenticate off a true WAS server or WSAD? Also, are you trying to authenticate off the local OS?
As far as any other problems go, I have done some fooling with authentication. Start off easy: map your control servlet, say with the name controlServlet, to /controlServlet and /secure/controlServlet. Then in your security constraints throw in /secure/* as a protected resource. Define what's protected to that resource and try to log on using basic authentication. Once that works as planned, add in the getUserbyRole programmatic authorization code and test that. Remember, in order to authorize EJBs, programmatic authorization code doesn't necessarily have to be there.
 
srinivas nedunuri
Greenhorn
Posts: 16
Hi
I am authenticating using WAS. I don't have WSAD. My current implementation uses Custom Registry. I have also tried the OS based registry option. However, I am unable to restart the admin service (as it tells you to do) with that option, so I have given up on that one.
The problem is no longer with the login dialog not coming up (see my other post). Rather the authentication mechanism is somehow rejecting the attempts at logging in. I am not sure why. The id and password that I am using are present in the registry, as verified by the Security Console.
thanks
 
srinivas nedunuri
Greenhorn
Posts: 16
Well, I think I've discovered the source of the problem (but not the cure).
When you use LocalOS as the Registry, after you've made your changes, and restarted the admin server, you see that the changes have been propagated to sas.server.props. In particular, it sets the ibm...CORBA.securityEnabled flag to true.
However, with CustomRegistry, WAS Admin does not do this. This looks like a bug to me, but can anyone from IBM confirm?
thanks