Images, stylesheets, and other items referenced in a Form Based Login Page do not appear
 Technote (troubleshooting)
 
Problem(Abstract)
After enabling Global Security on the Administrative Console using SAF authorization, the images and stylesheets referenced in the HTML of a Form Based Login page do not appear when accessing a secure page.
 
Cause
In this scenario, the application was setup to use SAF authorization (com.ibm.security.SAF.authorization=true), and had a security constraint in the web.xml with a URL pattern of "/*".

There was also a second URL pattern that covered the images and stylesheets referenced by the Form Based Login page. The security constraint protecting that URL pattern used a role called Everyone, and that role was mapped to the "Everyone" special subject in the Administrative Console.

After invoking a secure page, and being redirected to the Form Based Login Page, the images and stylesheets referenced in the Form Based Login page would not load because they were secured under the URL pattern of "/*", and the user had not been authenticated.

The special subject "Everyone" did not take effect.

The web.xml looked like the following:


<security-constraint>
<display-name>AppName</display-name>
<web-resource-collection>
<web-resource-name>App</web-resource-name>
<description></description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<display-name>Authpage</display-name>
<web-resource-collection>
<web-resource-name>Authpage</web-resource-name>
<description></description>
<url-pattern>/image.gif</url-pattern>
<url-pattern>/Master.css</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>Everyone</role-name>
</auth-constraint>
</security-constraint>

 
Resolving the problem
The above web.xml will allow images and stylesheets to load when SAF authorization is not used, because the "Everyone" special subject will take effect.

com.ibm.security.SAF.authorization=false

When using com.ibm.security.SAF.authorization=true the bindings such as "Everyone" and "All Authenticated" seen on the Administrative Console are not used.

To obtain the desired result, a more specific URL pattern was used in the web.xml.

For example, all the secured pages were placed in a directory called "secure" and the following example URL pattern was used.


<security-constraint>
<display-name>AppName</display-name>
<web-resource-collection>
<web-resource-name>App</web-resource-name>
<description></description>
<!-- path-prefix pattern: protects everything under the "secure" directory;
     the exact-match pattern /secure would only protect a request for /secure itself -->
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>

Since the images and stylesheets were not contained in the "secure" directory within the WAR file, the form based Login Page was able to load the images and stylesheets.
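As an added illustration (not part of the technote), the following Python model shows how servlet URL patterns match and how overlapping constraints combine, evaluated for an unauthenticated browser against the two web.xml layouts above. The constraint lists, the subject sets and the is_permitted helper are this example's own constructed assumptions, not WebSphere code.

```python
# Minimal model of servlet security-constraint matching, built to show why
# /image.gif and /Master.css stay locked behind a "/*" constraint under SAF
# authorization, and load again once the broad constraint is narrowed to
# "/secure/*". All constraint sets and subjects below are constructed.

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style matching: exact, path-prefix ('/dir/*') or
    extension ('*.css'). '/secure' alone is an exact match only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def roles_allowed(constraints, path: str):
    """Union of the role names from every constraint whose pattern matches;
    a simplification of how the servlet spec combines overlapping
    auth-constraints on one resource."""
    roles = set()
    for patterns, names in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            roles.update(names)
    return roles

def is_permitted(constraints, path: str, user_roles, saf: bool) -> bool:
    """True if the request may proceed. Without SAF the console mapping of
    the role 'Everyone' to the Everyone special subject admits anyone; with
    SAF that console mapping is not consulted (assumption modelled here),
    so 'Everyone' only counts as an ordinary role the user must hold."""
    required = roles_allowed(constraints, path)
    if not required:
        return True  # no constraint covers the resource: unprotected
    if not saf and "Everyone" in required:
        return True  # special subject Everyone admits unauthenticated users
    return bool(required & user_roles)

# Constructed constraint sets mirroring the two web.xml versions in the text.
BROAD = [(["/*"], {"User"}),
         (["/image.gif", "/Master.css"], {"Everyone"})]
NARROW = [(["/secure/*"], {"User"})]
ANONYMOUS = set()  # browser fetching the login page's assets, not yet logged in

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD), ("narrow", NARROW)):
        for saf in (False, True):
            ok = is_permitted(cfg, "/Master.css", ANONYMOUS, saf)
            print(f"{name:6} SAF={saf!s:5} /Master.css loads: {ok}")
```

Running it shows the stylesheet loading under the broad layout only when SAF is off, and under the narrow layout regardless of SAF, while /secure/page.jsp still requires the User role.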

Document Information
Current web document: swg21231253.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 6.0.2
Software edition:
Reference #: 1231253
IBM Group: Software Group
Modified date: Feb 28, 2006