The above web.xml will allow images and stylesheets to
load when SAF authorization is not used because the "Everyone" special
subject will take effect.
com.ibm.security.SAF.authorization=false
When using com.ibm.security.SAF.authorization=true the bindings such as
"Everyone" and "All Authenticated" seen on the Administrative Console are
not used.
To obtain the desired result, a more specific URL pattern was used in
the web.xml.
For example, all the secured pages were placed in a directory called
"secure" and the following example URL pattern was used.
<security-constraint>
  <display-name>AppName</display-name>
  <web-resource-collection>
    <web-resource-name>App</web-resource-name>
    <description></description>
    <!-- Path-prefix pattern: covers everything under the "secure" directory.
         A bare /secure is an exact match and protects only that one path. -->
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>TRACE</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>
Since the images and stylesheets were not contained in the "secure"
directory within the WAR file, the form based Login Page was able to load
the images and stylesheets.
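
The effect of the URL pattern can be checked before deployment. The following Python check is an added example, not part of the original technote: it parses a descriptor and reports which role, if any, a request path needs. The resource paths, the reduced method list, and the "/*" pattern standing in for a broad constraint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the constraint above (no XML namespace, unlike most real web.xml files).
TEMPLATE = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>App</web-resource-name>
    <url-pattern>{pattern}</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>User</role-name></auth-constraint>
</security-constraint></web-app>"""

def pattern_matches(pattern, path):
    """Servlet URL-pattern rules: path prefix (/x/*), extension (*.x), default (/), else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def load_constraints(xml_text):
    """Return (patterns, methods, roles) for every constraint that carries an auth-constraint."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            found.append((patterns, methods, roles))
    return found

def matching_roles(xml_text, path, method="GET"):
    """Roles demanded for method + path. None means no constraint applies (public); [] means deny all.
    Simplified: unions every matching constraint, where a container uses only the best-matching pattern."""
    roles, hit = [], False
    for patterns, methods, needed in load_constraints(xml_text):
        # No <http-method> elements means the constraint covers all methods.
        if (not methods or method.upper() in methods) and any(pattern_matches(p, path) for p in patterns):
            hit = True
            roles.extend(needed)
    return roles if hit else None

if __name__ == "__main__":
    for pattern in ("/*", "/secure/*"):
        for path in ("/secure/account.jsp", "/images/logo.gif", "/css/style.css"):
            print(pattern, path, matching_roles(TEMPLATE.format(pattern=pattern), path) or "public")
```

Running the same check with the methods the application actually serves shows whether any method on a protected path falls outside the listed http-method elements.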