Accessing a secure servlet without being prompted for user id and password
 Technote (FAQ)
 
Problem
After securing a servlet, why can I still gain access without being prompted for a user ID and password?
 
Solution
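The most common mistake is adding the "context root" to the URL pattern you are trying to protect. The URL pattern is matched against the part of the request path that follows the context root, so a pattern that includes the context root does not match the servlet's requests. To confirm you have secured the proper URL, check the following settings: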
  1. From the Application Assembly Tool (AAT) open your existing enterprise archive (EAR) file containing your servlet.

  2. Click Web Modules.

  3. In the General tab, confirm the context name and make sure it starts with a slash ("/"), for example: /schedule.

  4. Expand your Web module, then Security Constraints, then navigate all the way to the area where you define the HTTP methods and URL Patterns.

  5. In the URL pattern field you should have just the last part of your URI, without the context root (for example: /application/*, not /schedule/application/*).

  6. Also confirm the HTTP methods you wish to secure are defined in the HTTP method field.

  7. There are two Security Roles objects in the left frame of the AAT:
    • One is under your own Web module which is used for just defining roles.
    • The other is under the object called Web Modules which is used for defining roles and binding them to users and groups.

  8. Select Security Roles under the Web Modules object.

  9. In the right pane, scroll down to the bottom and make sure you do not have Everyone defined under Special subjects.

  10. If you had to make changes to this EAR file, you will have to save it and exit.

  11. Remove the enterprise application in the administrative console and reinstall the updated enterprise application.

  12. You will also have to stop and restart the application server to pick up the new changes.
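
The URL pattern and HTTP method checks in steps 3 through 6 can also be run against the web.xml inside the EAR. The script below is an added example, not IBM code: the descriptor fragment, the role name "staff" and the function names are constructed for illustration, and the matching follows the servlet specification's pattern rules (path prefix, extension, exact).

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the technote); {pattern} is filled in below.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>schedule-app</web-resource-name>
      <url-pattern>{pattern}</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
BAD = WEB_XML.format(pattern="/schedule/application/*")   # repeats the context root
GOOD = WEB_XML.format(pattern="/application/*")           # relative to the context root

def constraints(web_xml):
    """Return (url_patterns, http_methods) for each web-resource-collection."""
    return [([e.text.strip() for e in c.findall("url-pattern")],
             {e.text.strip().upper() for e in c.findall("http-method")})
            for c in ET.fromstring(web_xml).iter("web-resource-collection")]

def matches(pattern, path):
    """Match a servlet url-pattern against a context-relative path."""
    if pattern.endswith("/*"):                      # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension pattern
        return path.endswith(pattern[1:])
    return pattern == path                          # exact pattern

def is_protected(web_xml, context_root, request_uri, method):
    """True if a constraint covers the request once the context root is stripped."""
    if not request_uri.startswith(context_root + "/"):
        return False                                # not this web module
    path = request_uri[len(context_root):]
    return any((not methods or method.upper() in methods)  # no method listed = all
               and any(matches(p, path) for p in patterns)
               for patterns, methods in constraints(web_xml))

def audit(web_xml, context_root):
    """List url-patterns that start with the context root (likely misconfigured)."""
    return [p for patterns, _ in constraints(web_xml) for p in patterns
            if p == context_root or p.startswith(context_root + "/")]

if __name__ == "__main__":
    for name, xml in (("bad", BAD), ("good", GOOD)):
        print(name, audit(xml, "/schedule"),
              is_protected(xml, "/schedule", "/schedule/application/list", "GET"))
```

A pattern flagged by audit() is only a likely mistake: an application that really serves a path named after its own context root would be flagged as well.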
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): HP-UX
Software version: 4.0.7
Software edition:
Reference #: 1047356
IBM Group: Software Group
Modified date: Apr 9, 2004