In the Application Assembly Tool (AAT), when securing web
resources, you configure security constraints and associated web resource
collections to protect your web content. In the web resource collections,
you define HTTP methods and URLs that will be part of the web resources to
be constrained. The URLs defined are not absolute paths; they are
relative to any context root that may be defined for the web module. If an
incorrect or absolute path is entered in the URL, you will not be
prompted for a login/password as expected when you run your application,
nor will you receive any errors.
For example, in the Petstore application shipped with WebSphere®
Application Server, the application is run from a browser by typing:
http://hostname/estore
If you open the petstore.ear in the AAT and attempt to secure the URL by
creating a security constraint and web resource collection with a URL of
"estore" or "/estore" or "estore*", when you run the application you will
not get a login prompt at all. This is because the context root for
"WebTier" is "estore". So the URL you are actually securing in this case
would be http://hostname/estore/estore, which does not exist.
The correct web resource collection URL needed to secure
http://hostname/estore would be "*" or "/*", or the field can even be left
blank, as blank defaults to all URLs within the root context.
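
Because the mistake produces no error, it helps to check the deployment descriptor before deploying. The following is an added example, not part of the original technote or of WebSphere: a small Python check that lists each URL pattern with the URL it actually constrains and flags patterns that repeat the context root. It assumes the constraints are stored as standard url-pattern entries in the web module's web.xml; the sample descriptor, the collection names and the role name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not taken from petstore.ear); names are made up.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>wrong</web-resource-name>
      <url-pattern>/estore</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>right</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def effective_url(host, context_root, pattern):
    """URL actually constrained: the pattern is appended to the context root."""
    return "http://%s/%s/%s" % (host, context_root.strip("/"), pattern.lstrip("/"))

def repeats_context_root(context_root, pattern):
    """True when the pattern's first path segment is the context root itself."""
    root = context_root.strip("/")
    first = pattern.lstrip("/").split("/", 1)[0].rstrip("*")
    return bool(root) and first == root

def audit(web_xml, context_root, host="hostname"):
    """Return (collection name, pattern, effective URL, suspicious) per pattern."""
    findings = []
    for coll in ET.fromstring(web_xml).iter("web-resource-collection"):
        name = coll.findtext("web-resource-name", default="").strip()
        for node in coll.findall("url-pattern"):
            pattern = (node.text or "").strip()
            findings.append((name, pattern,
                             effective_url(host, context_root, pattern),
                             repeats_context_root(context_root, pattern)))
    return findings

if __name__ == "__main__":
    for name, pattern, url, bad in audit(SAMPLE_WEB_XML, "estore"):
        flag = "REPEATS CONTEXT ROOT" if bad else "ok"
        print("%-6s %-10s -> %-32s %s" % (name, pattern, url, flag))
```
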
You must also make sure to recycle the application server, and not just
the enterprise application, after reinstalling the application in order to
pick up any changes in the enterprise application.