Problem
Why am I not prompted for a user ID and password after
securing a servlet, and yet I can still gain access?
Solution
The most common mistake is including the context root in the URL pattern
you are trying to protect. Because the container matches URL patterns against
the part of the path that follows the context root, a pattern that repeats the
context root never matches and the servlet stays unprotected. To confirm you
have secured the proper URL, check the following settings:
- From the Application Assembly Tool (AAT), open the existing enterprise
archive (EAR) file containing your servlet.
- Click Web Modules.
- In the General tab, confirm the context name and make sure it
starts with a "/" slash (for example: /schedule).
- Expand your Web module, then Security Constraints, and navigate to the
area where you define the HTTP methods and URL patterns.
- In the URL pattern field you should have only the last part of
your URI, without the context root (for example: /application/*,
not /schedule/application/*).
- Also confirm that the HTTP methods you wish to secure are defined in the
HTTP method field.
- There are two Security Roles objects in the left frame of the
AAT tool:
  - One is under your own Web module and is used only for
defining roles.
  - The other is under the object called Web Modules and is used for
defining roles and binding them to users and groups.
- Select Security Roles under the Web Modules object.
- In the right pane, scroll down to the bottom and make sure you do not
have the Special subject Everyone defined; if Everyone is bound to the role,
every caller satisfies the constraint without authenticating.
- If you had to make changes to this EAR file, you will have to save it
and exit.
- Remove the enterprise application in the administrative console and
reinstall the updated enterprise application.
- You will also have to stop and restart the application server to pick
up the new changes.
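The checks above can also be run against the deployment descriptors inside the EAR rather than clicked through in the AAT. The following script is an added example, not part of the original technote or an IBM tool: it reads a constructed application.xml (for the context root) and a constructed web.xml (for the security constraints) and flags every url-pattern that repeats the context root, plus any security-constraint that has no auth-constraint and therefore permits all users. The file contents, module name and role names are made up for the example.

```python
"""Audit a web module's security constraints for the mistakes described above."""
import xml.etree.ElementTree as ET

# Constructed sample application.xml: maps the WAR to its context root.
APPLICATION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<application>
  <module><web>
    <web-uri>schedule.war</web-uri>
    <context-root>/schedule</context-root>
  </web></module>
</application>"""

# Constructed sample web.xml: "wrong" repeats the context root, "right" is
# correct, "open" has no auth-constraint and so lets everyone in.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>wrong</web-resource-name>
      <url-pattern>/schedule/application/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>scheduler</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>right</web-resource-name>
      <url-pattern>/application/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>scheduler</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>open</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def _kids(elem, name):
    """Children of elem with the given local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, name):
    """Stripped text of every child named `name`."""
    return [c.text.strip() for c in _kids(elem, name) if c.text and c.text.strip()]


def context_root(application_xml):
    """Context root of the first web module, normalised to start with '/'."""
    root = ET.fromstring(application_xml)
    for module in _kids(root, "module"):
        for web in _kids(module, "web"):
            for cr in _texts(web, "context-root"):
                return cr if cr.startswith("/") else "/" + cr
    return None


def check_constraints(web_xml, ctx_root):
    """Return a list of findings (dicts) for the constraints in web.xml."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in _kids(root, "security-constraint"):
        names = []
        for wrc in _kids(sc, "web-resource-collection"):
            name = (_texts(wrc, "web-resource-name") or ["<unnamed>"])[0]
            names.append(name)
            for pattern in _texts(wrc, "url-pattern"):
                # Patterns are matched against the path after the context
                # root, so one that repeats it never matches. A context root
                # of "/" is skipped, since every pattern starts with "/".
                if ctx_root != "/" and (pattern == ctx_root
                                        or pattern.startswith(ctx_root + "/")):
                    findings.append({"resource": name, "pattern": pattern,
                                     "problem": "url-pattern repeats context root "
                                     "%s; constraint never matches" % ctx_root})
        if not _kids(sc, "auth-constraint"):
            findings.append({"resource": ", ".join(names) or "<unnamed>",
                             "pattern": None,
                             "problem": "no auth-constraint: all users permitted"})
    return findings


def audit(application_xml, web_xml):
    """Combine both descriptors into one list of findings."""
    ctx = context_root(application_xml)
    if ctx is None:
        return [{"resource": None, "pattern": None,
                 "problem": "no web module context-root found"}]
    return check_constraints(web_xml, ctx)


if __name__ == "__main__":
    for f in audit(APPLICATION_XML, WEB_XML):
        print("%s: %s (%s)" % (f["resource"], f["problem"], f["pattern"]))
```

Run it over the two descriptors extracted from your EAR instead of the embedded samples; the "right" constraint produces no finding, while the other two reproduce exactly the situations the technote describes. The binding of roles to the Everyone special subject lives in a separate WebSphere binding file and is not checked here.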