
Good day!

I am trying to secure my web application with role-based security in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>RESTRICTED</web-resource-name>
        <description>Resources to be placed under security control</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>ACCESS ROLE</description>
    <role-name>manager</role-name>
</security-role>

and since I use WebLogic, there is a weblogic-application.xml with the following lines:

<security>
    <security-role-assignment>
        <role-name>manager</role-name>
        <principal-name>manager</principal-name>
    </security-role-assignment>
</security>

The idea is that if a user is already authenticated (Web SSO), he has a role and the application must grant access to such a user.

The problem is that even if a user has the required role, the application presents a basic login form.

I've tried to add such a line:

<login-config/>

in the web.xml, relying on the article, which says that this line makes all pages public (I thought it would remove the login form but leave the role security), but that hasn't worked.

Does anybody know how to remove the login form leaving the role security?

UPDATE: Inside my WebLogic there is a handwritten identity asserter that checks a user's token. If the token is present, the asserter creates a principal and lets the user into the system.

An interesting fact: if I use Firefox there is no login form at all, but in Chrome the basic login form always appears...

Dmitry
  • What exactly is this Web SSO and how does the session/authentication token created by that system integrate with Weblogic? IOW, how does Weblogic know who the user is and what roles the user has? Do you have any WLS SSPI providers defined for this integration? – parry Jul 02 '13 at 14:14
  • Actually, there is a handwritten identity asserter inside WebLogic that creates a principal. That is why, when a previously authenticated user (by some other system) wants to use my application, I need to get the Principal object from an HttpServletRequest and do the processing... The problem is that the basic login form always appears, which is not what I (and the user) want. I only need to get the principal (user group). – Dmitry Jul 02 '13 at 14:21

1 Answer


OK, I've finally found a solution, which is actually described in this article in the 'Using Identity Assertion for Web Application Authentication' section: I've added these lines to the web.xml:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

and that worked.

Dmitry
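Putting the pieces from the question and the answer together, the following complete web.xml is an added example (not from the original post) that keeps the manager role constraint while letting WebLogic's identity asserter handle authentication via CLIENT-CERT. The CONFIDENTIAL transport guarantee and the Servlet 2.5 namespace are my assumptions; the custom asserter itself stays configured in the WebLogic security realm, not in this file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <!-- Everything under the context root requires the "manager" role. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>RESTRICTED</web-resource-name>
            <description>Resources to be placed under security control</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
        </auth-constraint>
        <!-- Assumption: the SSO token arrives with every request, so force
             HTTPS to keep it from being read or replayed off the wire. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- CLIENT-CERT tells WebLogic to hand the request to the configured
         identity asserters (the handwritten one from the question) instead
         of challenging the browser. No realm-name is needed. A request that
         carries no valid token is rejected rather than shown a login form;
         an empty <login-config/> would NOT achieve this. -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <!-- The role referenced above; mapped to a principal in
         weblogic-application.xml (or weblogic.xml for a standalone WAR). -->
    <security-role>
        <description>ACCESS ROLE</description>
        <role-name>manager</role-name>
    </security-role>

</web-app>
```

Verify the result by requesting any page without the token (expect a rejection, not a browser prompt) and with a valid token (expect the page), in both Firefox and Chrome.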