
My welcome screen is a kind of home screen, as on any website (it should be an unprotected resource).

Say http://domain:port/myApp, which redirects to the JSP file configured in the welcome-file-list of web.xml, say welcome.jsp.

But on clicking any link present on welcome.jsp, those resources must be protected, and the corresponding URLs will be like http://:port/myApp/someRequest

I have used the below changes in the deployment descriptor:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SuperUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Encryption is not required for the application in general.
        </description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <url-pattern>/styles/*</url-pattern>
        <url-pattern>/welcome.jsp</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>

The issue is that my home page, i.e. welcome.jsp, is still protected and the application redirects to the login screen on WebSphere Application Server, but it works fine in Tomcat and WildFly.

How can I make http://:port/myApp unprotected in WebSphere?

Technogix
  • Hi, can you confirm whether it prompts even when you specify welcome.jsp in the URL explicitly (http://host:port/myApp/welcome.jsp), or only when you access it w/o welcome.jsp (http://host:port/myApp)? – Ajay Jan 12 '18 at 00:06
  • host:port/myApp/welcome.jsp is working fine, i.e. it comes up without any authentication. – Technogix Jan 12 '18 at 03:11

1 Answer


The WebContainer does not determine if it needs to use a welcome page for a specific request until the request is processed by the default servlet. When the WebContainer determines that there are no servlets mapped to this request, it will set the default servlet as the target, which will then check if a welcome page is needed. Before servicing the default servlet, the WebContainer invokes the security checks, which is where the request URI will be compared against the defined security constraints. The request URI in this scenario (/myApp) matches the /* constraint defined, so the authentication process will be triggered.

This is working as designed. In order to get the desired behavior, the security constraints will need to be made more specific instead of just /*. One possibility is to keep all static resources intended to be secured in a separate directory and define a constraint for that directory, for example /secured/*. For servlets, you can define a servlet mapping pattern to use for secured servlets and add a more specific constraint to your security configuration to match that pattern, similarly to the static resource example above.

ZRoman
  • All the above points are valid; strange that there is so much difference in terms of the security aspect between Wildfly and WebSphere. Thanks @ZRoman – Technogix Jan 17 '18 at 03:50
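The matching the answer describes can be checked offline. The following is an added example, not code from the question, the answer or WebSphere: a small Python model of servlet-spec URL-pattern precedence, applied to the original request path before any welcome-file resolution. It assumes the context-relative path for http://host:port/myApp is "/", and the descriptors are constructed from the question's constraints and the answer's /secured/* suggestion.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors: the question's constraints, and a variant that
# follows the answer's suggestion of a dedicated "/secured/*" pattern.
QUESTION_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>SuperUser</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/styles/*</url-pattern>
      <url-pattern>/welcome.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""
SUGGESTED_XML = QUESTION_XML.replace(
    "<url-pattern>/*</url-pattern>", "<url-pattern>/secured/*</url-pattern>")

def load(xml_text):
    """Map each url-pattern to its required roles (None = no auth-constraint).
    Simplification: assumes no pattern is repeated across constraints."""
    rules = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text for r in auth.iter("role-name")]
        for p in sc.iter("url-pattern"):
            rules[p.text.strip()] = roles
    return rules

def rank(pattern, path):
    """Precedence: exact > longest path prefix > extension > default; None = no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(xml_text, path):
    """Roles needed for a context-relative path; None means unprotected."""
    rules = load(xml_text)
    hits = [(rank(p, path), p) for p in rules if rank(p, path) is not None]
    return rules[max(hits)[1]] if hits else None

if __name__ == "__main__":
    for path in ("/", "/welcome.jsp", "/styles/site.css", "/someRequest", "/secured/report"):
        print(path, required_roles(QUESTION_XML, path), required_roles(SUGGESTED_XML, path))
```

With the narrower pattern, /someRequest is no longer covered by any constraint, so every resource that must stay protected has to live under the secured pattern or its servlet mapping.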