Could you please post all the relevant parts of your web.xml, because I did a test with this web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name>Archetype Created Web Application</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
And requesting a protected resource (http://localhost:8080/mywebapp/jsp/security/protected/ here) does prompt me for a user name and password. In other words, I cannot reproduce the problem (I was using GlassFish v3).
Update: I finished securing my sample webapp with a jdbc realm and confirm that things are working fine. So, as I said, please provide your web.xml and your sun-web.xml. Also, please set the logging level to FINEST for security stuff:
And join relevant traces.
Update: I think that the traces you're showing are for the login of the admin user in the admin console. If not, did you set the jdbc realm as the default realm (database is my jdbc realm in the following capture)?
BTW, I thought you were using BASIC authentication. But according to the descriptor you provided, you are using FORM. So, could you clarify what you are actually using and what the problem exactly is (like: "GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted")?
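
As an added example that is not part of the original answer: a small Python check that reads the security elements of the descriptor posted above and reports which constraints cover a given request and which login configuration applies. The helper names (`pattern_matches`, `matching_constraints`, `login_config`) are hypothetical, and each constraint is evaluated on its own, without the servlet specification's rules for combining overlapping constraints.

```python
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Security elements of the web.xml posted above (XML declaration omitted).
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>role1</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.x), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def matching_constraints(web_xml, path, method):
    """List (resource name, roles) for every constraint covering this request.
    path is relative to the context root; roles is None without <auth-constraint>."""
    hits = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else [r.text.strip() for r in auth.findall("j:role-name", NS)]
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns = [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            methods = [m.text.strip() for m in wrc.findall("j:http-method", NS)]
            # No <http-method> means all methods; a listed set leaves the others uncovered.
            if any(pattern_matches(p, path) for p in patterns) and (not methods or method in methods):
                hits.append((wrc.findtext("j:web-resource-name", "", NS).strip(), roles))
    return hits

def login_config(web_xml):
    """Return (auth-method, realm-name); realm-name None means the server's default realm."""
    lc = ET.fromstring(web_xml).find("j:login-config", NS)
    return (None, None) if lc is None else (lc.findtext("j:auth-method", None, NS), lc.findtext("j:realm-name", None, NS))
```

For the tested URL, `matching_constraints(WEB_XML, "/jsp/security/protected/", "GET")` reports the `Protected Area` constraint with `role1`, while a method outside the four listed ones returns an empty list.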