A: 

Could you please post all the relevant parts of your web.xml because I did a test with this web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>

And requesting a protected resource (http://localhost:8080/mywebapp/jsp/security/protected/ here) does prompt me for a user name and password. In other words, I cannot reproduce the problem (I was using GlassFish v3).

Update: I finished securing my sample webapp with a jdbc realm and confirm that things are working fine. So, as I said, please provide your web.xml and your sun-web.xml. Also, please set the logging level to FINEST for security stuff:

And join relevant traces.

Update: I think that the traces you're showing are for the login of the admin user in the admin console. If not, did you set the jdbc realm as the default realm (database is my jdbc realm in the following capture)?

BTW, I thought you were using BASIC authentication. But according to the descriptor you provided, you are using FORM. So, could you clarify what you are actually using and what the problem exactly is (like: "GlassFish doesn't redirect to the login form page and access to restricted resources is not restricted")?

Pascal Thivent
A: 

If you are using NetBeans 6.8, you may want to verify that the 'Preserve Sessions Across Redeployment' property is unchecked.

The Server properties dialog from NetBeans 6.8 for GlassFish v3

Why? It sounds like you have tested the 'lock all' case first (and were able to log in successfully). When you changed the web.xml to use /security/*, your old session was still valid and logged in, so... you go straight to the page, instead of being challenged to authenticate.

The server adapter for Eclipse has this feature, too.

vkraemer
Hi, I'm using NetBeans 6.5.1 because NetBeans 6.8 does not support JSF visual development. And also GlassFish v2.
cadii
Also, the problem is still there even if I restart both the browser and NetBeans and directly set the restrictions to the /security/* folder. Thanks a lot.
cadii
A: 

Hi,

First of all, thank you very much for your efforts. I'm still stuck with the problem. I'm posting the XML files here.

sun-web.xml

<security-role-mapping>
    <role-name>Employee</role-name>
    <group-name>Employee</group-name>
</security-role-mapping>

web.xml

<security-constraint>
    <display-name>Login Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>User Redirect page</web-resource-name>
        <description/>
        <url-pattern>/security/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>Employee</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>deliverySecurity</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/index.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>Employee</role-name>
</security-role>

Also, there is no stack trace. No exception. The user is just redirected to the secured page as if there were no authentication requirements. This is a JSF visual web development project using NetBeans 6.5.1 and GlassFish v2. Thanks a lot.

cadii
Hi, Stackoverflow is an Q)
BalusC
ok. I'm sorry. Will do :)
cadii
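
As an added example (not code from any of the posters), here is one way to cross-check the two descriptors discussed in this thread. It reports roles used in an auth-constraint that lack a security-role declaration or a sun-web.xml mapping, and the HTTP methods a constraint leaves uncovered because http-method elements were listed. The sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the descriptors in this thread (not the poster's files).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Redirect page</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Employee</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Employee</role-name></security-role>
</web-app>"""
SUN_WEB_XML = "<sun-web-app></sun-web-app>"  # constructed: role mapping left out
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

def parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop the XML namespace, if any
    return root

def texts(node, path):
    return [e.text.strip() for e in node.findall(path) if e.text]

def audit(web_xml, sun_web_xml):
    web, sun = parse(web_xml), parse(sun_web_xml)
    declared = set(texts(web, "security-role/role-name"))
    mapped = set(texts(sun, "security-role-mapping/role-name"))
    findings = []
    for sc in web.findall("security-constraint"):
        where = ",".join(texts(sc, "web-resource-collection/url-pattern"))
        listed = set(texts(sc, "web-resource-collection/http-method"))
        for role in texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(f"{where}: role {role} has no <security-role>")
            if role != "*" and role not in mapped:
                findings.append(f"{where}: role {role} not mapped in sun-web.xml")
        # Listed methods are the only ones the constraint applies to.
        if listed and METHODS - listed:
            missing = ",".join(sorted(METHODS - listed))
            findings.append(f"{where}: constraint does not cover {missing}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, SUN_WEB_XML)))
```

An unmapped role matters only when GlassFish's default principal-to-role mapping is not enabled. Omitting the http-method elements altogether makes a constraint apply to every method.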