tags:

views:

48

answers:

1
Q: 

Basic Authentication in Glassfish

I am having trouble getting BASIC authentication to work with Glassfish. I am developing an application and I need to be prompted for a username and password. I have gotten the application to prompt me for a password when I attempt to access the application, but after entering the correct login information, I get HTTP Status 403 - Access to the requested resource has been denied.

I have gone into the Glassfish Admin Console and created a few sample users in the file realm and enabled the Security Manager.

Next, in my web.xml file, I have added the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
</login-config>

<security-role>
    <role-name>User</role-name>
</security-role>

I'm not exactly sure what to do next. I have searched for several hours with no luck. The authentication works because if I enter incorrect login information, it prompts again, but after successfully authenticating, I get the access denied message shown above.

If it helps, I am running Glassfish Open Source 3.0.1 and using Netbeans 6.9 for development.

+2  A: 

I'm not sure if defaults apply but you may need to create sun-web.xml and set a mapping for role "User":

<sun-web-app error-url="">
  ... 
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>filerealm-group-name</group-name>
  </security-role-mapping>
  ...
</sun-web-app>
chrome  2010-10-11 10:17:17
It appears that even if the `role-name` in *web.xml* matches a group in Glassfish, it still needs to be mapped in *sun-web.xml*. Thanks for your help!
Jared  2010-10-12 18:23:55

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security