geronimo-dev mailing list archives

From David Jencks
Subject Re: Problem deploying web applications that have security-constraints in web.xml but use no authentication and security roles
Date Sun, 06 Aug 2006 07:30:20 GMT

On Aug 5, 2006, at 11:09 PM, Vamsavardhana Reddy wrote:

> Hi,
> I have a web application that has the following security-constraint  
> in the web.xml
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>Secure</web-resource-name>
>        <url-pattern>/secure/AuthorizationServlet</url-pattern>
>      </web-resource-collection>
>      <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>    </security-constraint>
> My application does not use any security roles and does not  
> authenticate against any security realm.  All this security- 
> constraint does is that the requests are forwarded to HTTPS port  
> (enabled for ClientAuth) and the application uses Client  
> Certificates for authorization.  In G1.0, I could deploy this  
> application without using a geronimo-web.xml and the application  
> runs fine.
> G1.1 does not allow me to deploy this application without a  
> deployment plan.  Even with a deployment plan, G1.1 comes back with  
> errors that there are no security elements in the deployment plan.   
> The following messages are displayed in the console.
> Deployer operation failed: web.xml for web app tutorial/cert-auth- 
> sample/1.0/war
>  includes security elements but Geronimo deployment plan is not  
> provided or does
>  not contain <security-realm-name> element necessary to configure  
> security accor
> dingly.
> org.apache.geronimo.common.DeploymentException: web.xml for web app  
> tutorial/cer
> t-auth-sample/1.0/war includes security elements but Geronimo  
> deployment plan is
>  not provided or does not contain <security-realm-name> element  
> necessary to con
> figure security accordingly.
> Clearly, I can not put any security-realm-name and role-mapping  
> elements in geronimo-web.xml .  If I put a security-realm-name tag  
> and/or role-mappings to get past the deployment, access to the  
> resource will be denied since I have not put any auth-constraint  
> tags in web.xml

Did you check this?  I'd expect that everything would work as  
expected if you supply a security-realm-name and that you will be  
able to access pages without logging in.

> Any suggestions on how to get past this problem?  Or is this a bug  
> in G1.1?

I have to regard it as a bug in G1.1, although if supplying a  
security-realm-name works it's a fairly minor bug.  I'm very curious  
about whether G1.0 actually enforced the CONFIDENTIAL user-data- 
constraint: my guess is that it did not.

david jencks

> Thanks and regards,
> Vamsi
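
Added example, not part of either message and not Geronimo's deployer logic: a Python script that classifies each security-constraint in a web.xml by who may reach it under the Servlet specification, showing that the constraint quoted in this thread asks only for transport confidentiality and requires no login. The /admin/* and /internal/* constraints and all function names are constructed here for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first constraint is the one quoted in the thread;
# the /admin/* and /internal/* constraints are made up here for contrast.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/secure/AuthorizationServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop any XML namespace so plain and namespaced web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def classify_constraints(xml_text):
    """One dict per <security-constraint>: URL patterns, transport, access."""
    out = []
    root = ET.fromstring(xml_text)
    for sc in [e for e in root.iter() if local(e.tag) == "security-constraint"]:
        elems = [(local(e.tag), e) for e in sc.iter()]
        patterns = [e.text.strip() for t, e in elems if t == "url-pattern"]
        transport = next((e.text.strip() for t, e in elems
                          if t == "transport-guarantee"), "NONE")
        auth = next((e for t, e in elems if t == "auth-constraint"), None)
        if auth is None:
            access = "open"        # no auth-constraint: no login required
        else:
            roles = [r.text.strip() for r in auth if local(r.tag) == "role-name"]
            access = ("roles:" + ",".join(roles)) if roles else "deny-all"  # empty = deny all
        out.append({"patterns": patterns, "transport": transport, "access": access})
    return out

def needs_login(constraints):
    """True only when some constraint names roles, so a user must authenticate."""
    return any(c["access"].startswith("roles:") for c in constraints)
```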
