It seems that my problem was that I was forgetting the servlet mapping for my JSP.  I added that in and it seems to work just fine.  N00b mistake :)

On 8/12/06, Nathan Mittler <nathan.mittler@gmail.com> wrote:
I have a very simple web app (just a single JSP) and I seem to be unable to restrict access to it.  I am fairly new to J2EE so it is entirely possible (and likely) that I'm doing something wrong.

Here's the content of my web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/SimpleSecureWebApp/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Ch14Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>

and here's my geronimo-web.xml:

  <context-root>SimpleSecureWebApp</context-root>
  <security-realm-name>Ch14Realm</security-realm-name>
  <security>
    <default-principal>
      <principal name="normal_users" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
    </default-principal>
    <role-mappings>
      <role role-name="admin">
        <principal name="admin_users" designated-run-as="true" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
    </role-mappings>
  </security>

I had previously deployed an SQL realm named Ch14Realm and had tested the logins successfully.

When I go to <geronimo>/SimpleSecureWebApp/index.jsp, I am expecting to be prompted for a username and password.  Instead, I am just brought directly to my index.jsp page.

Any help would be greatly appreciated!

Thanks,
Nathan Mittler
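
A `<url-pattern>` inside a `<security-constraint>` is matched against the part of the request path that follows the context root, and a constraint that lists `<http-method>` elements covers only those methods. The script below is an added example, not part of the original message or of Geronimo: it reports which roles a web.xml demands for a given request, so a deployment can be checked for URLs that no constraint covers. The function names are hypothetical, the sample is the constraint from the message wrapped in a constructed `<web-app>` root, and the matching is simplified (roles of all matching constraints are merged rather than selecting the best-matching pattern, and an empty `<auth-constraint>` is not modelled).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message inside a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/SimpleSecureWebApp/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def descendants(elem, name):
    """Descendant elements called `name`, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def pattern_matches(pattern, path):
    """Servlet URL-pattern match against a context-relative path."""
    if pattern.endswith("/*"):                 # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension pattern
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern   # default or exact pattern

def required_roles(web_xml, context_root, request_uri, method="GET"):
    """Roles demanded for the request, or None when no constraint covers it.
    Simplified: merges the roles of every matching constraint."""
    ctx = ("/" + context_root.strip("/")).rstrip("/")
    if request_uri != ctx and not request_uri.startswith(ctx + "/"):
        return None                            # not this application
    path = request_uri[len(ctx):] or "/"       # the part url-patterns see
    roles = None
    for sc in descendants(ET.fromstring(web_xml), "security-constraint"):
        for wrc in descendants(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in descendants(wrc, "http-method")]
            if methods and method not in methods:
                continue                       # only listed methods are covered
            pats = [p.text.strip() for p in descendants(wrc, "url-pattern")]
            if any(pattern_matches(p, path) for p in pats):
                found = {r.text.strip() for r in descendants(sc, "role-name")}
                roles = found if roles is None else roles | found
    return roles

if __name__ == "__main__":
    for uri in ("/SimpleSecureWebApp/index.jsp",
                "/SimpleSecureWebApp/SimpleSecureWebApp/index.jsp"):
        print(uri, "->", required_roles(WEB_XML, "SimpleSecureWebApp", uri))
```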