Hi Ray, sorry for the delay.

On Sep 19, 2009, at 5:35 PM, Ray Clough wrote:

In my web.xml file I have a security constraint which is intended simply to block direct access to the jsp, jspx, xhtml files directly. Here is the snippet from web.xml Unavailable_Raw_Pages RawPages *.xhtml *.jsp *.jspx *.tiles POST GET PUT DELETE Since no roles are defined, the content is completely blocked. When I deploy the app as a WAR file to geronimo, this works well.

I'm quite surprised at this.  I would expect you would get the same message as you get with an ear.

Now when I'm trying to deploy as an EAR, it won't deploy with message "web.xml for web app XXX.war includes security elements but Geronimo deployment plan is not provided or does not contain element necessary to configure security accordingly." I have tried various different contents in geronimo-application.xml, but I always get the same error. The app uses custom security, and I do not have any security realm defined on Geronimo. Can I do this, and if so, how? Thanks, - Ray Clough

I'm pretty sure you need the <security/> element but I don't think you need anything inside.  I don't recall if you need a security realm or not.  As you say, you shouldn't really.  I think I remember making this scenario work in 2.2 some time ago: it may not work in 2.1.x.

I don't suppose you have a simple app to demonstrate the behavior?

david jencks

View this message in context: security constraint question
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.