
My application is running on WebSphere Application Server 9.0.0.9. I have the following security constraints added to the web.xml file of my application. The intention is to secure every request irrespective of whether it needs to be authenticated or not.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description>Ensure to allow only confidential communication</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- For FORM authentication -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>

Next in one of the servlet filters I am calling:

// Inside the filter's doFilter(); request/response are the HttpServletRequest/HttpServletResponse.
// HttpServletRequest.authenticate() returns true once the caller is authenticated, returns false
// when the configured login mechanism has already committed its response (for FORM, the
// challenge/redirect), and throws ServletException if authentication fails. The boolean is
// discarded here; the filter just stops the chain after the call.
if (CommonUtils.isNullOrEmpty(user)) {
    response.setHeader("auth-msg", "auth-required");
    request.authenticate(response);
    return;
}

In the browser, upon hitting the /home URL, I am always getting a 200 OK response with the above "auth-msg" header set in the response and a blank page. The expected behavior is to take the user to the login page, but that doesn't happen. The "Enable application security" option is also checked in the WAS console. What else could be missing here? The only workaround here is to explicitly hit the login.jsp page. The login page shows up, I can log in from there, and things work. But the automatic redirection to the login page isn't happening. The same setup works fine in WAS Liberty.

  • This is strange. If you have security constraints like `/*`, access to all resources should be protected and you should have automatic redirection without any filters. I'd suggest actually removing the filter and seeing whether you are redirected to the login page. Ah.. one more thing: do you have a security role defined and associated with your security constraint? I don't see it in your xml. You need `role...`. – Gas Jun 11 '20 at 10:05
  • @Gas I have security roles defined. I tried the solution of adding in the above, but then the login page itself becomes protected. Next, I tried adding another to relax the access to login-page.jsp by not adding any, but it resulted in too many redirections between /home and /login.jsp. No matter what order I keep the s in, it resulted in the same. The login.jsp page appearing in secure mode is also one of the requirements. – user3724707 Jun 11 '20 at 11:50
  • The thing is, apart from container authentication, our product also delegates authentication to 3rd party services. Depending on the authentication type set by the admin, either we delegate the authentication to a 3rd party service in the filter written, or we call the authenticate() method in the same filter to delegate the authentication to the container. – user3724707 Jun 11 '20 at 11:51
  • The login page is never protected, even if you have a constraint for `/*`, so something is wrong in your setup. – Gas Jun 12 '20 at 00:13
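
An added configuration example, not part of the question or of the comments above, showing the point Gas raises: a `<security-constraint>` that carries only a `<user-data-constraint>` forces TLS but asks for no authentication, so the container never issues the FORM login redirect on its behalf; that redirect is triggered only by an `<auth-constraint>`. The paths `/home/*` and `/app/*` and the role name `authenticated-user` are assumptions for illustration. One caveat a practitioner should know: the Servlet container applies only the constraints attached to the best-matching `url-pattern` for a request, so a more specific pattern does not inherit `CONFIDENTIAL` from `/*` and has to repeat it.

```xml
<!-- Added example, not the question's web.xml. Paths /home/*, /app/* and the
     role name "authenticated-user" are assumptions for illustration. -->

<!-- Constraint 1: transport only. Best match for every URL that has no more
     specific pattern below, including /login.jsp, which therefore stays
     reachable without a session but is still served over TLS.
     There is no <auth-constraint> here, so this constraint on its own never
     causes the container to send anyone to the login page. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TLS everywhere</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Constraint 2: authentication plus transport for the application pages.
     The <auth-constraint> is what makes the container redirect an
     unauthenticated browser to /login.jsp. CONFIDENTIAL is repeated on
     purpose: only the constraints of the best-matching url-pattern apply,
     so /home/* would otherwise lose the TLS requirement that /* carries. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application pages</web-resource-name>
        <url-pattern>/home</url-pattern>
        <url-pattern>/home/*</url-pattern>
        <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Every role named in an <auth-constraint> must also be declared here and
     mapped to users or groups on the server (the application's role-to-
     user/group mapping in the WAS console); an unmapped role denies everyone. -->
<security-role>
    <role-name>authenticated-user</role-name>
</security-role>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>
```

With this layout the login page is covered only by the transport constraint, so it is served over HTTPS without being protected, while any unauthenticated request to the application paths gets the container's FORM redirect with no filter involved. If the application does not distinguish roles, Servlet 3.1 (which WAS 9 implements) also accepts the special role name `**`, meaning any authenticated user, which removes the need for a role mapping.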
