Java security issue - if web.xml has <login-config> app avail w/ no log in
BBellDec 12 2012 — edited Jan 16 2013I am trying to use Java EE security. Following the docs ( [http://docs.oracle.com/cloud/CSJSU/dev_app.htm#BCEHFDFC] ).
The problem is, if a web app has <login-config> in web.xml, then users are not sent to the Cloud login screen when they access the app with its URL. Even if the entry is <login-config/>!
(I did a test with a very small web app. When I leave <login-config/> out of web.xml, then when I access the app URL, I first have to log in (when I Whitelist test it, I get a warning about that tag is missing). When I put <login-config/> in web.xml (the Whitelist warning goes away), but I can access the web app via its URL WITHOUT logging in at all.)
If users haven't logged in, then of course you don't know who they are and what their role is, so you cannot use normal web app security with protected resources.