0 Replies Latest reply: Mar 25, 2013 11:18 AM by 999025 RSS

    Is it possible bypass basic file authentication in glassfish using default

      I have a glassfish application with basic authentication enabled and a single user setup in the file security realm wth a single group named 'internal'.

      My web.xml is setup with an auth-constraint limited to 'internal' role, my glassfish-web.xml maps the group 'internal' to the role 'internal'

      I have one cluster with an app ('api') running that is already accessed internally without the need for authentication.

      I am trying to set up a standalone instance with a seperate config (publicapi) that runs the same app but can only access functionality of the publicapi rather than the api

      My approach has been to add basic authentication to api with a default principal (internal) in its config. The principal is mapped to a user (internal) in the file security realm that has a single group in its list of 'internal'. My understanding was this would be able to bypass the basic authentication when using this config but it has not.

      This is my config within the api project: glassfish-web.xml

      <glassfish-web-app error-url="">
      <class-loader delegate="true"/>
      <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>


      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
      <display-name>Limit non-internal principals</display-name>
      <web-resource-name>Secure Application</web-resource-name>
      <realm-name>Secure Area</realm-name>
      <description>Only accssible to internal roles</description>

      and sun-web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
      <sun-web-app error-url="">

      So is my understanding of being able to bypass the basic authentication using glssfish default principal flawed? Do default principals match to a user / group list that is added in the Glassfish control panel and therefore assocated with the same roles / groups? Any other info on how to correctly map the default principal to a security group and bypass authentication would be very useful. Thank you