2 Replies Latest reply: Jul 16, 2014 2:42 AM by 547639

    Security rule in web.xml not honoured

    547639

      Hello,

       

      Created and deployed a WAR on WebLogic. Please see weblogic.xml and web.xml below:

       

      <?xml version="1.0" encoding="windows-1252" ?>
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <security-role-assignment>
               <role-name>mobile</role-name>
               <principal-name>Mobile</principal-name>
           </security-role-assignment>
      </weblogic-web-app>

       

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="2.5"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

              <security-constraint>
                      <web-resource-collection>
                              <web-resource-name>Test</web-resource-name>
                              <url-pattern>/OA_HTML/RF.jsp?function_id=function</url-pattern>
                              <http-method>GET</http-method>
                              <http-method>POST</http-method>
                      </web-resource-collection>
                      <auth-constraint>
                        <role-name>mobile</role-name>
                      </auth-constraint>
              </security-constraint>

              <login-config>
                      <auth-method>BASIC</auth-method>
              </login-config>
              <security-role>
                <role-name>mobile</role-name>
              </security-role>
      </web-app>

       

      On making an HTTP call to the above URL (i.e. /OA_HTML/RF.jsp?function_id=function) with an invalid user, the request goes through successfully.

       

      Can you see anything wrong here?

       

      Thanks in advance,

      Vikas
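
Added example, not part of the original post and not WebLogic code: a small Python model of the Servlet specification's `url-pattern` rules, which match the context-relative request path with the query string and path parameters removed. It checks the pattern from the posted web.xml against the request from the post; the path-only pattern, the empty default context root and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Pattern from the posted web.xml, and a path-only alternative (an assumption).
POSTED = "/OA_HTML/RF.jsp?function_id=function"
PATH_ONLY = "/OA_HTML/RF.jsp"


def match_path(request_target: str, context_root: str = "") -> str:
    """Return the context-relative path that url-patterns are compared with."""
    path = urlsplit(request_target).path          # query string is dropped here
    # Path parameters such as ;jsessionid=... are dropped as well.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if context_root and (path == context_root or path.startswith(context_root + "/")):
        path = path[len(context_root):]
    return path or "/"


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: path prefix, extension, default, exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":
        return True
    return pattern == path


def constraint_applies(pattern: str, request_target: str, context_root: str = "") -> bool:
    """True if a security-constraint with this url-pattern covers the request."""
    return pattern_matches(pattern, match_path(request_target, context_root))


if __name__ == "__main__":
    # Constructed request, using the URL quoted in the post.
    target = "/OA_HTML/RF.jsp?function_id=function"
    for pat in (POSTED, PATH_ONLY, "/OA_HTML/*", "*.jsp"):
        print(f"{pat!r:45} applies: {constraint_applies(pat, target)}")
```

Because the query string never takes part in the match, a constraint cannot be scoped to a single `function_id` value; a path-only pattern covers every request to `RF.jsp`.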