Today I came across a strange problem in Geronimo: I wanted to grant access to everyone (even to those who are not logged in) to a URL which is protected by a <security-constraint>. So I defined a <default-principal> in my geronimo-web.xml and assigned this user to my role which is required to access the URL. To my surprise the login form appeared every time I tried to access the URL.
After some research on the net I found the Geronimo bug 2564, which describes my problem pretty precisely. I also found the blog entry "Inconsistency between Servlet specification implementations", which reveals different implementations of the security part of J2EE. In a foil about J2EE security I spotted the following phrase which would explain my problems:
"Authorization-constraint imposes authentication"

So I removed the <security-constraint> from my URL and accepted that J2EE (or its implementations?) are not perfect in every way...
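
The situation described above, as an added web.xml fragment that is not taken from the original post. The URL patterns, the role name `member` and the login page paths are assumptions chosen for illustration.

```xml
<!-- Constructed web.xml fragment (standard Servlet deployment descriptor). -->
<web-app>

  <!-- Protected area: the <auth-constraint> makes the container authenticate
       the caller before it evaluates the role. This is the behaviour the post
       ran into: a default principal mapped to the role did not prevent the
       login form from appearing. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members-area</web-resource-name>
      <url-pattern>/members/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>           <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- Public URL: no <security-constraint> with an <auth-constraint> covers
       /public/*, so the container accepts the request without requiring
       authentication. This mirrors the fix in the post (removing the
       constraint from the URL that everyone should reach).
       Caution: an EMPTY <auth-constraint/> is not the same thing, it denies
       access to everyone. -->

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

When reviewing a descriptor like this, check that every URL meant to be public really falls outside all patterns that carry an `<auth-constraint>`, and that nothing sensitive shares the public path prefix.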