Question

Good day!

I'm trying to secure my web application with role-based security in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>RESTRICTED</web-resource-name>
        <description>Resources to be placed under security control</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>ACCESS ROLE</description>
    <role-name>manager</role-name>
</security-role>

and since I use WebLogic, there is a weblogic-application.xml with the following lines:

<security>
    <security-role-assignment>
        <role-name>manager</role-name>
        <principal-name>manager</principal-name>
    </security-role-assignment>
</security>

The idea is that if a user is already authenticated (Web SSO), he has a role and the application must grant access to such a user.

The problem is that even if a user has the required role, the application presents a basic login form.

I've tried adding this line:

<login-config/>

to web.xml, relying on the article, which says this line makes all pages public (I thought it would remove the login form but keep the role security), but that hasn't worked.

Does anybody know how to remove the login form while keeping the role security?

UPDATE: Inside my WebLogic there is a handwritten identity asserter that checks a user's token. If the token is present, the asserter creates a principal and lets the user into the system.

An interesting fact: if I use the Firefox browser there is no login form at all, but in Chrome the basic login form is always there...


Solution

OK, I finally found a solution; it is actually described in this article, in the 'Using Identity Assertion for Web Application Authentication' section. I added these lines to web.xml:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

and that worked.
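An added example (not code from the question, the answer, or WebLogic itself): a small Python check that audits a web.xml deployment descriptor for the conditions discussed in this thread. It flags a missing or empty `<login-config>` (the Servlet specification defaults to BASIC in that case, which is where the browser prompt comes from), an `<auth-method>` other than CLIENT-CERT (the setting the answer needs so WebLogic hands the request to the identity asserter), and a `<security-constraint>` that has no `<auth-constraint>` and therefore leaves its URLs public. The sample descriptors are constructed for this example.

```python
"""Audit a Java EE web.xml for the identity-assertion setup discussed above.

Added example, not code from the original question or answer, and not part
of WebLogic. The sample descriptors below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ROLE = "manager"
AUTH_CONSTRAINT = f"<auth-constraint><role-name>{ROLE}</role-name></auth-constraint>"
CLIENT_CERT = "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>"


def make_web_xml(auth_constraint, login_config):
    """Build a minimal constructed web.xml around the two elements under test."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RESTRICTED</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    {auth_constraint}
  </security-constraint>
  <security-role><role-name>{ROLE}</role-name></security-role>
  {login_config}
</web-app>
"""


# The asker's first attempt, the fix from the answer, and a silent misconfiguration.
WEB_XML_EMPTY_LOGIN_CONFIG = make_web_xml(AUTH_CONSTRAINT, "<login-config/>")
WEB_XML_CLIENT_CERT = make_web_xml(AUTH_CONSTRAINT, CLIENT_CERT)
WEB_XML_NO_AUTH_CONSTRAINT = make_web_xml("", CLIENT_CERT)


def _local(tag):
    """Drop the namespace prefix so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem whose local tag name is `name`."""
    return [e for e in elem.iter() if e is not elem and _local(e.tag) == name]


def _texts(elem, name):
    """Stripped text content of every descendant named `name` that has text."""
    return [e.text.strip() for e in _descendants(elem, name) if e.text]


def audit_web_xml(text):
    """Return a list of findings; an empty list means the descriptor is as expected."""
    root = ET.fromstring(text)
    findings = []

    constraints = _descendants(root, "security-constraint")
    if not constraints:
        findings.append("no security-constraint: no URL is protected")
    for sc in constraints:
        patterns = _texts(sc, "url-pattern")
        auth = _descendants(sc, "auth-constraint")
        if not auth:
            # A constraint without <auth-constraint> imposes no authorization at all.
            findings.append(f"constraint on {patterns} has no auth-constraint: those URLs are public")
        elif not _texts(auth[0], "role-name"):
            # An empty <auth-constraint/> denies everyone.
            findings.append(f"constraint on {patterns} has an empty auth-constraint: nobody can reach those URLs")

    login = _descendants(root, "login-config")
    methods = _texts(login[0], "auth-method") if login else []
    if not login or not methods:
        # Servlet spec default when no auth-method is configured is BASIC.
        findings.append("missing or empty login-config: container defaults to BASIC and will prompt for credentials")
    elif methods[0] != "CLIENT-CERT":
        # Per the article cited in the answer, WebLogic uses identity assertion only for CLIENT-CERT.
        findings.append(f"auth-method is {methods[0]}, not CLIENT-CERT: the identity asserter will not be consulted")
    return findings


if __name__ == "__main__":
    for name, doc in [("empty login-config", WEB_XML_EMPTY_LOGIN_CONFIG),
                      ("CLIENT-CERT", WEB_XML_CLIENT_CERT),
                      ("no auth-constraint", WEB_XML_NO_AUTH_CONSTRAINT)]:
        print(name, "->", audit_web_xml(doc) or ["ok"])
```

Run it against a real descriptor with `audit_web_xml(open("WEB-INF/web.xml").read())`; the namespace-stripping helper lets the same check work for descriptors with or without the `xmlns` declaration. Note that it only inspects web.xml: the role-to-principal mapping in weblogic.xml / weblogic-application.xml still has to match the `<role-name>` values, and the check does not verify that.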

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow