Details
-
Bug
-
Resolution: Cannot Reproduce
-
Major
-
None
-
JBossAS-4.0.3 SP1, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1
-
None
Description
My WAR is configured to use FORM auth method.
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name></realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/LoginErrorPage.jsp</form-error-page>
  </form-login-config>
</login-config>
I also have a security constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>/index.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
So when a user tries to connect to any JSP or index.html, the login form is opened, and this works fine.
The problem occurs when the credentials are not valid.
The web container must call the form-error-page, so in my case LoginErrorPage.jsp.
But it seems that the web container applies the security constraint check and so calls the form-login-page (login.jsp) again.
I also tried to add the run-as role for the login JSPs.
<servlet>
  <servlet-name>login</servlet-name>
  <display-name>Login</display-name>
  <description>Login</description>
  <jsp-file>/login.jsp</jsp-file>
  <run-as>
    <role-name>everyone</role-name>
  </run-as>
</servlet>
<servlet>
  <servlet-name>loginError</servlet-name>
  <display-name>Login Error</display-name>
  <description>Login Error</description>
  <jsp-file>/LoginErrorPage.jsp</jsp-file>
  <run-as>
    <role-name>everyone</role-name>
  </run-as>
</servlet>
<servlet-mapping>
  <servlet-name>login</servlet-name>
  <url-pattern>/login.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>loginError</servlet-name>
  <url-pattern>/LoginErrorPage.jsp</url-pattern>
</servlet-mapping>
The role everyone is well declared...
Any idea?
Or is it a bug?
I think it's a bug because in every case the LoginErrorPage.jsp must run as the role name "everyone", and also because under WebSphere the same configuration works fine.
Maybe someone can reply that the problem is that I have added a security constraint to my LoginErrorPage.jsp page, so the container is behaving exactly as I have asked it to, and if I do not want my LoginErrorPage.jsp covered by this constraint then I should remove it. But... the same goes for Login.jsp... I put ALL JSPs under the security constraint...
Thank You
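
The overlap discussed in the report, where the `*.jsp` pattern of the security constraint also matches the FORM login and error pages, can be checked mechanically before deployment. The following is an added example, not part of the original report or of JBoss; the function names and the `<web-app>` wrapper around the report's fragments are constructed for illustration, and the check lists every matching pattern rather than applying the servlet specification's best-match ranking.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragments from the report, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/LoginErrorPage.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def local(tag):
    # Strip any XML namespace so DTD-based and schema-based descriptors both parse.
    return tag.rsplit("}", 1)[-1]

def matches(pattern, path):
    """url-pattern matching: exact, /prefix/*, *.ext and '/' (no best-match ranking)."""
    if pattern == path or pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def covered_form_pages(web_xml):
    """Return {page: [patterns]} for FORM login/error pages under an auth-constraint."""
    root = ET.fromstring(web_xml)
    pages, patterns = [], []
    for el in root.iter():
        name = local(el.tag)
        if name in ("form-login-page", "form-error-page") and el.text:
            pages.append(el.text.strip())
        elif name == "security-constraint":
            # Only constraints that carry an auth-constraint restrict access.
            if any(local(c.tag) == "auth-constraint" for c in el):
                patterns += [p.text.strip() for p in el.iter()
                             if local(p.tag) == "url-pattern" and p.text]
    hits = {pg: [pt for pt in patterns if matches(pt, pg)] for pg in pages}
    return {pg: pts for pg, pts in hits.items() if pts}
```

Calling `covered_form_pages(WEB_XML)` on the sample reports both `/login.jsp` and `/LoginErrorPage.jsp` as matched by `*.jsp`.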