Authentication/Security Constraint problem

srinivas nedunuri

Joined: Dec 11, 2002
Posts: 16
I have a simple web app on WAS 4.0.5 which is set up to use Basic Login. I have listed the main controller servlet (not the main index.html page) as a protected resource by defining a security constraint, in which the resource is accessible to AllAuthenticatedUsers. I have also enabled security in the Security Center.
However, when I try accessing the app, I do not get the basic login dialog box. Instead access goes straight to the controller servlet, which attempts to call getUserPrincipal and this of course fails, since authentication was not carried out.
I have tried all manner of URL pattern names:
but to no avail.
Anyone have an idea what the problem is?

Truth is one; the wise call it by many names (Rig Veda I.64.46)
Kyle Brown
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
How do you access your subcontrollers? Are you using HTML parameters, (e.g. /servlet/mycontroller?subcontrollername=someothercontroller) or are you using the rest of the URI (e.g. /servlet/mycontroller/someothercontroller)?

Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at for other WebSphere information.
srinivas nedunuri

Joined: Dec 11, 2002
Posts: 16
Well, I managed to get around this specific problem by defining a role/group that has something other than AllAuthenticatedUsers in it. (Although I am not sure why. It seems WAS is confusing authentication with authorization.) However, when I type in a userid + password that I know is in the CustomRegistry (because it is accepted by the Security Center in the Administration Console), I get an exception stack trace and the following error messages in the stdout log file:

Any light you can shed would be most appreciated!
Mitan Chandihok

Joined: Dec 31, 2002
Posts: 15
Are you trying to authenticate off a true WAS server or WSAD? Also, are you trying to authenticate off the local OS?
As far as any other problems go, I have done some fooling with authentication. Start off easy: map your control servlet, say with the name controlServlet, to /controlServlet and /secure/controlServlet. Then in your security constraints throw in /secure/* as a protected resource. Define what's protected to that resource and try to log on using basic authentication. Once that works as planned, add in the getUserbyRole programmatic authorization code and test that. Remember, in order to authorize EJBs, programmatic authorization code doesn't necessarily have to be there.
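As an added illustration of the mapping layout suggested in the post above (not part of the original post, and not the poster's or IBM's code), this Python check reads a web.xml and lists servlet mappings that no auth-constrained url-pattern covers, which is the situation where a servlet is reached with no Basic login prompt. The descriptor and the role name appUser are constructed for the example, and http-method restrictions are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated descriptor (DTD-style web.xml, no XML namespace):
# one servlet mapped twice, with only /secure/* listed as a protected resource.
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>controlServlet</servlet-name>
    <url-pattern>/controlServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>controlServlet</servlet-name>
    <url-pattern>/secure/controlServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>appUser</role-name></security-role>
</web-app>"""

def covers(constraint, mapping):
    """True if a constraint url-pattern covers every URL of a mapping pattern."""
    if constraint == mapping:
        return True
    if constraint.endswith("/*"):            # path-prefix pattern
        prefix = constraint[:-2]
        return mapping == prefix or mapping.startswith(prefix + "/")
    if constraint.startswith("*."):          # extension pattern
        return mapping.endswith(constraint[1:])
    return False

def unprotected_mappings(web_xml):
    """Return (servlet-name, url-pattern) pairs not covered by an auth-constraint."""
    root = ET.fromstring(web_xml)
    protected = [p.text.strip()
                 for sc in root.iter("security-constraint")
                 if sc.find("auth-constraint") is not None
                 for p in sc.iter("url-pattern")]
    return [(m.findtext("servlet-name").strip(), m.findtext("url-pattern").strip())
            for m in root.iter("servlet-mapping")
            if not any(covers(c, m.findtext("url-pattern").strip()) for c in protected)]

if __name__ == "__main__":
    for name, pattern in unprotected_mappings(WEB_XML):
        print(f"{name} is reachable without a login challenge at {pattern}")
```

With this layout the check reports the /controlServlet mapping: the same servlet stays reachable without authentication at that path, so a getUserPrincipal call made there has no authenticated user to return.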
srinivas nedunuri

Joined: Dec 11, 2002
Posts: 16
I am authenticating using WAS. I don't have WSAD. My current implementation uses Custom Registry. I have also tried the OS based registry option. However, I am unable to restart the admin service (as it tells you to do) with that option, so I have given up on that one.
The problem is no longer with the login dialog not coming up (see my other post). Rather the authentication mechanism is somehow rejecting the attempts at logging in. I am not sure why. The id and password that I am using are present in the registry, as verified by the Security Console.
srinivas nedunuri

Joined: Dec 11, 2002
Posts: 16
Well, I think I've discovered the source of the problem (but not the cure).
When you use LocalOS as the Registry, after you've made your changes, and restarted the admin server, you see that the changes have been propagated to sas.server.props. In particular, it sets the ibm...CORBA.securityEnabled flag to true.
However, with CustomRegistry, WAS Admin does not do this. This looks like a bug to me, but can anyone from IBM confirm?