On Aug 5, 2006, at 11:09 PM, Vamsavardhana Reddy wrote:
Hi,
I have a web application that has the following security-constraint
in the web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/secure/AuthorizationServlet</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
My application does not use any security roles and does not
authenticate against any security realm. All this
security-constraint does is that the requests are forwarded to the
HTTPS port (enabled for ClientAuth) and the application uses Client
Certificates for authorization. In G1.0, I could deploy this
application without using a geronimo-web.xml and the application
runs fine.
G1.1 does not allow me to deploy this application without a
deployment plan. Even with a deployment plan, G1.1 comes back with
errors that there are no security elements in the deployment plan.
The following messages are displayed in the console.
Deployer operation failed: web.xml for web app tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo deployment plan is not provided or does not contain <security-realm-name> element necessary to configure security accordingly.
org.apache.geronimo.common.DeploymentException: web.xml for web app tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo deployment plan is not provided or does not contain <security-realm-name> element necessary to configure security accordingly.
Clearly, I cannot put any security-realm-name and role-mapping
elements in geronimo-web.xml. If I put a security-realm-name tag
and/or role-mappings to get past the deployment, access to the
resource will be denied since I have not put any auth-constraint
tags in web.xml.
Did you check this? I'd expect that everything would work as
expected if you supply a security-realm-name and that you will be
able to access pages without logging in.
Any suggestions on how to get past this problem? Or is this a bug
in G1.1?
I have to regard it as a bug in G1.1, although if supplying a
security-realm-name works it's a fairly minor bug. I'm very curious
about whether G1.0 actually enforced the CONFIDENTIAL
user-data-constraint: my guess is that it did not.
thanks
david jencks
Thanks and regards,
Vamsi
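David's closing doubt, whether the container ever enforced the CONFIDENTIAL user-data-constraint, is the reason a servlet that relies on client certificates for authorization should not trust the transport guarantee alone. The following is an added example, not Vamsi's AuthorizationServlet and not Geronimo code: a servlet that re-checks in code what the constraint and the ClientAuth connector are expected to provide (a TLS request and a client certificate chain exposed under the standard `javax.servlet.request.X509Certificate` attribute), and fails closed when either is missing. The class name, the allow-list of subject DNs and the sample DN are assumptions made up for the example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example servlet (hypothetical name): authorizes on the TLS client
// certificate and refuses to serve anything if the request did not arrive
// over a ClientAuth HTTPS connector, regardless of what the container's
// user-data-constraint did or did not enforce.
public class ClientCertCheckServlet extends HttpServlet {

    // Constructed allow-list of certificate subjects (RFC 2253 form, as returned
    // by X500Principal.getName()); a real application would load this from
    // configuration rather than hard-code it.
    private static final String[] ALLOWED_SUBJECTS = {
        "CN=example-client,O=Example"
    };

    // Returns the end-entity certificate the connector presented, or null if the
    // connector did not perform client authentication for this request.
    static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            if (chain.length > 0) {
                return chain[0]; // chain[0] is the client's own certificate
            }
        }
        return null;
    }

    // Exact-string match against the allow-list; DN string comparison is only
    // safe because both sides come from X500Principal.getName() in the same form.
    static boolean isAuthorizedSubject(String subjectDn) {
        for (String allowed : ALLOWED_SUBJECTS) {
            if (allowed.equals(subjectDn)) {
                return true;
            }
        }
        return false;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. The request must have come in over TLS. If the container forwarded
        //    to HTTPS as the CONFIDENTIAL constraint requires, this is true; if
        //    the constraint was silently ignored, we stop here instead of serving
        //    an authorization decision over plaintext.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // 2. The connector must have asked for (and verified) a client certificate.
        X509Certificate cert = clientCertificate(req);
        if (cert == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // 3. Defense in depth: the connector already validated the chain against
        //    its truststore, but re-checking the validity period costs nothing.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        // 4. Application-level authorization on the certificate subject.
        String subjectDn = cert.getSubjectX500Principal().getName();
        if (!isAuthorizedSubject(subjectDn)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "subject not authorized");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("authorized as " + subjectDn);
    }
}
```

Deploying this behind the web.xml constraint from the original message gives two independent checks: the container is supposed to redirect to the ClientAuth HTTPS port, and the servlet refuses to answer unless that actually happened. If G1.0 was not enforcing CONFIDENTIAL, an application written this way would have surfaced it as a 403 rather than serving the resource over HTTP.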