Hi,

I'm trying to secure a portlet application. So I have added the
"security-constraint" section to its web.xml (btw, environment is
JBoss-4.0.4, i.e. Tomcat 5.5.x).

Invoking the portlet still works (I suspect that security constraints
aren't checked in the cross-context invocation from the portal to the
portlet). But my portlet application also includes a servlet for
resource delivery. When the browser tries to load these resources (while
rendering the portlet's content) access to the resource servlet fails
(403 access denied).

I have checked that the browser uses the same session cookie when
requesting the portal page and when requesting the resources from the
portlet application.

Obviously, the security context established in the initial portal
request is not used when accessing the resource servlet, although the
session is the same.

Is this a bug? A feature? Any help appreciated.

Regards,

    Michael

-- 
Dr. Michael N. Lipp
Solution Architect

Danet GmbH, Gutenbergstraße 10, 64331 Weiterstadt, Germany
Phone: +49 6151 868-476, Fax: +49 6151 868-264
eMail: [EMAIL PROTECTED], URL: www.danet.com
-----------------------------------------------------------------------
Managing Board: Dr. Reiner Nickel (CEO), Dr. Burkhard Austermühl (CFO);
Chairman of the Supervisory Board: Jaques Bentz; Address of Record:
Weiterstadt; Commercial Register: Amtsgericht Darmstadt HRB 6450;
Tax Number: DE 172 993 071
