Hi

We have a wicket application which should be completely secured by FORM authentication by the webserver.
For that, we have the following in web.xml:
    <security-constraint>
        <display-name>Secured pages</display-name>
        <web-resource-collection>
            <web-resource-name>All Pages</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>someRole</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Secure Everything</realm-name>
        <form-login-config>
            <form-login-page>/login</form-login-page>
            <form-error-page>/login/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>User security role</description>
        <role-name>someRole</role-name>
    </security-role>
    <security-role>
        <description>User security role</description>
        <role-name>someOtherRole</role-name>
    </security-role>
Unfortunately, it seems that every user having ANY role gets access to the wicket pages.

For example a user with role someOtherRole will get access to the main page, as its url is for example:

http://localhost:7001/app/?wicket:interface=:2::::

When he tries to access a mounted page though, he gets the Error 403--Forbidden as expected. But he should also get this error when trying to access the home page of the wicket app. I suspect it has something to do with the /* url-pattern not catching the /?wicket:interface=:2:::: ???
Thanks for your help!!

Matt

--
[email protected]
+41 44 268 83 98
Ergon Informatik AG, Kleinstrasse 15, CH-8008 Zürich
http://www.ergon.ch
______________________________________________________________
e r g o n   smart people - smart software
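The question hinges on how a servlet container matches a security-constraint against a request. The following is an added model of that matching written for this page; it is not container code and not part of the original post. It applies the servlet-spec rules that matter here: the url-pattern is compared against the request path inside the context (the query string is never part of the match, so `/*` does cover `/?wicket:interface=...`), the constraint only applies to the listed http-methods (an empty list means every method), and access is granted only when the caller holds one of the auth-constraint roles. The constraint objects below are transcribed from the web.xml in the post; the context path `/app` and the "FIXED" variant without an http-method list are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SecurityConstraint:
    """One <security-constraint> from web.xml (simplified)."""
    url_patterns: list
    roles: set                                   # <auth-constraint> role-names
    http_methods: set = field(default_factory=set)  # empty = constrain all methods


# Transcribed from the poster's web.xml: /* for GET and POST, role someRole only.
POSTED_CONSTRAINTS = [
    SecurityConstraint(["/*"], {"someRole"}, {"GET", "POST"}),
]

# Constructed variant: same pattern and role, but no <http-method> elements,
# so the constraint covers every HTTP method (HEAD, OPTIONS, PUT, ...).
FIXED_CONSTRAINTS = [
    SecurityConstraint(["/*"], {"someRole"}),
]


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: exact, path-prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern in ("", "/"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def context_relative_path(context_path: str, url: str) -> str:
    """Strip scheme, host, context path and query string; only the remaining path is matched."""
    path = urlsplit(url).path
    if path.startswith(context_path):
        path = path[len(context_path):]
    return path or "/"


def decide(constraints, context_path: str, url: str, method: str, user_roles) -> str:
    """Return 'unconstrained' (no constraint applies), 'allow' or '403'."""
    path = context_relative_path(context_path, url)
    applicable = [
        c for c in constraints
        if any(pattern_matches(p, path) for p in c.url_patterns)
        and (not c.http_methods or method in c.http_methods)
    ]
    if not applicable:
        return "unconstrained"      # container serves it with no authentication at all
    permitted = set().union(*(c.roles for c in applicable))
    return "allow" if permitted & set(user_roles) else "403"


if __name__ == "__main__":
    home = "http://localhost:7001/app/?wicket:interface=:2::::"
    mounted = "http://localhost:7001/app/mounted/page"
    for roles in ({"someRole"}, {"someOtherRole"}):
        for url in (home, mounted):
            print(sorted(roles), context_relative_path("/app", url),
                  "GET ->", decide(POSTED_CONSTRAINTS, "/app", url, "GET", roles))
    # Only GET/POST are listed in the posted web.xml, so HEAD is not constrained at all;
    # dropping the <http-method> elements makes the constraint cover every method.
    print("HEAD, posted  ->", decide(POSTED_CONSTRAINTS, "/app", home, "HEAD", {"someOtherRole"}))
    print("HEAD, fixed   ->", decide(FIXED_CONSTRAINTS, "/app", home, "HEAD", {"someOtherRole"}))
```

Under these rules a GET for `/app/?wicket:interface=:2::::` by a user holding only someOtherRole resolves to the path `/`, is matched by `/*`, and is refused with 403 exactly like the mounted page, so the query string is not what lets the home page through. The model also shows the one gap the posted web.xml does have: because only GET and POST are listed, any other method on the same URLs is unconstrained, which omitting the http-method elements closes.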