try in a different servlet container

-igor
On Tue, May 26, 2009 at 4:56 AM, Matthias Keller <[email protected]> wrote:
> Hi
>
> We have a wicket application which should be completely secured by FORM
> authentication by the webserver.
> For that, we have the following in web.xml:
>
> <security-constraint>
>   <display-name>Secured pages</display-name>
>   <web-resource-collection>
>     <web-resource-name>All Pages</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>someRole</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Secure Everything</realm-name>
>   <form-login-config>
>     <form-login-page>/login</form-login-page>
>     <form-error-page>/login/login-error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <description>User security role</description>
>   <role-name>someRole</role-name>
> </security-role>
> <security-role>
>   <description>User security role</description>
>   <role-name>someOtherRole</role-name>
> </security-role>
>
> Unfortunately, it seems that every user having ANY role gets access to the
> wicket pages.
> For example a user with role someOtherRole will get access to the main
> page, as its url is for example:
> http://localhost:7001/app/?wicket:interface=:2::::
> When he tries to access a mounted page though, he gets the Error
> 403--Forbidden as expected.
> But he should also get this error when trying to access the home page of the
> wicket app.
> I suspect it has something to do with the /* url-pattern not catching the
> /?wicket:interface=:2:::: ???
>
> Thanks for your help!!
>
> Matt
>
> --
> [email protected] +41 44 268 83 98
> Ergon Informatik AG, Kleinstrasse 15, CH-8008 Zürich
> http://www.ergon.ch
> ______________________________________________________________
> e r g o n smart people - smart software
