I have a problem with authentication on Tomcat. I use
RoleAuthorizationStrategy and form-based container-managed authentication.
What happens is that Tomcat always asks the user to authenticate twice.

I have looked into it a little further and essentially the first login is
the Wicket login and the second is when Tomcat is happy the user has access.
Wicket ignores the second login.

Here is a snippet from my web.xml:
<security-constraint>
        <!-- give the world access to the stylesheets -->
        <display-name>images and css</display-name>
        <web-resource-collection>
                <web-resource-name>images and css</web-resource-name>
                <url-pattern>/css/*</url-pattern>
                <url-pattern>/images/*</url-pattern>
        </web-resource-collection>
</security-constraint>
<security-constraint>
        <!-- restrict access to the webapp -->
        <display-name>security constraint</display-name>
        <web-resource-collection>
                <web-resource-name>all resources</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <description>Admins, users and internal users, see RTROLES</description>
                <!-- role name refers to group in ldap -->
                <role-name>ADMIN</role-name>
                <role-name>USER</role-name>
                <role-name>INTERNAL</role-name>
        </auth-constraint>
</security-constraint>
        
If I remove the security constraint where I give the world access to the
css & images folders, I do not only lose the formatting on the login form but
also on the app. But only until the user logs in the second time, when the
stylesheets become accessible.

I can use the credentials of any user for the second login; Wicket will
ignore them and I remain logged in as the original user.

Am I missing something obvious?
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Measure-once-login-twice-tp3042978p3042978.html
Sent from the Users forum mailing list archive at Nabble.com.
