security-constraint always triggers login process - Weblogic


  1. security-constraint always triggers login process

    It appears that WebLogic always triggers the login process whenever there is a security constraint defined in web.xml, even when the security-constraint doesn't contain an auth-constraint. That doesn't seem like the correct behavior.

    For instance, let's suppose I have the following web.xml deployment descriptor.

    [pre]
    ...
    <security-constraint>
      <display-name>SSL</display-name>
      <web-resource-collection>
        <web-resource-name>all pages</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-constraint>
      <display-name>Login</display-name>
      <web-resource-collection>
        <web-resource-name>login page</web-resource-name>
        <url-pattern>/login.action</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    ...
    [/pre]

    In this scenario, I simply want to make sure that users are required to establish SSL connections to view any page in my application. Additionally, I want to require that users present a client certificate when they visit the login page.

    The problem with this scenario is that anytime a user attempts to visit one of the SSL-required pages other than the login page, WebLogic attempts to authenticate them by requiring a certificate. I don't want a user to have to present a certificate to simply browse the site.

    It seems to me that a security-constraint that does not define an auth-constraint should not cause the login process defined by the login-config element to be triggered.

    What is the correct behavior?
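    As an added illustration (not code from the thread or from WebLogic), here is a small Python model of how a Servlet container is expected to process a request against the two constraints above: the transport guarantee is enforced first, and the CLIENT-CERT login mechanism is triggered only when the best-matching constraint carries an auth-constraint. The `Constraint` type, the `evaluate`/`decision` helpers and the sample request paths are all assumptions of the example.

```python
# Added example (not WebLogic's code): a model of how a Servlet container is
# expected to evaluate the two <security-constraint> elements in the web.xml
# above. Matching is reduced to exact and "/*" patterns; combination rules are simplified.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Constraint:
    name: str
    url_patterns: List[str]
    transport: str = "NONE"                 # <transport-guarantee>
    auth_roles: Optional[List[str]] = None  # None: no <auth-constraint> present

def matches(pattern: str, path: str) -> bool:
    """url-pattern match: exact, or path prefix for patterns ending in /*."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def evaluate(constraints, path, scheme, authenticated=False):
    """Return REDIRECT_TLS, DENY, AUTHENTICATE or ALLOW for one request."""
    # Servlet spec (section 13.8): only constraints on the best-matching
    # url-pattern apply (an exact pattern beats a prefix; longest prefix wins).
    candidates = [(p, c) for c in constraints for p in c.url_patterns if matches(p, path)]
    if not candidates:
        return "ALLOW"
    best = max(candidates, key=lambda pc: (not pc[0].endswith("/*"), len(pc[0])))[0]
    applicable = [c for p, c in candidates if p == best]
    # The transport guarantee is enforced before any authentication is attempted.
    if any(c.transport == "CONFIDENTIAL" for c in applicable) and scheme != "https":
        return "REDIRECT_TLS"
    # The login mechanism (CLIENT-CERT here) runs only when a matching constraint
    # carries an <auth-constraint>; an <auth-constraint/> with no roles denies all.
    if any(c.auth_roles is None for c in applicable):
        return "ALLOW"
    if any(c.auth_roles == [] for c in applicable):
        return "DENY"
    return "ALLOW" if authenticated else "AUTHENTICATE"

# Constructed from the two constraints in the poster's web.xml.
WEB_XML_CONSTRAINTS = [
    Constraint("SSL", ["/*"], transport="CONFIDENTIAL"),
    Constraint("Login", ["/login.action"], transport="CONFIDENTIAL", auth_roles=["*"]),
]

def decision(path, scheme, authenticated=False):
    """Decision the poster expects for a request against the web.xml above."""
    return evaluate(WEB_XML_CONSTRAINTS, path, scheme, authenticated)
```

    Under this model a request for `/index.jsp` over HTTPS is allowed without any certificate, while `/login.action` over HTTPS triggers authentication; a certificate prompt on every page indicates the container is not restricting the login mechanism to constraints that carry an auth-constraint.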

  2. Re: security-constraint always triggers login process

    hi,

    from what I understand you have understood it correctly. The web.xml should as far as I can see give the desired behaviour.

    I acknowledge that I am no SSL-expert and for what I know, the client-cert needs to be exchanged upon creating an SSL-session.

    BTW:
    Have you tried to disable the http - port, removing the user-data constraints and the security-constraint named SSL?

    I have not tested this and have no clue as to whether this will work.

    - Anders M.

  3. Re: security-constraint always triggers login process

    Thanks for your reply. I have successfully tried turning off the http port and removing the SSL security constraint but that has the undesired effect of requiring every other application in the domain to only be available over HTTPS.

    From your understanding, does it appear that there is a bug in WebLogic?
