Question
I created a very simple Weblogic 10.3.5 web application with BASIC Authentication that for some reason doesn't prompt for the username and password. I believe the web.xml and weblogic.xml are created properly. The entire application is below.
It consists of two files:
- index.html -- that anyone should be able to load
- remoteuser.jsp -- that only people in 'group' should be able to load
I added an <auth-constraint> for all JSPs (*.jsp), such that only users in 'group' should be able to load them. However, when I load the URL "/remoteuser.jsp", it displays "The remote user is null", and doesn't prompt for a username and password. This causes the JSP to also print out null instead of the remote user's name.
The <auth-method> is, of course, set to BASIC.
I currently don't even have any groups defined in Weblogic's Security Realm, because I want to watch it fail first.
According to this Weblogic documentation (http://docs.oracle.com/cd/E15051_01/wls/docs103/security/thin_client.html#wp1037337), I believe that I'm doing everything correctly.
Do I have to modify the Weblogic Security Realm's Authentication Provider? Or some other setting?
I know that I'm doing something silly, but can't see it. Please help!
SOURCE FILES
web.xml
<web-app>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>group</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>group</role-name>
  </security-role>
</web-app>
weblogic.xml
<weblogic-web-app>
  <security-role-assignment>
    <role-name>group</role-name>
    <principal-name>group</principal-name>
  </security-role-assignment>
</weblogic-web-app>
remoteuser.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Remote User</title>
</head>
<body>
<p>
Only users in "group" should be able to load this page.
</p>
<p>
The remote user is <%= request.getRemoteUser() %>
</p>
</body>
</html>
index.html
<html>
<head><title>WebLogic Test</title></head>
<body>
<h1>Everyone should be able to see this.</h1>
</body>
</html>
Answer 1:
Well...it's working now, but I'm not completely sure exactly what I did to cause that.
I do know that it works when deploying the application using a Security Model of "DD Only" or "Custom Roles".
However, it fails when deployed with "Custom Roles and Policies", which seems extremely confusing to me, since the description of this is "Use only roles and policies that are defined in the Administration Console."
And that is exactly where I am defining the roles and policies!! Sigh.
Answer 2:
You are defining the roles and policies in the web.xml / weblogic.xml.
If you want to use custom roles and policies, you can configure them from the console in the application's roles and policies.
Source: https://stackoverflow.com/questions/13755195/weblogic-server-basic-authentication-not-prompting-for-username
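A read-only audit of the two descriptors from the question, added here as an example and not part of the original thread: it reports which URL patterns require which roles, the role-to-principal mapping, and descriptor-level gaps. The function name `audit` and the wording of its findings are assumptions of this example, and the embedded XML is constructed from the question's files. A clean result only shows that the descriptors are consistent; as the answers describe, the security model chosen at deployment decides whether they are used.

```python
import xml.etree.ElementTree as ET

# Constructed input: the question's descriptors, trimmed to the security elements.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>group</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>group</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>group</role-name>
    <principal-name>group</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def _all(node, name):
    # Match on local name so descriptors that declare an XML namespace also parse.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [(e.text or "").strip() for e in _all(node, name)]

def audit(web_xml, weblogic_xml):
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = {r for sr in _all(web, "security-role") for r in _texts(sr, "role-name")}
    mapping = {r: _texts(a, "principal-name")
               for a in _all(wls, "security-role-assignment") for r in _texts(a, "role-name")}
    methods, protected, findings = _texts(web, "auth-method"), {}, []
    for sc in _all(web, "security-constraint"):
        patterns, acs = _texts(sc, "url-pattern"), _all(sc, "auth-constraint")
        if not acs:  # a constraint without auth-constraint never triggers a login
            findings.append(f"{patterns}: no <auth-constraint>, so no login is required")
            continue
        roles = _texts(acs[0], "role-name")
        if not roles:  # an auth-constraint naming no roles blocks everyone
            findings.append(f"{patterns}: empty <auth-constraint> denies every user")
        protected.update(dict.fromkeys(patterns, roles))
        findings += [f"role '{r}' is not declared in a <security-role>"
                     for r in roles if r != "*" and r not in declared]
    if protected and not methods:
        findings.append("constraints present but no <login-config>/<auth-method>")
    return {"auth_method": methods[0] if methods else None,
            "protected": protected, "role_to_principals": mapping, "findings": findings}

print(audit(WEB_XML, WEBLOGIC_XML))
```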