Mantis Bugtracker

Viewing Issue Simple Details
ID: 0003333
Category: [Resin]
Severity: trivial
Reproducibility: always
Date Submitted: 02-09-09 12:59
Last Update: 03-18-09 12:14
Reporter: stbu
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version: 3.1.9
Summary 0003333: Snapshot 3.1.s090206: <secure/> causes ignoring of login-config and security-constraint
Description When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied.
When a non-SSL request is performed, Resin will respond with 403 Forbidden.
But when an SSL request is performed, the application is accessible without authentication.

The documentation contains:
The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>.

But this does not imply that <login-config> and other <security-constraint> are ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected.

However, I prefer to use
This is similar to <secure/>, but the Authentication is still requested.
Additional Information My testcase is using a simple resin-web.xml, here is the content.

<web-app xmlns=""
         xmlns:resin="">

  <!--
     - The <secure> flag requires that the web-app only be accessed
     - in a secure/SSL mode. Equivalent to a <security-constraint>.
     - When <secure/> is specified, the following BASIC Authentication
     - is not applied. When the request is an SSL request, the
     - Application is served.
     - Comment out <secure/> and the SSL request will require the
     - Authentication.
    -->

  <login-config auth-method="basic"/>
  <authenticator type="">
    <auth-constraint role-name='mytest'/>


The attached WAR can be used to reproduce it.

Resin must be configured with an SSL Port, such as

      <http port="8443">

from a test server certificate
Attached Files: test-secure.war (1,810 bytes) 02-09-09 12:59
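
A configuration audit for the condition described in this report, added here as an example and not taken from the reporter's test case or from Resin: it flags any <web-app> where <secure/> sits beside authentication settings on a version older than the 4.0.0 fix. The names `audit` and `SAMPLE`, the constructed sample, and treating every release before 4.0.0 as affected are assumptions; the report itself confirms only the 3.1.9 snapshot.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report's resin-web.xml (namespaces and
# authenticator omitted; the <security-constraint> wrapper is an assumption).
SAMPLE = """\
<web-app>
  <secure/>
  <login-config auth-method="basic"/>
  <security-constraint>
    <auth-constraint role-name="mytest"/>
  </security-constraint>
</web-app>
"""

FIXED_IN = (4, 0, 0)  # "Fixed in Version" from the issue history
AUTH_TAGS = {"login-config", "security-constraint", "authenticator"}


def local(tag):
    """Strip any '{namespace}' prefix ElementTree puts on a tag name."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, resin_version):
    """Return one finding per <web-app> whose auth settings sit next to
    <secure/> on a Resin version older than the fix."""
    if tuple(resin_version) >= FIXED_IN:
        return []
    findings = []
    for app in ET.fromstring(xml_text).iter():
        if local(app.tag) != "web-app":
            continue
        children = {local(child.tag) for child in app}
        shadowed = sorted(children & AUTH_TAGS)
        if "secure" in children and shadowed:
            findings.append({
                "web_app": app.get("id", "(no id)"),
                "ignored_over_ssl": shadowed,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, (3, 1, 9)):
        print("auth ignored for SSL requests:", finding)
```

A finding means the deployment should be checked by hand: an unauthenticated request to the SSL port must be answered with 401, not with the application content.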

- Relationships

- Notes
03-18-09 12:14


- Issue History
Date Modified Username Field Change
02-09-09 12:59 stbu New Issue
02-09-09 12:59 stbu File Added: test-secure.war
02-09-09 12:59 stbu Issue Monitored: stbu
03-18-09 12:14 ferg Note Added: 0003891
03-18-09 12:14 ferg Assigned To  => ferg
03-18-09 12:14 ferg Status new => closed
03-18-09 12:14 ferg Resolution open => fixed
03-18-09 12:14 ferg Fixed in Version  => 4.0.0
