401 Unauthorized when failing security constraint of servlet?

Hi,

I have a servlet with a security constraint in its web.xml deployed on GlassFish.
Works great, clients with a trusted certificate can access the servlet, and those without see nothing (no response).

But I'd like to play nice and respond with a 401 Unauthorized instead of an empty response to those without, how can I do that?
(I do not want to provide a custom error-page, in fact I don't care about the body at all, just the response code.)

Thanks in advance:

Gabor Szokoli

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
Re: 401 Unauthorized when failing security constraint of servlet?

Gabor Szokoli wrote:

> Hi,
>
> I have a servlet with a security constraint in its web.xml deployed on
> GlassFish.
> Works great, clients with a trusted certificate can access the
> servlet, and those without see nothing (no response).
>
> But I'd like to play nice and respond with a 401 Unauthorized instead
> of an empty response to those without, how can I do that?
> (I do not want to provide a custom error-page, in fact I don't care
> about the body at all, just the response code.)

reproduce this. Thanks.

> Thanks in advance:
>
> Gabor Szokoli
Re: 401 Unauthorized when failing security constraint of servlet?

On Tue, Jul 15, 2008 at 11:40 AM, V B Kumar Jayanti <Vbkumar.Jayanti@...> wrote:

> Not sure if you have hit some bug. Can you provide a testcase so i can
> reproduce this.

Sure thing.

I'll strip it down a bit, might take a day or two to get to it.

In the meantime I can copy-paste the relevant parts of my domain.xml and web.xml.
Other than the group name assigned to the certificate realm, it's an out of the box "development" installation of 9.1_02 (build b04-fcs) on a debian etch x86, sun java 1.5.0_14. The servlet is the Jersey servlet container from version 0.7, but that shouldn't matter I guess.

XXXX domain.xml XXXX
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm"
            name="certificate">
  <property name="assign-groups" value="authorized"/>
</auth-realm>
XXXX

XXXX web.xml XXXX
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <description />
  <role-name>authorized</role-name>
</security-role>

<security-constraint>
  <display-name>CCF-REST</display-name>
  <web-resource-collection>
    <web-resource-name>CCF_REST</web-resource-name>
    <description></description>
    <url-pattern>/</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>authorized</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description/>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
XXXX
Re: 401 Unauthorized when failing security constraint of servlet?

Well, the rubber duck method worked, trying to reproduce on a minimal example helped me solve the problem:

In my web.xml, I had the security-role and login-config elements outside the security-constraint element.

Oh well, thanks anyway :-)

Szocske

On Tue, Jul 15, 2008 at 1:54 PM, Gabor Szokoli <szocske@...> wrote:
> On Tue, Jul 15, 2008 at 11:40 AM, V B Kumar Jayanti
> <Vbkumar.Jayanti@...> wrote:
>>
>> Not sure if you have hit some bug. Can you provide a testcase so i can
>> reproduce this.
>>
>
> Sure thing.
>
> I'll strip it down a bit, might take a day or two to get to it.
>
> In the meantime I can copy-paste the relevant parts of my domain.xml
> and web.xml.
> Other than the group name assigned to the certificate realm, it's an
> out of the box "development" installation of 9.1_02 (build b04-fcs) on
> a debian etch x86, sun java 1.5.0_14. The servlet is the Jersey
> servlet container from version 0.7, but that shouldn't matter I guess.
>
> XXXX domain.xml XXXX
> <auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm"
>             name="certificate">
>   <property name="assign-groups" value="authorized"/>
> </auth-realm>
> XXXX
>
> XXXX web.xml XXXX
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> <security-role>
>   <description />
>   <role-name>authorized</role-name>
> </security-role>
>
> <security-constraint>
>   <display-name>CCF-REST</display-name>
>   <web-resource-collection>
>     <web-resource-name>CCF_REST</web-resource-name>
>     <description></description>
>     <url-pattern>/</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>HEAD</http-method>
>     <http-method>PUT</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description/>
>     <role-name>authorized</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <description/>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> XXXX
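
Added example, not part of the original thread and not GlassFish or Jersey code: a small Python audit that cross-checks the three web.xml elements discussed above (login-config, security-role, security-constraint). The sample descriptor is constructed from the fragments quoted in the thread, wrapped in an assumed <web-app> root; audit_web_xml and its helpers are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragments quoted in the thread, wrapped in an
# assumed <web-app> root so the text parses as one document.
METHODS = ["GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE"]
SAMPLE_WEB_XML = """<web-app>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>authorized</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
      %s
    </web-resource-collection>
    <auth-constraint><role-name>authorized</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>""" % "".join("<http-method>%s</http-method>" % m for m in METHODS)


def _find(node, name):
    """All elements under node with this local name, ignoring XML namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(node, name):
    """Stripped text of every element called name under node."""
    return [(e.text or "").strip() for e in _find(node, name)]


def audit_web_xml(xml_text):
    """Return a list of findings for a deployment descriptor (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    if "CLIENT-CERT" not in _texts(root, "auth-method"):
        findings.append("login-config does not select CLIENT-CERT")
    declared = {r for sr in _find(root, "security-role") for r in _texts(sr, "role-name")}
    for sc in _find(root, "security-constraint"):
        required = {r for ac in _find(sc, "auth-constraint") for r in _texts(ac, "role-name")}
        for role in sorted(required - declared - {"*"}):
            findings.append("role %r is used in auth-constraint but not declared" % role)
        methods = _texts(sc, "http-method")
        if methods:  # a constraint with http-method entries covers only those methods
            findings.append("constraint covers only: " + ", ".join(methods))
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append("constraint does not require CONFIDENTIAL transport")
    return findings
```

Under the Servlet specification a security-constraint that lists http-method elements applies only to the listed methods, which is why the audit reports the listing so it can be reviewed.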