
why am I getting "Error 403: AuthorizationFailed" in this simple WebSphere example web.xml?


I'm using WebSphere 7. I have a simple example set up with web.xml as shown below.

This is how I test it:

  1. I start with no user and no group in WebSphere

  2. I try to access the page (/restricted/topsecret.html) I'm prompted to log in. I cannot.

  3. I add a user/password "rob/password" using the WebSphere admin console. I can now log in, but I cannot see the page. I get a "403: AuthorizationFailed" error.

  4. I add a group called "ROLE1" and I assign that group to user "rob" using the WebSphere admin console. I restart firefox, I can still log in but I still get the "403" error.

  5. I wrote a little JSP (below) to output the logged in username, but even after logging the username is still null.

Any idea what I'm doing wrong?? Thanks!

Rob

<security-constraint>
  <web-resource-collection>
    <web-resource-name>page test 1</web-resource-name>
    <url-pattern>/restricted/topsecret.html</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

usertest.jsp

<%@ page session="true" %>
Logged in username = '<%= request.getRemoteUser() %>' <%-- is always null --%>
<p/>
Logged in username = '<%= request.getUserPrincipal() %>' <%-- is always null --%>

Solution

  • There are three levels of security

    1. Administration level
    2. Application level
    3. Java 2 level

    I am assuming you have turned on Application level (it sounds like you have it turned on, but I would want to check).

    Is the usertest.jsp secured?

    Did you restart the application after mapping Roles to users?

    The code in the JSP: the first line doesn't look good syntactically. I am assuming a typo.
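As an added example (not the asker's web.xml, and not something the answerer posted), here is the same constraint filled out into a complete deployment descriptor: the URL pattern is widened so a usertest.jsp placed under /restricted/ is protected too, and the ROLE1 declaration and login-config that the fragment above omits are present. BASIC authentication, the realm name and the JSP's location under /restricted/ are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the asker's original web.xml. Assumes a Java EE 5 web app
     (WebSphere 7), BASIC authentication and a placeholder realm name "restricted". -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>page test 1</web-resource-name>
      <!-- Cover the whole directory so usertest.jsp (assumed to live under
           /restricted/) is protected as well. On an unprotected page the
           container is not required to authenticate the request, so
           getRemoteUser() may legitimately return null there. -->
      <url-pattern>/restricted/*</url-pattern>
      <!-- No <http-method> elements: listing only GET and POST would leave
           every other method (HEAD, PUT, ...) unconstrained. Omitting them
           applies the constraint to all methods. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>ROLE1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container challenges the user; BASIC is assumed here. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>restricted</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint must also be declared here;
       the role-to-user/group mapping in the admin console is done against
       these declared roles. -->
  <security-role>
    <role-name>ROLE1</role-name>
  </security-role>
</web-app>
```

After changing the descriptor, redeploy (or restart) the application and map ROLE1 to the ROLE1 group in the admin console, since the mapping is applied at deployment time.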