-
|
Hi, I upgraded an app to deploy on Glassfish 7.0.25 (coming from payara 5); The following snippet in web.xml leads to an basic auth requirement even on the root path of the app: I expected only path to trigger it, but it also triggers on Has there anything changed in that config part? i can access my app under the |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
Hello, @kbachl , would you contact us at https://omnifish.ee/contact-us ? I’d like to know more about your decision to move from Payara to GlassFish and see how we can help you. |
Beta Was this translation helpful? Give feedback.
-
|
This is a known behavioral change related to security constraint evaluation in Jakarta EE 10 (Servlet 6.0). Let me break down what is happening and provide the standard solutions. Why This Is Happening1. Servlet 6.0 StrictnessBetween Servlet 4.0 (Java EE 8) and Servlet 6.0 (Jakarta EE 10), there were major clarifications regarding security constraint matching. In newer containers like GlassFish 7, if a 2. Welcome File InteractionWhen you access SolutionsSolution 1: Explicitly Mark Root as Unprotected (Recommended)The most robust way in Jakarta EE to ensure a path is public is to define a security constraint with NO <!-- 1. Mark Root and Static Assets as Public -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Area</web-resource-name>
<url-pattern>/</url-pattern>
<url-pattern>/index.html</url-pattern>
<url-pattern>/css/*</url-pattern>
<url-pattern>/js/*</url-pattern>
</web-resource-collection>
<!-- NO auth-constraint here makes this section public -->
</security-constraint>
<!-- 2. Protect OData Path -->
<security-constraint>
<web-resource-collection>
<web-resource-name>OData access Path</web-resource-name>
<url-pattern>/odata/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>file</realm-name>
</login-config>
<security-role>
<role-name>Users</role-name>
</security-role>Solution 2: Check your web.xml NamespaceWhen migrating to GlassFish 7, ensure your Correct Jakarta EE 10 Header: <web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
version="6.0">Solution 3: Avoid
|
Beta Was this translation helpful? Give feedback.
This is a known behavioral change related to security constraint evaluation in Jakarta EE 10 (Servlet 6.0). Let me break down what is happening and provide the standard solutions.
Why This Is Happening
1. Servlet 6.0 Strictness
Between Servlet 4.0 (Java EE 8) and Servlet 6.0 (Jakarta EE 10), there were major clarifications regarding security constraint matching. In newer containers like GlassFish 7, if a
<login-config>is present, the container may apply a stricter posture. If a resource (like/) isn't explicitly defined as "Unprotected", the container might fallback to requiring authentication because it doesn't want to leave "uncovered" resources exposed by accident.2. Welcome File Int…