
WLS Web Fragment Security Constraint Not Correctly Applied (Doc ID 2454312.1)

Last updated on JUNE 06, 2022

Applies to:

Oracle WebLogic Server - Version and later
Information in this document applies to any platform.


On : version, WLS-WebServices

Web Fragment Security Constraint not correctly applied

The enterprise application is packaged as an EAR file enclosing a WAR module. The WAR module defines some JAX-RS resources and the related security constraints in the web.xml descriptor.

It also has a JAR dependency (packaged in the WEB-INF/lib folder) that contains some JAX-RS resources and a META-INF/web-fragment.xml file with a SecurityConstraint defined.

If you define in web-fragment.xml a SecurityConstraint that allows free access to a JAX-RS resource defined in the JAR file, it is not interpreted correctly: the resource still requires authentication (HTTP error 401).
If you define the same SecurityConstraint in web.xml for a JAX-RS resource defined in the JAR file, it is interpreted correctly and allows access without authentication.
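
An added example, not part of the Oracle note or of WebLogic: a Python audit that lists the security constraints a WAR declares only in a `META-INF/web-fragment.xml` under `WEB-INF/lib`, which are the ones subject to the behaviour described above. The sample archive, URL patterns, role name and JAR name are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def constraints(xml_bytes):
    """Yield (url_pattern, is_open); is_open means the constraint has no <auth-constraint>."""
    for sc in ET.fromstring(xml_bytes).iter():
        if local(sc.tag) == "security-constraint":
            is_open = not any(local(c.tag) == "auth-constraint" for c in sc)
            for el in sc.iter():
                if local(el.tag) == "url-pattern" and el.text:
                    yield el.text.strip(), is_open

def fragment_only_constraints(war_bytes):
    """Return (jar, url_pattern, is_open) for constraints declared only in a web-fragment.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        has_web = "WEB-INF/web.xml" in war.namelist()
        web = war.read("WEB-INF/web.xml") if has_web else b"<web-app/>"
        in_web_xml = {p for p, _ in constraints(web)}
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if "META-INF/web-fragment.xml" in jar.namelist():
                        frag = jar.read("META-INF/web-fragment.xml")
                        findings += [(name, p, o) for p, o in constraints(frag)
                                     if p not in in_web_xml]
    return findings

def sample_war():
    """Constructed WAR: the paths, role name and JAR name are hypothetical."""
    ns = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
    sc = ("<security-constraint><web-resource-collection><web-resource-name>r</web-resource-name>"
          "<url-pattern>%s</url-pattern></web-resource-collection>%s</security-constraint>")
    auth = "<auth-constraint><role-name>user</role-name></auth-constraint>"
    web = "<web-app %s>%s</web-app>" % (ns, sc % ("/api/*", auth))
    frag = "<web-fragment %s>%s</web-fragment>" % (ns, sc % ("/api/public/*", ""))
    jar_buf, war_buf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/web-fragment.xml", frag)
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", web)
        war.writestr("WEB-INF/lib/shared-resources.jar", jar_buf.getvalue())
    return war_buf.getvalue()

if __name__ == "__main__":
    print(fragment_only_constraints(sample_war()))
```

A finding with `is_open` set to `True` is a fragment constraint intended to permit unauthenticated access; those are the URL patterns to test against the deployed application for an unexpected 401.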


Below is a sample filter fragment:

