WLS Web Fragment Security Constraint Not Correctly Applied
(Doc ID 2454312.1)
Last updated on JUNE 04, 2021
Applies to:Oracle WebLogic Server - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
On : 220.127.116.11.0 version, WLS-WebServices
Web Fragment Security Constraint not correctly applied
In an enterprise application packaged as an EAR file enclosing a WAR module. The WAR module defines some JAX-RS resources and the related Security Constraints in the web.xml descriptor.
It also has a JAR dependency (packaged in WEB-INF/lib folder) which has some JAX-RS resources and a META-INF/web-fragment.xml file with the SecurityConstraint defined.
If you define in the web-fragment.xml a SecurityConstraint the allows a free access to a JAX-RS resource defined in the JAR file, it won't be interpreted correctly as it will require authentication (HTTP error 401).
If you define the same SecurityConstraint in the web.xml for a JAX-RS resource defined in the JAR file, it will be interpreted correctly as it will allow you to access without authentication.
Below is sample filter fragment:
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document