WLS Web Fragment Security Constraint Not Correctly Applied
(Doc ID 2454312.1)
Last updated on JUNE 10, 2024
Applies to:
Oracle WebLogic Server - Version 12.1.3.0.0 and laterInformation in this document applies to any platform.
Symptoms
On : 12.1.3.0.0 version, WLS-WebServices
Web Fragment Security Constraint not correctly applied
In an enterprise application packaged as an EAR file enclosing a WAR module. The WAR module defines some JAX-RS resources and the related Security Constraints in the web.xml descriptor.
It also has a JAR dependency (packaged in WEB-INF/lib folder) which has some JAX-RS resources and a META-INF/web-fragment.xml file with the SecurityConstraint defined.
If you define in the web-fragment.xml a SecurityConstraint the allows a free access to a JAX-RS resource defined in the JAR file, it won't be interpreted correctly as it will require authentication (HTTP error 401).
If you define the same SecurityConstraint in the web.xml for a JAX-RS resource defined in the JAR file, it will be interpreted correctly as it will allow you to access without authentication.
Changes
Below is sample filter fragment:
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Symptoms |
Changes |
Cause |
Solution |
References |