
WLS Web Fragment Security Constraint Not Correctly Applied (Doc ID 2454312.1)

Last updated on SEPTEMBER 25, 2020

Applies to:

Oracle WebLogic Server - Version 12.1.3.0.0 and later
Information in this document applies to any platform.

Symptoms

On version 12.1.3.0.0, WLS-WebServices:

Web Fragment Security Constraint not correctly applied

The issue occurs in an enterprise application packaged as an EAR file enclosing a WAR module. The WAR module defines some JAX-RS resources and the related security constraints in the web.xml descriptor.

It also has a JAR dependency (packaged in the WEB-INF/lib folder) which contains some JAX-RS resources and a META-INF/web-fragment.xml file with a SecurityConstraint defined.

If you define in the web-fragment.xml a SecurityConstraint that allows free access to a JAX-RS resource defined in the JAR file, it is not interpreted correctly: the resource still requires authentication (HTTP error 401).
If you define the same SecurityConstraint in the web.xml for a JAX-RS resource defined in the JAR file, it is interpreted correctly and the resource can be accessed without authentication.
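
To find where an application depends on the behaviour described above, the following added example (not Oracle's code and not part of the original note) scans a WAR for security constraints without an `auth-constraint` that appear only in a JAR's META-INF/web-fragment.xml and not in WEB-INF/web.xml. The function names, the sample descriptors and the `/api/...` URL patterns are constructed for illustration; the script assumes the WAR has already been extracted from the EAR.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace, which varies by Servlet version

def open_patterns(xml_bytes):
    """URL patterns of security-constraints that carry no auth-constraint."""
    found = set()
    for sc in ET.fromstring(xml_bytes).iter():
        is_constraint = local(sc.tag) == "security-constraint"
        if is_constraint and not any(local(c.tag) == "auth-constraint" for c in sc):
            found.update(e.text.strip() for e in sc.iter()
                         if local(e.tag) == "url-pattern" and e.text)
    return found

def fragment_only_open_patterns(war_bytes):
    """Per WEB-INF/lib JAR: open patterns in web-fragment.xml that web.xml lacks."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        has_main = "WEB-INF/web.xml" in names
        main = open_patterns(war.read("WEB-INF/web.xml")) if has_main else set()
        for name in names:
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                if "META-INF/web-fragment.xml" not in jar.namelist():
                    continue
                missing = open_patterns(jar.read("META-INF/web-fragment.xml")) - main
                if missing:
                    findings[name] = sorted(missing)
    return findings

def make_zip(entries):
    """Build an in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample: web.xml protects /api/*, the JAR's fragment opens /api/public/*.
NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
OPEN = ("<security-constraint><web-resource-collection><web-resource-name>pub"
        "</web-resource-name><url-pattern>/api/public/*</url-pattern>"
        "</web-resource-collection></security-constraint>")
FRAGMENT = f"<web-fragment {NS}>{OPEN}</web-fragment>"
WEB_XML = (f"<web-app {NS}><security-constraint><web-resource-collection>"
           "<web-resource-name>all</web-resource-name><url-pattern>/api/*</url-pattern>"
           "</web-resource-collection><auth-constraint><role-name>user</role-name>"
           "</auth-constraint></security-constraint></web-app>")
SAMPLE_WAR = make_zip({"WEB-INF/web.xml": WEB_XML,
                       "WEB-INF/lib/resources.jar": make_zip({"META-INF/web-fragment.xml": FRAGMENT})})
```

Patterns are compared as exact strings, so a broader open pattern in web.xml that already covers a fragment's pattern is still reported and needs a manual look.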

Changes

Below is sample filter fragment - 

Cause
