JDBC Realm authentication with single table - glassfish

I tried to make JDBC realm authentication with a single table, but it always redirects me to the login error page.
Here is my settings:
Table (korisnici):
idkorisnika
korIme (it is username)
sifra (it is password)
tipKor (it is role)
Role types are: admin, radnik and klijent
Password in database is hashed as SHA-256
glassfish-resources.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<!-- GlassFish resource definitions: one JDBC resource (the JNDI name the application
     and the JDBC realm look up) backed by one MySQL connection pool. -->
<resources>
<!-- jndi-name must equal the jta-data-source in persistence.xml and the JNDI value
     entered for the realm in the GlassFish console. -->
<jdbc-resource enabled="true" jndi-name="jdbc/rentacarDatasource" object-type="user" pool-name="jdbcRealmPool">
<description/>
</jdbc-resource>
<jdbc-connection-pool allow-non-component-callers="false" associate-with-thread="false" connection-creation-retry-attempts="0" connection-creation-retry-interval-in-seconds="10" connection-leak-reclaim="false" connection-leak-timeout-in-seconds="0" connection-validation-method="auto-commit" datasource-classname="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource" fail-all-connections="false" idle-timeout-in-seconds="300" is-connection-validation-required="false" is-isolation-level-guaranteed="true" lazy-connection-association="false" lazy-connection-enlistment="false" match-connections="false" max-connection-usage-count="0" max-pool-size="32" max-wait-time-in-millis="60000" name="jdbcRealmPool" non-transactional-connections="false" pool-resize-quantity="2" res-type="javax.sql.ConnectionPoolDataSource" statement-timeout-in-seconds="-1" steady-pool-size="8" validate-atmost-once-period-in-seconds="0" wrap-jdbc-objects="false">
<property name="URL" value="jdbc:mysql://localhost:3306/rentacar?zeroDateTimeBehavior=convertToNull"/>
<!-- NOTE(review): the pool connects as the MySQL root account with an empty password, and
     both the JPA unit and the realm's credential lookups run through it. A dedicated
     account holding only the privileges the application needs on the rentacar schema,
     with a real password, limits what a compromised web tier can do to the database. -->
<property name="User" value="root"/>
<property name="Password" value=""/>
</jdbc-connection-pool>
</resources>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<!-- GlassFish web descriptor: maps each security role declared in web.xml to a realm group.
     The JDBC realm takes group names from the tipKor column of korisnici, so every
     group-name below must equal one of the values stored there (admin, radnik, klijent),
     exactly and case-sensitively. -->
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>klijent</role-name>
<group-name>klijent</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>radnik</role-name>
<group-name>radnik</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<!-- Keeps the generated JSP servlet sources on disk; a development convenience only. -->
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
web.xml
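<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <!-- Deployment descriptor for the rentacar JSF application: Faces servlet, three
       role-restricted URL spaces (admin, radnik, klijent) and container FORM login
       against the GlassFish JDBC realm named below. -->
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
  </context-param>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>
      30
    </session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>faces/index.xhtml</welcome-file>
  </welcome-file-list>
  <!-- Every constraint below enumerates only GET and POST. On its own that leaves the
       other verbs (HEAD, PUT, DELETE, OPTIONS, TRACE) on the same URL patterns
       uncovered: no role check and no CONFIDENTIAL transport. deny-uncovered-http-methods,
       available since Servlet 3.1 (the version this descriptor declares), makes the
       container reject those verbs instead. -->
  <deny-uncovered-http-methods/>
  <security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <description/>
      <url-pattern>/faces/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description/>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>RadnikConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>radnik</web-resource-name>
      <description/>
      <url-pattern>/faces/radnik/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>radnik</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description/>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>KlijentConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>klijent</web-resource-name>
      <description/>
      <url-pattern>/faces/klijent/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>klijent</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description/>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <!-- Selects the realm configured in the GlassFish console. NOTE(review): the question
         states the stored passwords are SHA-256 digests while the realm's password
         algorithm is set to AES; a realm can only verify passwords with the algorithm
         that was used to store them, so that mismatch would reject every login and is
         the first thing to align. -->
    <realm-name>jdbc-realm</realm-name>
    <form-login-config>
      <form-login-page>/faces/login.xhtml</form-login-page>
      <form-error-page>/faces/loginerror.xhtml</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Role names here must match the role-name side of each security-role-mapping
       in glassfish-web.xml, which in turn maps them to realm groups. -->
  <security-role>
    <description/>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description/>
    <role-name>radnik</role-name>
  </security-role>
  <security-role>
    <description/>
    <role-name>klijent</role-name>
  </security-role>
</web-app>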
persistence.xml
<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
<!-- JPA unit of the application. jta-data-source is the JNDI name declared in
     glassfish-resources.xml; the JDBC realm is pointed at the same datasource, so the
     entity access and the realm's credential lookups share one database account. -->
<persistence-unit name="RentacarPU" transaction-type="JTA">
<jta-data-source>jdbc/rentacarDatasource</jta-data-source>
<exclude-unlisted-classes>false</exclude-unlisted-classes>
<properties/>
</persistence-unit>
</persistence>
login form
<!-- Container-managed FORM login. The action j_security_check and the field names
     j_username / j_password are fixed by the Servlet specification: the container,
     not the application, consumes this POST and checks the realm named in web.xml.
     NOTE(review): containers complete a form login only for a request that began as an
     attempt to reach a protected resource; opening login.xhtml directly and submitting
     can also end on the error page, so test via a protected URL first. -->
<p:panel header="Login From">
<form method="POST" action="j_security_check">
Username: <input type="text" name="j_username" />
Password: <input type="password" name="j_password" />
<input type="submit" value="Login" />
<input type="reset" value="Reset" />
</form>
</p:panel>
Here is properties for jdbc-realm in glassfish console:
JAAS Context: jdbcRealm
JNDI: jdbc/rentacarDatasource
User Table: korisnici
User Name Column: korIme
Password Column: sifra
Group Table: korisnici
Group Table User Name Column: korIme
Group Name Column: tipKor
Password Encryption Algorithm: AES
Charset: UTF-8
Every time I try to log in as any type of user, it redirects me to loginerror.xhtml.
Can someone help me solve this problem?

Related

How to create authorization roles from OIDC token in WebSphere Liberty server application using social login feature?

I am trying to implement role-based authorization in an application running on a WebSphere / Open Liberty server. Authentication is implemented using an OIDC token and the social-login feature, and it is working fine. I am struggling to create roles from the JWT token and, depending on those, to authorize access to different servlets.
My server.xml -
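<server description="new server">
  <!-- Enable features -->
  <featureManager>
    <feature>appSecurity-3.0</feature>
    <feature>socialLogin-1.0</feature>
    <feature>microProfile-4.1</feature>
    <feature>jsp-2.3</feature>
    <feature>localConnector-1.0</feature>
  </featureManager>
  <logging traceSpecification="*=info" consoleLogLevel="INFO"/>
  <!-- Social login against the OIDC provider. userNameAttribute names the claim used as the
       principal name; groupNameAttribute names the claim whose value(s) become the user's
       group names. With the token shown in the question the "role" claim is the string
       "admin-role", so the authenticated user ends up in a group called "admin-role". -->
  <oidcLogin clientId="${clientId}"
             clientSecret="${clientSecret}"
             discoveryEndpoint="${oAuthServerUrl}/.well-known/openid-configuration"
             id="liberty-aad-oidc-javaeecafe" signatureAlgorithm="RS256"
             userNameAttribute="email" groupNameAttribute="role"/>
  <!-- NOTE(review): matchType="contains" is a substring match on the request URL; confirm
       that "/*" selects the intended requests rather than only URLs containing a literal "/*". -->
  <authFilter id="myAuthFilter">
    <requestUrl id="myRequestUrl" matchType="contains"
                urlPattern="/*" />
  </authFilter>
  <keyStore id="defaultKeyStore"
            password="${env.keystore_password}" />
  <!-- Password redacted in the question; as for defaultKeyStore, a variable keeps it out of
       the checked-in server.xml. -->
  <keyStore id="mytruststore"
            location="${server.config.dir}/mytruststore.jks" password="****" />
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustDefaultCerts="true" trustStoreRef="mytruststore" />
  <applicationManager autoExpand="true" />
  <httpEndpoint host="*" httpPort="9080" httpsPort="9443"
                id="defaultHttpEndpoint" />
  <!-- Same claim-to-group rule for bearer-token (MicroProfile JWT) requests. -->
  <mpJwt id="myMpJwt"
         jwksUri="${oAuthServerUrl}/publickeys"
         issuer="${oAuthServerUrl}"
         authFilterRef="myAuthFilter" groupNameAttribute="role"/>
  <applicationMonitor updateTrigger="mbean" />
  <applicationMonitor dropinsEnabled="false"/>
  <webApplication contextRoot="/" id="oidcsampleapp"
                  location="oidcsampleapp-1.0.0.war" name="oidcsampleapp" >
    <application-bnd>
      <!-- Binds the application's security role to the group derived from the token. The
           group name has to equal the value of the claim named by groupNameAttribute, i.e.
           "admin-role", not the shortened "admin" the original binding used; a binding to
           a group the user is not in yields exactly the access-denied behaviour described. -->
      <security-role name="admin-role">
        <group name="admin-role" />
      </security-role>
      <!-- <security-role name="admin">
      <special-subject type="ALL_AUTHENTICATED_USERS" />
      </security-role> -->
    </application-bnd>
  </webApplication>
</server>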
When using the commented-out binding above, the request is forwarded to the application; otherwise access is denied. I am trying to create the security principal role "admin-role", which comes along with the JWT token.
Web.xml security configuration -
<!-- Declares the roles the application uses; how each maps to a group is decided by the
     application-bnd in server.xml, not here. user-role is declared but not referenced
     by the constraint below (presumably used elsewhere in the descriptor). -->
<security-role>
<role-name>admin-role</role-name>
</security-role>
<security-role>
<role-name>user-role</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminServlet</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<!-- Only these four verbs are constrained; HEAD, OPTIONS and TRACE on /admin/* are left
     uncovered (no role check). Drop the http-method list to cover every verb, or add
     deny-uncovered-http-methods if the web-app version is 3.1 or later (the version is
     not visible in this excerpt). -->
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
<!-- NONE: the bearer token / OIDC session is accepted over plain HTTP on port 9080 too. -->
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The roles defined above are part of the JWT token from the OIDC server and are referenced in server.xml.
<!-- Second copy of the descriptor excerpt, differing only in the name of the unused
     second role (appuser-role). The same remarks apply: the group binding lives in
     server.xml, and the http-method list leaves HEAD, OPTIONS and TRACE on /admin/*
     uncovered. -->
<security-role>
<role-name>admin-role</role-name>
</security-role>
<security-role>
<role-name>appuser-role</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminServlet</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
JWT token received:
{
"iss": https://xxxxx.xxxxx,
"exp": 1665245032,
"aud": [
"931280e3-xxxx-xxxx-xxxxx-xxxxxxx"
],
"sub": "xxxxx-xxxx-xxxxxxx-xxxx-xxxxxxxxx",
"amr": [
"saml"
],
"iat": 1665241432,
"tenant": "xxxxxxxxx",
"scope": "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated",
"role": "admin-role",
"surname": "Basu",
"groups": [
"014a0054-942f-4c20-a6e0-235dd906ca1c"
],
"entityID": https://sts.windows.net/81fa766e-a349-4867-8bf4-ab35e250a08f/
}

Ldap Authentication via Glassfish 4 gives forbidden access

When trying to log in as a user registered in the LDAP server, a wrong username or password correctly redirects to the error page; however, when they are correct, the user is not granted access and the following error is shown:
HTTP Status 403 - Forbidden.
I'm coding my pages in JSF.
My Glassfish console looks like this.
My web.xml like this :
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<!-- JSF application protected as a whole: every URL requires one of three roles,
     authenticated by container FORM login against the GlassFish LDAP realm. -->
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<!-- Role names are case-sensitive and must match the role-name side of each
     security-role-mapping in sun-web.xml exactly; the author's own fix (see below)
     was the letter case of these names. -->
<security-role>
<description>all the users with the role Admin</description>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<description>all the users that are authenticated</description>
<role-name>LOGGEDIN_USER</role-name>
</security-role>
<security-role>
<description>all the users that are moderators/extended rights</description>
<role-name>MODERATOR</role-name>
</security-role>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>Secured resources</web-resource-name>
<!-- No http-method list, so the constraint covers every verb on every path. -->
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>LOGGEDIN_USER</role-name>
<role-name>ADMIN</role-name>
<role-name>MODERATOR</role-name>
</auth-constraint>
<!-- NOTE(review): with NONE the FORM credentials (j_username / j_password) are posted
     over plain HTTP; CONFIDENTIAL is the setting to use wherever TLS is available. -->
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<!-- Must equal the name of the LDAP realm configured in the GlassFish console. -->
<realm-name>ldapRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
</web-app>
My sun-web.xml has this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<!-- GlassFish (Sun-era) web descriptor: maps each web.xml role to a group as reported by
     the LDAP realm. group-name values must equal the directory group names the realm
     resolves for the user; role-name values must equal the web.xml role names, including
     letter case. -->
<sun-web-app error-url="">
<context-root>/</context-root>
<security-role-mapping>
<role-name>LOGGEDIN_USER</role-name>
<group-name>default</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>MODERATOR</role-name>
<group-name>moderatoren</group-name>
</security-role-mapping>
<!-- NOTE(review): ADMIN is granted to members of the directory group "root"; confirm
     that group is as narrowly populated as the application's admin role requires. -->
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>root</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated
servlet class' java code.</description>
</property>
</jsp-config>
</sun-web-app>
I solved it.
The problem was the uppercase letters in the role names in web.xml.

Authentication of java melody integration with LDAP

I am using the following filter in the web.xml of my application; with it I get authentication on the JavaMelody page.
How can I integrate this authentication with LDAP? When I log in at localhost:8080/application/monitoring, it asks for credentials, and they should be validated against LDAP.
Is it possible to achieve this?
<!-- JavaMelody monitoring filter with its own built-in access control (address allow-list
     plus a static user list), mapped to every request. -->
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<!-- allowed-addr-pattern is a regular expression matched against the client address. The
     three alternatives overlap: 10\.10\.10\..* already covers 10\.10\.10\.10 and is listed
     twice. NOTE(review): behind a proxy or load balancer the client address the filter
     sees is the proxy's, so this check alone does not identify the caller. -->
<init-param>
<param-name>allowed-addr-pattern</param-name>
<param-value>10\.10\.10\..*|10\.10\.10\.10|10\.10\.10\..*</param-value>
</init-param>
<!-- NOTE(review): authorized-users stores clear-text passwords in web.xml, which ships in
     the WAR and usually in source control. Delegating to the container realm (the LDAP
     integration the question asks for) removes them from the descriptor entirely. -->
<init-param>
<param-name>authorized-users</param-name>
<param-value>user1:pwd1, user2:pwd2</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>net.bull.javamelody.SessionListener</listener-class>
</listener>
The following is the configuration that needs to be done in web.xml and
1. server.xml in the case of Tomcat
2. jetty.xml in the case of Jetty
web.xml code:
==============
<!-- JavaMelody filter restricted to the loopback address and to /monitoring only;
     authentication is delegated to the container's BASIC realm declared further down. -->
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<!-- NOTE(review): 127.0.0.1 matches only an IPv4 loopback peer. If the server is reached over
     IPv6 the loopback address is rendered differently (::1 style) and would be rejected, and
     behind a reverse proxy the peer address is the proxy's, not the user's. Confirm this
     matches how the deployment is actually reached. -->
<init-param>
<param-name>allowed-addr-pattern</param-name>
<param-value>127.0.0.1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/monitoring</url-pattern>
</filter-mapping>
<listener>
<listener-class>net.bull.javamelody.SessionListener</listener-class>
</listener>
<!-- BASIC sends the credentials base64-encoded with every request, so the CONFIDENTIAL
     constraint commented out below should be enabled as soon as TLS is configured.
     realm-name must match the Jetty login service name (or is informational on Tomcat). -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Monitoring</realm-name>
</login-config>
<!-- The realm (Tomcat JNDIRealm or Jetty LDAP login module) must return "tomcat" as one of
     the user's roles/groups for access to be granted. -->
<security-role>
<role-name>tomcat</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Monitoring</web-resource-name>
<url-pattern>/monitoring</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
<!-- if SSL enabled (SSL and certificate must then be configured in the
server) <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
</security-constraint>
In Tomcat:
===========
Add the following realm in tomcat_home/conf/server.xml
=======================================================
<!-- Tomcat JNDIRealm: finds the user entry by uid under userBase, binds as that user to
     verify the password, and reads role names from the cn of group entries under roleBase
     whose memberUid lists the user. ldapip and ldapport are placeholders.
     NOTE(review): an ldap:// URL carries the user bind, password included, in clear text;
     prefer ldaps:// (or TLS) where the directory supports it. The debug attribute is a
     legacy setting that current Tomcat releases presumably ignore; confirm for the version
     in use. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://ldapip:ldapport/" userSubtree="true"
userBase="ou=xyz,dc=abc,dc=com" userSearch="(uid={0})"
roleBase="ou=Group,dc=abc,dc=com" roleName="cn"
roleSearch="(memberUid={0})" roleSubtree="true"/>
In Jetty:
===========
Add this code in jetty.xml
<!-- Jetty context configuration: deploys abc.war at /abc and wires a JAAS login service
     into the context's security handler. The service name ("Monitoring") must equal the
     realm-name in web.xml, and loginModuleName selects the entry in login.conf
     (ldaploginmodule). -->
<Configure id='wac' class="org.eclipse.jetty.webapp.WebAppContext">
<Set name="contextPath">/abc</Set>
<Set name="war"><Property name="jetty.webapps" default="."/>/abc.war</Set>
<Set name="extractWAR">true</Set>
<Set name="securityHandler">
<New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.jaas.JAASLoginService">
<Set name="name">Monitoring</Set>
<Set name="loginModuleName">ldaploginmodule</Set>
</New>
</Set>
</New>
</Set>
</Configure>
Create a login.conf file in the etc folder of the jetty_base directory:
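// JAAS entry referenced by loginModuleName in jetty.xml. Verifies the password by binding
// to the directory as the user (forceBindingLogin) and resolves roles from posixGroup
// entries whose memberUid lists the user.
ldaploginmodule {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
// Logs bind and search details; switch off outside troubleshooting.
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
// Placeholders from the answer; replace with the directory's host and port.
// NOTE(review): as written the user bind presumably travels over plain LDAP; check the
// module's TLS/LDAPS options before using this against a production directory.
hostname="ldapip"
port="ldapport"
// Fixed: the option was spelled "authenticationmenthod", which the module never reads.
// The key is authenticationMethod; since the module's default is "simple" the misspelling
// was most likely ignored silently rather than failing.
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="ou=People,dc=abc,dc=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userObjectClass="posixAccount"
roleBaseDn="ou=Group,dc=abc,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="memberUid"
roleObjectClass="posixGroup";
};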

unresolved error javax.security.jacc ldap + glassfishserver

I am getting the following error, which, in my opinion, leads to a "request not granted" response from the GlassFish server even after a successful login using LDAPRealm.
How can I resolve this?
(unresolved javax.security.jacc.WebUserDataPermission /* null)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission/*!DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
my web.xml looks like:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- JSF application where every URL requires the USERS role, authenticated by container
     FORM login against the GlassFish LDAP realm. -->
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.push.jms.enabled</param-name>
<param-value>false</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
180
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>/faces/welcome.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Access</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- All seven verbs are listed, so nothing is left uncovered (Servlet 3.0 has no
     deny-uncovered-http-methods; omitting the list would have the same effect). -->
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<!-- NOTE(review): a 403 after a successful login usually means USERS is not mapped to any
     group the LDAP realm returns for the user (security-role-mapping in glassfish-web.xml /
     sun-web.xml, or the realm's default principal-to-role mapping); that descriptor is not
     shown here. The "unresolved" permission lines in the question are the container
     listing the JACC permissions it derived from this descriptor, not by themselves the
     cause of the denial. -->
<auth-constraint>
<role-name>USERS</role-name>
</auth-constraint>
<!-- No user-data-constraint: the FORM credentials are accepted over plain HTTP. -->
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAPRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>USERS</role-name>
</security-role>
</web-app>

Authentication without Role in web.xml in JBoss AS 7

For a RESTful enterprise application I need all calls to be authenticated, but I cannot provide a common group/role that all users of the system have. I authenticate and authorize over LDAP (which should not make a difference for this issue).
If I leave the elements commented out as in the web.xml below, I do not get any authentication at all. How can I have authentication without needing a common role? An empty auth-constraint does not work either.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- RESTEasy application meant to require BASIC authentication on every call. -->
<context-param>
<!-- fpe: This one is necessary. -->
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>Resteasy</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- Only these four verbs are constrained; HEAD, OPTIONS and TRACE on /* stay uncovered
     (Servlet 3.0 has no deny-uncovered-http-methods, so omit the list to cover all verbs). -->
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<!-- With auth-constraint commented out the constraint carries no authorization rule, so
     the container never challenges for credentials even though login-config is present;
     that is the "no authentication at all" the question describes. -->
<!-- <auth-constraint> -->
<!-- <role-name>*</role-name> -->
<!-- </auth-constraint> -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Login</realm-name>
</login-config>
<!-- <security-role> -->
<!-- <role-name>the_common_role</role-name> -->
<!-- </security-role> -->
</web-app>
Using the * properly does the trick:
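<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <!-- RESTEasy application requiring BASIC authentication, over TLS, for every call
       without a common application role. -->
  <context-param>
    <!-- fpe: This one is necessary. -->
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
  </context-param>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resteasy</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements: the constraint then applies to every verb. The original
           listed only GET, POST, PUT and DELETE, which left HEAD, OPTIONS and TRACE on /*
           both unauthenticated and outside the CONFIDENTIAL guarantee; Servlet 3.0 has no
           deny-uncovered-http-methods, so omitting the list is the way to close that gap. -->
    </web-resource-collection>
    <!-- "*" means "any role declared in a security-role element"; together with the
         security-role "*" below the answer reports this admits every authenticated user
         on JBoss AS 7. -->
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <!-- BASIC credentials ride along on every request, so TLS is required here. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Login</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
</web-app>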
You should use double asterisks (if you're using Servlet 4.0+):
<!-- "**" admits any authenticated user regardless of role, which is exactly what this
     question needs; it is defined by the Servlet 3.1 specification. "*" by contrast only
     means "any role declared in a security-role element". -->
<auth-constraint>
<role-name>**</role-name>
</auth-constraint>
See: https://stackoverflow.com/a/73899071/562644