Hello Cédric,
sorry for the delay. Well - it depends on what you want, what you user population is and what you your business requirements are.
For example - if you have a site which is targeting all internet users using "
Authenticate when any URI is accessed" is not an option as you are locking out everybody who is not in your user registry. On the other side - if you are running an internal site and you know that all resources must be protected "
Authenticate when any URI is accessed" is an option as you are not relying on the application settings regarding secured resources but are configuring that on the cell level.
Hope that helps and clarifies. Have a Happy New Year - Hermann
------------------------------
Hermann Huebler
------------------------------
Original Message:
Sent: 12-21-2018 03:47 AM
From: Cédric A
Subject: Web and SIP security - URL security
Hello Hermann,
Thanks for your answer
So "Authenticate when any URI is accessed" is the best solution or rather the most secure solution ?
And the only test that can be done in "prod" to verify the effect of this parameter is that the application will require authentication each time?
------------------------------
Cédric A
Original Message:
Sent: 12-21-2018 03:37 AM
From: Hermann Huebler
Subject: Web and SIP security - URL security
Hello Cedric,
the documentation says here:
Authenticate only when the URI is protected
The application server challenges the web client to provide authentication data when the web client accesses a Uniform Resource Identifier (URI) that is protected by a Java™ Platform, Enterprise Edition (Java EE) role. The authenticated identity is available only when the web client accesses a protected URI.
i.e only if the application defines a resource as protected the client is challenged to authenticate. Via certificate, SAML, Form-Login etc. whatever authentication mechanism is in place. An application can protect resources for example via security constraints in web.xml (https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html) or via annotations in the servlet code like for example:
@DeclareRoles("snooprole")
@ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.NONE, rolesAllowed={"snooprole"}))
In both cases you have to map the roles at deployment time to users, groups or special subjects.
On the other hand
Authenticate when any URI is accessed
The web client must provide authentication data regardless of whether the URI is protected.
In this case the user is challenged to authenticate no matter of there are security constraints defined for the URI or not. So accessing any servlet challenges the user.
Note: Global and application security must be enabled to these settings to be active!
Hope that helps.
------------------------------
Hermann Huebler
Original Message:
Sent: 12-20-2018 07:58 AM
From: Cédric A
Subject: Web and SIP security - URL security
Hello everybody
Can you tell me the best solution for the parameters below :
...And if it's possible, how to check during a test scenario the difference between these two parameters ? (Authenticate only when the URI is protected AND Authenticate when any URI is accessed )
Thanks for your help.
------------------------------
Cédric A
------------------------------