Why does JBoss generate sessions for requests to secured static resources?
Issue
- Why does JBoss generate sessions for requests to secured static resources? For instance, when we request an unsecured HTML page, no session is generated. But if we request a secured HTML page, a session is generated. Why is this? The page is secured as shown below:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/secured/*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>realm</realm-name>
</login-config>
<security-role>
    <role-name>role</role-name>
</security-role>
Environment
- JBoss Enterprise Application Platform (EAP)
  - 5.x
  - 6.x
