Java Mailing List Archive

http://www.junlu.com/


Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

Bill Barker

2007-07-13

"Thomas Hicks" <hickst@(protected)
news:7.0.1.0.2.20070713141605.0362ec00@(protected)...
>I have a web application which uses BASIC authentication.
>
> In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> the protected webapp causes the browser to popup a login box
> where username and password are entered. This works well, no
> matter whether passwords are plain or SHA digested and no
> matter whether I access the protected webapp using the HTTP
> port or the HTTPS port. It also works with a wide variety of browsers.
>
> Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> not to work anymore. The login box pops up but no username/password
> combination ever allows access. The login box just clears the entries
> and one is "stuck" at the login box. Again, I have tried plain and SHA
> digested passwords in the tomcat-users.xml file with no luck either way.
> This behavior is the same across different web browsers.
>
> The web.xml file for the web application contains the following security
> configuration portion, which enables password access in 5.0.x but
> doesn't work in 5.5.x:
>
>  <!--                       -->
>  <!-- Container-Security Configuration -->
>  <!--                       -->
>  <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Reports Browser</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
>  </security-constraint>
>

In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
being treated as 'any authenticated user'. In TC 5.5 this was fixed to mean
'any role that is declared in a security-role'. You can set the attribute
allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to its
previous behavior.

>  <!-- Currently using only BASIC authentication. Use with HTTPS. -->
>  <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Protected Area</realm-name>
>  </login-config>
>
>
> I have searched online for answers and have reviewed the Servlet 2.4
> specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> BASIC authentication is such a well....basic thing that there must be
> some small change I need to make, between the Tomcat versions, to get
> this to work again. Any help is greatly appreciated.
> -tom
>




---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
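Both remedies from the reply above, spelled out as an added example that is not from the original thread or from Tomcat's own documentation: the spec-compliant fix declares the roles that '*' expands to in web.xml, and the compatibility fix sets allRolesMode on the Realm. The security-constraint and login-config are Tom's; the role name reports-user, the user entry, and the UserDatabaseRealm element are assumptions made for the example.

```xml
<!-- web.xml, spec-compliant fix for Servlet 2.4 / Tomcat 5.5.
     With <role-name>*</role-name>, Tomcat 5.5 grants access only to roles
     declared in a <security-role>. With none declared, no user can ever
     match, so the browser re-prompts for ever. Declaring the role fixes it.
     The role name "reports-user" is an assumption for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports Browser</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>   <!-- in 5.5: any role declared below -->
  </auth-constraint>
  <!-- BASIC sends the password base64-encoded, not encrypted. Force TLS
       here instead of relying on the "use with HTTPS" comment. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected Area</realm-name>
</login-config>

<!-- The set that "*" expands to. Users in tomcat-users.xml need one of these. -->
<security-role>
  <role-name>reports-user</role-name>
</security-role>

<!-- tomcat-users.xml, matching entry (username and password are made up). -->
<tomcat-users>
  <role rolename="reports-user"/>
  <user username="tom" password="changeit" roles="reports-user"/>
</tomcat-users>

<!-- server.xml (or the webapp's context.xml), compatibility fix instead of
     declaring roles. allRolesMode="authOnly" makes "*" mean "any
     authenticated user" again, as in Tomcat 5.0. The Realm shown is an
     assumed UserDatabaseRealm backed by tomcat-users.xml; only the
     allRolesMode attribute is the point. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"
       allRolesMode="authOnly"/>
```

Pick one. Declaring the roles is what the spec means by '*', and it keeps the granted set visible in web.xml. allRolesMode="authOnly" restores the 5.0 behaviour for every webapp under that Realm, so any authenticated user gets in regardless of role; that is convenient for a migration but widens access if other roles (for example an admin role) share the same Realm. In either case the CONFIDENTIAL transport guarantee is what keeps the BASIC credentials from crossing the wire in the clear.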

©2008 junlu.com - Jax Systems, LLC, U.S.A.