Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Apache Tomcat »

Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

Thomas Hicks

2007-07-14

Replies:

At 06:05 PM 7/13/2007, you wrote:

>"Thomas Hicks" <hickst@(protected)
>news:7.0.1.0.2.20070713141605.0362ec00@(protected)...
> >I have a web application which uses BASIC authentication.
> >
> > In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> > the protected webapp causes the browser to popup a login box
> > where username and password are entered. This works well, no
> > matter whether passwords are plain or SHA digested and no
> > matter whether I access the protected webapp using the HTTP
> > port or the HTTPS port. It also works with a wide variety of browsers.
> >
> > Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> > not to work anymore. The login box pops up but no username/password
> > combination ever allows access. The login box just clears the entries
> > and one is "stuck" at the login box. Again, I have tried plain and SHA
> > digested passwords in the tomcat-users.xml file with no luck either way.
> > This behavior is the same across different web browsers.
> >
> > The web.xml file for the web application contains the following security
> > configuration portion, which enables password access in 5.0.x but
> > doesn't work in 5.5.x:
> >
> >  <!--                       -->
> >  <!-- Container-Security Configuration -->
> >  <!--                       -->
> >  <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Reports Browser</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <role-name>*</role-name>
> >   </auth-constraint>
> >  </security-constraint>
> >
>
>In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
>being treated as 'any authenticated user'. In TC 5.5 this was fixed to mean
>'any role that is declared in a security-role'. You can set the attribute
>allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to it's
>previous behavior.

Thank-you very much!
I didn't actually try reverting the behavior -- I took the other
solution implied
by your crucial information; I just declared a security role in my web.xml
file, added that role to the tomcat-users.xml file and BASIC auth
works again. Thanks again for your timely response.
     regards,
     -tom


> >  <!-- Currently using only BASIC authentication. Use with HTTPS. -->
> >  <login-config>
> >   <auth-method>BASIC</auth-method>
> >   <realm-name>Protected Area</realm-name>
> >  </login-config>
> >
> >
> > I have searched online for answers and have reviewed the Servlet 2.4
> > specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> > BASIC authentication is such a well....basic thing that there must be
> > some small change I need to make, between the Tomcat versions, to get
> > this to work again. Any help is greatly appreciated.
> > -tom




---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)

©2008 junlu.com - Jax Systems, LLC, U.S.A.