tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: tomcat-users.xml
Date Sun, 02 Apr 2000 20:29:32 GMT
Sim IJskes wrote:

> "Craig R. McClanahan" wrote:
> > As Costin said, FileRealmTool does not work and it will not work with 3.1 -- edit
> > tomcat-users.xml file directly for now.  FileRealmTool was part of an experimental
> > that used different conventions for how its XML data was stored, and is not compatible.
> Forgive me if I'm not explicit enough. Again: Does the Basic security
> stuff work? I have big (bug) problems getting it to work, as I'm new
> here I don't know what features do work and don't. No, I'm not talking
> about the FileRealm stuff. Just SecurityCheck and MemoryRealm. B.T.W. I
> did edit the tomcat-users.xml file by hand.

I was able to get basic authentication working by editing the file
"$TOMCAT_HOME/webapps/examples/WEB-INF/web.xml" and changing the <auth-method> element
from FORM to BASIC.  Then, accessing the following URL:


correctly caused the basic authentication dialog to come up, and it correctly rejected all
username/password combinations other than the one defined in the conf/tomcat-users.xml file
(tomcat/tomcat).  If you can find a scenario like this that doesn't work correctly, could
please report it?

In addition, form-based login works at least partially -- it accepts valid logins from the
that is displayed.  However, it currently appears to ignore the <form-error-page> declaration
you enter an invalid username/password, and simply redisplays the login form again.  Digest
SSL based authentication is not currently supported.

Both of the submitted bugs (161 and 162) dealt specifically with FileRealmTool, which is not
going to be supported.  Also, you'll probably need to restart Tomcat after hand editing the
conf/tomcat-users.xml file.

By the way, I just checked in a change to the protected page that comes up when you successfully
logged in, to show you what username you logged in as (that is, the value of
request.getRemoteUser()).  This change will be reflected in the final release.

> Thanks,
> Sim

Craig McClanahan
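
An added example, not part of the original message or of the Tomcat code base: a small Python check that reads a web.xml and a tomcat-users.xml, reports the configured <auth-method>, and flags accounts still using the tomcat/tomcat sample credential mentioned above. The sample XML is constructed, and the `name`/`password`/`roles` attribute layout, the `/protected/*` pattern and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration; not copied from a Tomcat distribution.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/protected/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
SAMPLE_USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="alice" password="c0nstructed-Value-91" roles="tomcat" />
</tomcat-users>"""

KNOWN_SAMPLE_PASSWORDS = {"tomcat"}  # the tomcat/tomcat pair named in the message


def auth_method(web_xml):
    """Return the upper-cased <auth-method> from <login-config>, or None."""
    node = ET.fromstring(web_xml).find("login-config/auth-method")
    return node.text.strip().upper() if node is not None and node.text else None


def weak_users(users_xml):
    """Names of users whose password equals the user name or a sample value."""
    flagged = []
    for user in ET.fromstring(users_xml).iter("user"):
        name, password = user.get("name", ""), user.get("password", "")
        if password.lower() == name.lower() or password.lower() in KNOWN_SAMPLE_PASSWORDS:
            flagged.append(name)
    return flagged


def audit(web_xml, users_xml):
    """Collect findings for one web application and its user file."""
    findings = []
    method = auth_method(web_xml)
    if method is None:
        findings.append("no <auth-method> declared in <login-config>")
    elif method not in ("BASIC", "FORM"):
        findings.append(f"{method}: not one of the methods reported working (BASIC, FORM)")
    elif method == "BASIC":
        findings.append("BASIC: password is only base64-encoded on the wire, require TLS")
    for name in weak_users(users_xml):
        findings.append(f"user '{name}' still has a sample or name-equal password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML, SAMPLE_USERS_XML):
        print(finding)
```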
