tomcat-users mailing list archives

From: Carsten Schiller <...@ikom.de>
Subject: JAASRealm, Tomcat 5.5 getting HTTP error page 403 Access denied
Date: Thu, 20 Oct 2005 07:17:05 GMT
Hello!

We are trying to implement a login/security environment using Tomcat 5.5's 
JAASRealm and Struts as an MVC framework.
After login, which fails with the error "HTTP Status 403 - Access to the 
requested resource has been denied", we can navigate manually to our 
output.jsp and use 
...
<%= request.getUserPrincipal() %> , 
...
<%= request.isUserInRole("administrator") %> 
...
<logic:present role="administrator">
Admin present!
</logic:present>

These return the correct username, (true) for isUserInRole, and the logic tag 
also works... 
BUT
Our problem is: we protected *.do in our web.xml to be accessible only by 
users in role "administrator", which fails as described above. 
Why does the login fail, but we still get a valid Subject with Principals, 
and can access the roles on the output.jsp?
We have been stuck for over a week now, reading tutorials, asking Google, but 
with no success... Any ideas would be appreciated!

Our relevant source code:

----------------- Tomcat's server.xml --------------------------------------------------
<Server port="8005" shutdown="SHUTDOWN">
...
  <Service name="Catalina">
...
    <Engine name="Catalina" defaultHost="localhost">
...
        <Realm className="org.apache.catalina.realm.JAASRealm" 
            appName="SimpleLogin" 
            userClassNames="my.strutsLogin.UserPrincipal" 
            roleClassNames="my.strutsLogin.GroupPrincipal"
            useContextClassLoader="false" 
        />
        <Host ...> </Host>
    </Engine>
</Service>
</Server>


---------------------------- web.xml of our Project ------------------------------------
...
  <servlet-name>logonAction</servlet-name>
...
  <servlet-mapping>
    <servlet-name>logonAction</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>logonAction</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JAASRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>

Greetings

Carsten Schiller.
----------------------------------------------------
This e-mail may contain confidential and/or privileged information. If you are not the intended
recipient (or have received this e-mail in error) please notify the sender immediately and
destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.
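A 403 rather than a 401 from Tomcat means the container accepted the credentials and then the realm's role check for the constrained URL failed, so the place to look is what the JAAS LoginModule puts into the Subject during commit() and whether the realm's roleClassNames names exactly that class. The message above does not show the LoginModule, so the following is an added example by the editor, not code from Carsten's project: a minimal two-phase LoginModule for the "SimpleLogin" entry that produces the my.strutsLogin.UserPrincipal and my.strutsLogin.GroupPrincipal instances the realm configuration refers to, with the "administrator" role from the web.xml. The class name SimpleLoginModule, the in-memory credential store and the jaas.config path are assumptions for the illustration.

```java
package my.strutsLogin;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module for the JAAS entry "SimpleLogin" (the realm's appName).
// Tomcat finds it through a JAAS config file, e.g. conf/jaas.config:
//     SimpleLogin { my.strutsLogin.SimpleLoginModule required; };
// passed to the JVM as -Djava.security.auth.login.config=/path/to/jaas.config.
// JAASRealm reads the Subject by class name: a principal whose class is listed
// in userClassNames becomes the user, and getName() of each principal whose
// class is listed in roleClassNames becomes a role; those strings are what
// web.xml's <role-name> and isUserInRole() are compared against.
public class SimpleLoginModule implements LoginModule {

    // Constructed demo store: user -> { password, role... }. A real module
    // would query a directory or database and compare salted password hashes.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] { "correct-horse", "administrator" });
        USERS.put("bob", new String[] { "battery-staple", "user" });
    }
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set by login(), consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: verify the credentials Tomcat's callback handler supplies.
    // Nothing is added to the Subject yet.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) { throw new LoginException("callback failed: " + e); }
        catch (UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String[] entry = USERS.get(name);   // HashMap tolerates a null key
        if (entry == null || pw == null) {
            throw new FailedLoginException("unknown user or empty password");
        }
        byte[] given = new String(pw).getBytes(UTF8);
        Arrays.fill(pw, '\0');
        // Constant-time comparison so response timing does not leak a prefix match.
        if (!MessageDigest.isEqual(given, entry[0].getBytes(UTF8))) {
            throw new FailedLoginException("bad password for " + name);
        }
        user = name;
        return true;
    }

    // Phase 2: populate the Subject. This is the only place JAASRealm learns
    // roles from, so a group principal missing here shows up as a 403 later.
    public boolean commit() {
        if (user == null) { return false; }
        subject.getPrincipals().add(new UserPrincipal(user));
        String[] entry = USERS.get(user);
        for (int i = 1; i < entry.length; i++) {
            subject.getPrincipals().add(new GroupPrincipal(entry[i]));
        }
        return true;
    }

    public boolean abort() { user = null; return true; }

    public boolean logout() {
        for (Iterator<Principal> it = subject.getPrincipals().iterator(); it.hasNext();) {
            Principal p = it.next();
            if (p instanceof UserPrincipal || p instanceof GroupPrincipal) {
                it.remove();
            }
        }
        user = null;
        return true;
    }
}

// Fully qualified names must equal the realm's userClassNames / roleClassNames.
class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
```

Two points a practitioner would check against a setup like the one in the message: with useContextClassLoader="false" the realm loads the LoginModule and principal classes through the server class loader, so they have to be on Tomcat's own classpath rather than only in the web application's WEB-INF; and since the role check compares plain strings, a role that reaches the JSP's isUserInRole() but not the security-constraint is worth confirming by logging the Subject's principals in commit() and comparing their class names and getName() values with the roleClassNames attribute and the web.xml role-name character for character.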