tomcat-users mailing list archives

From Thomas Hicks <hic...@theriver.com>
Subject Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?
Date Sat, 14 Jul 2007 20:17:33 GMT
At 06:05 PM 7/13/2007, you wrote:

>"Thomas Hicks" <hickst@theriver.com> wrote in message
>news:7.0.1.0.2.20070713141605.0362ec00@theriver.com...
> >I have a web application which uses BASIC authentication.
> >
> > In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> > the protected webapp causes the browser to popup a login box
> > where username and password are entered. This works well, no
> > matter whether passwords are plain or SHA digested and no
> > matter whether I access the protected webapp using the HTTP
> > port or the HTTPS port. It also works with a wide variety of browsers.
> >
> > Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> > not to work anymore. The login box pops up but no username/password
> > combination ever allows access. The login box just clears the entries
> > and one is "stuck" at the login box. Again, I have tried plain and SHA
> > digested passwords in the tomcat-users.xml file with no luck either way.
> > This behavior is the same across different web browsers.
> >
> > The web.xml file for the web application contains the following security
> > configuration portion, which enables password access in 5.0.x but
> > doesn't work in 5.5.x:
> >
> >   <!--                                  -->
> >   <!-- Container-Security Configuration -->
> >   <!--                                  -->
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>Reports Browser</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >       <role-name>*</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
>
>In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
>being treated as 'any authenticated user'.  In TC 5.5 this was fixed to mean
>'any role that is declared in a security-role'.  You can set the attribute
>allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to its
>previous behavior.

Thank you very much!
I didn't actually try reverting the behavior -- I took the other solution implied
by your crucial information; I just declared a security role in my web.xml
file, added that role to the tomcat-users.xml file and BASIC auth
works again. Thanks again for your timely response.
         regards,
         -tom


> >   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
> >   <login-config>
> >     <auth-method>BASIC</auth-method>
> >     <realm-name>Protected Area</realm-name>
> >   </login-config>
> >
> >
> > I have searched online for answers and have reviewed the Servlet 2.4
> > specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> > BASIC authentication is such a well....basic thing that there must be
> > some small change I need to make, between the Tomcat versions, to get
> > this to work again. Any help is greatly appreciated.
> > -tom
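An added check, not from the thread: a small Python script that reads a web.xml and a tomcat-users.xml and reports auth-constraints no user could satisfy under the Tomcat 5.5 reading of `*` (any declared security-role) rather than the Tomcat 5.0 reading (any authenticated user). The sample files, the role name `reports`, and the user entry are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the poster's constraint, '*' with no <security-role>,
# which locks every user out under Tomcat 5.5's Servlet 2.4 semantics.
WEB_XML_BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the fix the poster applied, a declared role (name assumed).
WEB_XML_FIXED = WEB_XML_BROKEN.replace("</web-app>",
    "  <security-role><role-name>reports</role-name></security-role>\n</web-app>")

# Constructed tomcat-users.xml granting that role to one user.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="reports"/>
  <user username="tom" password="placeholder" roles="reports"/>
</tomcat-users>"""


def _strip_ns(root):
    """Drop XML namespaces so tag lookups work on a real, namespaced web.xml."""
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root


def check_constraints(web_xml, tomcat_users_xml):
    """Return findings for auth-constraints that no user could ever satisfy."""
    app = _strip_ns(ET.fromstring(web_xml))
    declared = {rn.text.strip() for sr in app.iter("security-role")
                for rn in sr.iter("role-name")}
    granted = set()
    for user in _strip_ns(ET.fromstring(tomcat_users_xml)).iter("user"):
        granted.update(r.strip() for r in user.get("roles", "").split(",") if r.strip())
    findings = []
    for sc in app.iter("security-constraint"):
        for rn in sc.findall("auth-constraint/role-name"):
            role = rn.text.strip()
            # Tomcat 5.5: '*' = any declared security-role, not any authenticated user.
            effective = declared if role == "*" else {role}
            if not effective:
                findings.append("'*' with no <security-role>: nobody can be authorized")
            elif not (effective & granted):
                findings.append(f"no user holds any of {sorted(effective)}")
    return findings
```

Running it on a deployment's real web.xml and tomcat-users.xml before an upgrade from 5.0 to 5.5 surfaces the lockout the poster hit without waiting for the login box to reject everyone.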




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
