tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?
Date Sat, 14 Jul 2007 01:05:28 GMT

"Thomas Hicks" <> wrote in message
>I have a web application which uses BASIC authentication.
> In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> the protected webapp causes the browser to popup a login box
> where username and password are entered. This works well, no
> matter whether passwords are plain or SHA digested and no
> matter whether I access the protected webapp using the HTTP
> port or the HTTPS port. It also works with a wide variety of browsers.
> Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> not to work anymore. The login box pops up but no username/password
> combination ever allows access. The login box just clears the entries
> and one is "stuck" at the login box. Again, I have tried plain and SHA
> digested passwords in the tomcat-users.xml file with no luck either way.
> This behavior is the same across different web browsers.
> The web.xml file for the web application contains the following security
> configuration portion, which enables password access in 5.0.x but
> doesn't work in 5.5.x:
>   <!--                                  -->
>   <!-- Container-Security Configuration -->
>   <!--                                  -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Reports Browser</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>

In TC 5.0, the special role-name '*' was incorrectly (according to the spec) 
being treated as 'any authenticated user'.  In TC 5.5 this was fixed to mean 
'any role that is declared in a security-role'.  You can set the attribute 
allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to it's 
previous behavior.

>   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Protected Area</realm-name>
>   </login-config>
> I have searched online for answers and have reviewed the Servlet 2.4
> specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> BASIC authentication is such a well....basic thing that there must be
> some small change I need to make, between the Tomcat versions, to get
> this to work again. Any help is greatly appreciated.
> -tom
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message