tomcat-users mailing list archives

From "Kehlenbach, Andreas" <>
Subject Is tomcat UserDatabaseRealm buggy?
Date Wed, 26 Nov 2014 10:42:58 GMT

I think I found the following bug in tomcat 7/8 with the following setup:

We use tomcat 7.0.42 (but I also tried 7.0.55 and 8.0.15 without success) and deployed a web service
with jersey 1.18.2. Additionally we set up HTTP authentication, in our case DIGEST authentication,
but I also tried BASIC authentication and the observed behavior is the same.
We have a web service with login and logout methods, as well as some other methods which can
only be invoked if a login request was made previously. Authentication works fine until some
point in time.
At this point the client receives an HTTP 401 Unauthorized response. I double checked that
the client sends correct credentials and nonce values. On the server side I enabled logging (see
attached log file).

The log shows two web service calls: the first one returns successfully, the last one reports
the 401 error. As one can see in lines 12 and 13
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
Tomcat delegates the authentication request to the RealmBase class, logs some stuff and returns
FEIN:  Successfully passed all security constraints

But in case of my error just these three lines are logged:
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Failed authenticate() test

My server.xml is as follows:
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="md5"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>


I also tried to remove the LockOutRealm, but without success.
As far as I understand, with this setup class
is invoked to handle authentication. If I further understand correctly, then the method authenticate(String
username, String clientDigest, String nonce, String nc, String cnonce, String qop, String
realmName, String md5a2) is also invoked. This method iterates over all configured Realms.
It seems to me that, in case of the 401 error, the list of realms (Line 51) is empty and thus
authentication fails.

The error only occurs after many calls to the web service. I was unable to identify any pattern,
but it seems related to the nonce timeout, somehow.
Could one verify this bug?

Best Regards,

Andreas Kehlenbach
Software Engineer, SWD

Dolivostrasse 11, D-64293 Darmstadt

Tel.: +49 6151 9287 332
Fax: +49 6151 9287 326


PROSTEP AG, Dolivostraße 11, D-64293 Darmstadt
Commercial register (HR): Amtsgericht Darmstadt, HRB 8383
Management Board: Dr. Bernd Pätzold (Chairman), Reinhard Betz
Supervisory Board: Dr. Heinz-Gerd Lehnhoff (Chairman)
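An added example for readers of this thread (it is not the author's code and not Tomcat's): an RFC 2617 MD5 digest check that takes the same inputs as the authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, md5a2) signature quoted above, with the stored value computed the way a realm configured with digest="md5" stores it, plus a simplified nonce-validity gate in front of the realm lookup. Where that gate sits relative to the realm, the user names, passwords, nonces and timestamps are all constructed assumptions, used only to show that a 401 can be produced before any realm is consulted, so a correct client response alone does not rule out a stale nonce.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def stored_digest(username: str, realm_name: str, password: str) -> str:
    """What a realm with digest="md5" stores: HA1 = MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm_name}:{password}")

def client_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 response value a client sends for qop=auth."""
    md5a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")

def realm_authenticate(users: dict, username: str, client_digest: str, nonce: str,
                       nc: str, cnonce: str, qop: str, realm_name: str, md5a2: str):
    """Digest check with the same inputs as the quoted authenticate() signature.
    users maps a user name to its stored HA1 (already bound to realm_name).
    Returns the principal name on success, None otherwise."""
    ha1 = users.get(username)
    if ha1 is None:
        return None
    if qop:
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")
    else:  # legacy RFC 2069 form without qop
        expected = md5_hex(f"{ha1}:{nonce}:{md5a2}")
    return username if hmac.compare_digest(expected, client_digest) else None

def handle_request(users: dict, issued_nonces: dict, now: float, nonce_validity: float,
                   username: str, client_digest: str, nonce: str, nc: str,
                   cnonce: str, qop: str, realm_name: str, md5a2: str) -> str:
    """Returns the status a server would send. The stale-nonce branch (an assumption
    about ordering, not a statement about Tomcat) fires before the realm is
    consulted, so a client with correct credentials still receives a 401."""
    issued_at = issued_nonces.get(nonce)
    if issued_at is None or now - issued_at > nonce_validity:
        return "401 stale=true"  # realm never called
    principal = realm_authenticate(users, username, client_digest, nonce, nc,
                                   cnonce, qop, realm_name, md5a2)
    return "200 " + principal if principal else "401 bad credentials"
```

When diagnosing a 401 like the one in the log, the presence or absence of a RealmBase.authenticate line tells you which of the two branches was taken.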