tomcat-users mailing list archives

From "Kehlenbach, Andreas" <Andreas.Kehlenb...@PROSTEP.com>
Subject AW: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
Date Wed, 26 Nov 2014 16:26:43 GMT
Hey Chris,

Yes, I know that BASIC authentication doesn't use nonces, thus I don't think that this is the
root cause. Just forget about the nonce timeout.
For full information: I played around with the timeout and used values of 1, 5, 20 minutes.

But as I discovered that the 401 also appears with BASIC authentication, I would suggest
testing with this.

I reconfigured tomcat, because the configuration differs. That’s what I did to test both
cases.

I hope I can create a small test case tomorrow.

Thank you for your answer,
Andreas

> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, 26 November 2014 17:20
> To: Tomcat Users List
> Subject: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
>
>
> Andreas,
>
> On 11/26/14 5:42 AM, Kehlenbach, Andreas wrote:
> > I think I found the following bug in tomcat 7/8 with the following
> > setup:
> >
> > We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without
> > success) and deployed a web service with jersey 1.18.2.
> > Additionally we set up HTTP authentication. In our case DIGEST
> > authentication, but I tried BASIC authentication and the observed
> > behavior is the same. We have a web service with login and logout
> > methods, as well as some other methods which could only be invoked if
> > a login request was made previously. Authentication works fine until
> > some point in time. At this point the client receives an HTTP response
> > 401 Unauthorized. I double checked that the client sends correct
> > credentials and nonce values. On the server side I enabled logging (see
> > attached log file). The log shows two web service calls, the first one
> > returns successfully, the last one reports the 401 error. As one could
> > see in lines 12 and 13
> >
> >   FEIN:  Calling authenticate()
> >   Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
> >
> > Tomcat delegates the authentication request to the RealmBase class, logs
> > some stuff and returns with
> >
> >   FEIN:  Successfully passed all security constraints
> >
> > But in case of my error just these three lines are logged:
> >
> >   FEIN:  Calling authenticate()
> >   Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
> >   FEIN:  Failed authenticate() test
> >
> > My server.xml is as follows:
> >
> > <…
> > <Engine name="Catalina" defaultHost="localhost">
> >   <Realm className="org.apache.catalina.realm.LockOutRealm">
> >     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >            resourceName="UserDatabase" digest="md5"/>
> >   </Realm>
> >
> >   <Host name="localhost" appBase="webapps" unpackWARs="true"
> >         autoDeploy="true" deployOnStartup="true">
> >
> >     <Valve className="org.apache.catalina.valves.AccessLogValve"
> >            directory="logs" prefix="localhost_access_log." suffix=".txt"
> >            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> >
> >   </Host>
> > </Engine>
> > <…
> >
> > I also tried to remove the LockOutRealm, but without success. As far
> > as I understand with this setup class
> > org.apache.catalina.realm.CombinedRealm.java is invoked to handle
> > authentication. If I further understand correctly, then method
> > authenticate(String username, String clientDigest, String nonce,
> > String nc, String cnonce, String qop, String realmName, String
> > md5a2) is also invoked. This method iterates over all configured
> > Realms. It seems to me that, in case of the 401 error, the list of
> > realms (Line 51) is empty and thus authentication fails.
> >
> > The error only occurs after many calls to the webservice. I was unable
> > to identify any pattern, but it seems related to the nonce timeout,
> > somehow. Could one verify this bug?
>
> What is the nonce timeout?
>
> Note that HTTP BASIC authentication does not use nonces, so the nonce
> timeout wouldn't be the cause under those circumstances.
>
> How did you switch testing from HTTP DIGEST to HTTP BASIC authentication?
> The stored credentials are of course incompatible. If you created a small test
> case, can you share it with us?
>
> - -chris

________________________________________________________________________
PROSTEP AG, Dolivostraße 11, D-64293 Darmstadt
HR: Amtsgericht Darmstadt, HRB 8383
Vorstand: Dr. Bernd Pätzold (Vorsitz), Reinhard Betz
Aufsichtsrat: Dr. Heinz-Gerd Lehnhoff (Vorsitz)
________________________________________________________________________
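As an added example (not code from the thread or from Tomcat), the following Python script parses access-log lines written with the AccessLogValve pattern quoted in the report (%h %l %u %t "%r" %s %b) and reports, per client host, how many authenticated requests succeeded and when the first 401 after a success occurred. The sample log lines are constructed; the initial 401 that a BASIC or DIGEST client receives before it sends credentials is deliberately not counted as a break.

```python
import re
from datetime import datetime

# Regex for the AccessLogValve pattern quoted in the thread: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (not from the original report). Tomcat writes "-"
# for %u when no principal was established, so a failed request has no user.
SAMPLE_LOG = [
    '127.0.0.1 - - [18/Nov/2014:14:58:20 +0100] "GET /ws/login HTTP/1.1" 401 -',
    '127.0.0.1 - andreas [18/Nov/2014:14:58:20 +0100] "GET /ws/login HTTP/1.1" 200 42',
    '127.0.0.1 - andreas [18/Nov/2014:14:58:25 +0100] "GET /ws/data HTTP/1.1" 200 1024',
    '127.0.0.1 - - [18/Nov/2014:15:03:31 +0100] "GET /ws/data HTTP/1.1" 401 -',
    '10.0.0.7 - - [18/Nov/2014:15:04:00 +0100] "GET /ws/data HTTP/1.1" 401 -',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_auth_breaks(lines):
    """Per client host, count authenticated 2xx requests and record the first
    401 that follows such a success. A 401 before any success is the normal
    BASIC/DIGEST challenge and is ignored; a 401 after a success is the
    symptom described in the thread."""
    state = {}
    for rec in filter(None, map(parse_line, lines)):
        s = state.setdefault(rec["host"], {"ok": 0, "first_break": None})
        if 200 <= rec["status"] < 300 and rec["user"] != "-":
            s["ok"] += 1
        elif rec["status"] == 401 and s["ok"] and s["first_break"] is None:
            s["first_break"] = rec["time"]
    return state


if __name__ == "__main__":
    for host, s in find_auth_breaks(SAMPLE_LOG).items():
        when = s["first_break"].isoformat() if s["first_break"] else "none"
        print(f"{host}: {s['ok']} authenticated requests, first 401 after success: {when}")
```

Running it over a real localhost_access_log file gives the timestamp at which a previously working client first lost authentication, which can then be matched against the FINE-level "Failed authenticate() test" lines in catalina.out.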