Posted to users@tomcat.apache.org by Marcel Stör <ma...@frightanic.com> on 2009/02/26 00:16:25 UTC

Request not forwarded to login page with security-constraint after session time-out

Up to now I had always thought I understood the security aspects of the Servlet spec quite well. Looks like I was wrong...

[Problem]
Upon session time-out the request is not forwarded to the login page (form based auth). Nothing happens on the UI. However, forwarding to the login page does work during the initial login into the application.

[Setup]
Tomcat 5.0.28, but the behavior is the same in 5.5.
Application entry page at /app/app.jsp.
Entry Servlet at /app/AppServlet.
Login page at /public/login.jsp.
web.xml looks like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>myapp</web-resource-name>
    <url-pattern>/app/app.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>myapp</web-resource-name>
    <url-pattern>/app/AppServlet</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/public/login.jsp</form-login-page>
    <form-error-page>/public/login.jsp?retry=true</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>

When I initially request /app/app.jsp Tomcat forwards to /public/login.jsp as expected, I can login (using JDBCRealm) and will be forwarded to /app/app.jsp.

[Analysis]
I started Tomcat in debug mode with debug log level and set a breakpoint in FormAuthenticator.authenticate(HttpRequest, HttpResponse, LoginConfig). I see that eventually RequestDispatcher#forward() is invoked because it was detected that the request needs to be authenticated. I followed the control flow to ApplicationDispatcher.doForward(ServletRequest, ServletResponse) but nothing seems to be wrong - at least to me. The log contains the following:
23:27:55,251 DEBUG AuthenticatorBase:413 - [] Security checking request POST /app/AppServlet
23:27:55,252 DEBUG RealmBase:422 - []   Checking constraint 'SecurityConstraint[myapp, myapp]' against POST /app/AppServlet --> true
23:27:55,253 DEBUG AuthenticatorBase:484 - Calling hasUserDataPermission()
23:27:55,253 DEBUG RealmBase:752 - User data constraint has no restrictions
23:27:55,254 DEBUG AuthenticatorBase:502 - Calling authenticate()
23:28:25,246 DEBUG FormAuthenticator:208 - Save request in session '2E77E8D1AF28AA5369AE8DCD334960C5'
// Why would the servletPath be empty? Potential problem?
23:28:27,500 DEBUG ApplicationDispatcher:148 - servletPath=, pathInfo=/public/login.jsp, queryString=null, name=null
23:29:11,136 DEBUG ApplicationDispatcher:381 - Path Based Forward
23:30:58,381 DEBUG ApplicationDispatcher:418 - Disabling the response for futher output
23:31:35,471 DEBUG AuthenticatorBase:506 - Failed authenticate() test

Kind regards,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Marcel,

On 2/27/2009 5:17 PM, Marcel Stör wrote:
> 
> On 27.02.2009, at 17:38, Christopher Schultz wrote:
> 
>> Chuck,
>>
>> On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
>>>> From: Mark Thomas [mailto:markt@apache.org] Subject: Re: Request
>>>> not forwarded to login page with security-constraint after session
>>>> time-out
>>>>
>>>> The spec is clearer than that. The "*" role == all roles defined in
>>>> web.xml.
>>>
>>> Yes, but what it's not clear about is what happens when there are
>>> *no* roles defined in web.xml, which is the situation the OP has.
>>
>> It's worse than that: he has no roles table defined, so he gets
>> SQLExceptions during authorization.
> 
> 
> [OT]
> Yes, indeed.
> I had expected that Tomcat would handle this more gracefully. I find it
> odd that JDBCRealm does try to run a query against the role table
> without checking first if one has even been defined. This is
> particularly annoying because the <Realm> tag in context.xml cannot be
> validated against a DTD or schema -> from a configuration point of view
> I'm not required to define it.

Patches are always welcome :)

-chris



Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Marcel Stör <ma...@frightanic.com>.
On 27.02.2009, at 17:38, Christopher Schultz wrote:

> Chuck,
>
> On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
>>> From: Mark Thomas [mailto:markt@apache.org] Subject: Re: Request
>>> not forwarded to login page with security-constraint after session
>>> time-out
>>>
>>> The spec is clearer than that. The "*" role == all roles defined in
>>> web.xml.
>>
>> Yes, but what it's not clear about is what happens when there are
>> *no* roles defined in web.xml, which is the situation the OP has.
>
> It's worse than that: he has no roles table defined, so he gets
> SQLExceptions during authorization.


[OT]
Yes, indeed.
I had expected that Tomcat would handle this more gracefully. I find it odd that JDBCRealm does try to run a query against the role table without checking first if one has even been defined. This is particularly annoying because the <Realm> tag in context.xml cannot be validated against a DTD or schema -> from a configuration point of view I'm not required to define it.

Regards,
Marcel





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org] Subject: Re: Request
>> not forwarded to login page with security-constraint after session
>> time-out
>> 
>> The spec is clearer than that. The "*" role == all roles defined in
>> web.xml.
> 
> Yes, but what it's not clear about is what happens when there are
> *no* roles defined in web.xml, which is the situation the OP has.

It's worse than that: he has no roles table defined, so he gets
SQLExceptions during authorization.

-chris



Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Mark Thomas <ma...@apache.org>.
Marcel Stör wrote:
> Not sure I can follow you guys on this...A few questions, my assumption
> is that the role-issue has nothing to do with the real problem:

Correct. Chuck and I are off on our own little tangent.

> 1. Is the "*"-role issue even relevant in my context? After all, the
> security constraint works fine if I initially log in...
At this stage, I don't believe it is relevant.

> 2. My requirement is indeed: "allow any authenticated user, ignore roles
> altogether". So I set
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
> ...
> <security-role>
>   <role-name>*</role-name>
> </security-role>
> 
> in web.xml and allRolesMode="AUTH_ONLY_MODE" in the JDBC realm config.
> Correct?
Correct.

> Uummhh, obviously not, because there's still this error in the
> log, but it has no impact:
> 
> Feb 27, 2009 12:06:43 AM org.apache.catalina.realm.JDBCRealm getRoles
> SEVERE: Exception performing authentication
> java.sql.SQLException: ORA-00903: invalid table name

Tomcat expects there to be a role table with the right fields - even if
it doesn't actually need it.

>     at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
>     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
>     at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)
> 
> 3. Why does it seem to be relevant that the request where
> auto-forwarding-to-login-after-session-timeout fails is an AJAX request?

Maybe AJAX can't handle the redirect that Tomcat issues? ieHttpHeaders
(IE), LiveHttpHeaders (FireFox), tcpmon (from Apache Axis) or an
equivalent tool is required here to look at the HTTP headers going back
and forth.

Mark





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Marcel Stör <ma...@frightanic.com>.
Marcel Stör wrote:
[...]
> 3. Why does it seem to be relevant that the request where 
> auto-forwarding-to-login-after-session-timeout fails is an AJAX request?

That was my last thought last night before I fell asleep...and my first this morning when I woke up. And then the scales fell from my eyes; it suddenly dawned on me.

As expected what Tomcat does is 100% correct. The key words here are "forward" vs. "redirect". My application sends an AJAX request to /app/AppServlet, Tomcat requires authentication because the session had timed out and dutifully *forwards* to the login page. Hence, the result of the request is not some JSON object as expected by the client in the browser but the login page HTML structure/page. The client simply isn't prepared for that and freezes.

I'll go fix my application now. Sorry for the disturbance.

Regards,
Marcel




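Marcel's diagnosis above (a JSON client receiving the forwarded login page) has a client-side counterpart: the AJAX caller has to recognise that it got the login page and send the browser there itself. The following is an added example, not code from the thread or from Tomcat; it takes the /app/AppServlet endpoint and /public/login.jsp page from Marcel's setup, and assumes the login page contains the standard j_security_check form action, which it uses only as a fingerprint.

```javascript
// Added example (not from the thread). After the session expires, a
// FORM-authenticated container answers a protected AJAX request with the
// login page: HTML, and still HTTP 200 when the container *forwards* rather
// than redirects. A client expecting JSON must detect that and navigate the
// whole browser to the login page instead of choking on the HTML.
// Assumed from Marcel's setup: endpoint /app/AppServlet, login page
// /public/login.jsp. Assumed by me: the login form posts to j_security_check.

const LOGIN_PAGE = "/public/login.jsp";
const LOGIN_FORM_ACTION = "j_security_check";

// Plain-object view of an HTTP response: { status, url, headers, body }.
// `url` is the final URL after any redirects (what fetch() reports as
// Response.url); `headers` has lower-case keys; `body` is the raw text.
function classifyResponse(resp) {
  const contentType = (resp.headers["content-type"] || "").toLowerCase();
  if (resp.status >= 400) {
    return "http-error";
  }
  if (contentType.startsWith("application/json")) {
    return "json";
  }
  // Redirect case: the container sent a 302 to the login page and fetch()
  // followed it, so the final URL is the login page. The query string is
  // dropped first because the form-error-page carries ?retry=true.
  if (resp.url.split("?")[0].endsWith(LOGIN_PAGE)) {
    return "login-page";
  }
  // Forward case (what Marcel saw): URL unchanged, status 200, but the body
  // is the login page's HTML rather than JSON.
  if (contentType.startsWith("text/html") && resp.body.includes(LOGIN_FORM_ACTION)) {
    return "login-page";
  }
  return "unexpected";
}

// Turn a raw response into a result the application code can act on.
// `navigate(target)` is how the browser is sent to the login page; it is
// injected so the logic can run (and be tested) outside a browser.
function handleAjaxResponse(resp, navigate) {
  const kind = classifyResponse(resp);
  if (kind === "json") {
    return { kind, data: JSON.parse(resp.body) };
  }
  if (kind === "login-page") {
    // Session gone: re-authenticate with a full page load, which is the one
    // thing an XMLHttpRequest/fetch caller cannot do on its own.
    navigate(LOGIN_PAGE);
  }
  return { kind, data: null };
}

// Browser-side wrapper (needs window and fetch, so it is not exercised below).
async function fetchJson(url) {
  const res = await fetch(url, { credentials: "same-origin", headers: { Accept: "application/json" } });
  const body = await res.text();
  const resp = { status: res.status, url: res.url, body,
                 headers: { "content-type": res.headers.get("content-type") || "" } };
  return handleAjaxResponse(resp, (target) => window.location.assign(target));
}

// Constructed sample responses (not captured from Marcel's system).
function sample(status, url, contentType, body) {
  return { status, url, headers: { "content-type": contentType }, body };
}
const LOGIN_HTML = '<html><body><form method="POST" action="j_security_check">' +
  '<input name="j_username"><input name="j_password" type="password"></form></body></html>';
const SAMPLES = {
  json: sample(200, "http://localhost:8080/app/AppServlet", "application/json", '{"items":[1,2,3]}'),
  forwardedLogin: sample(200, "http://localhost:8080/app/AppServlet", "text/html;charset=UTF-8", LOGIN_HTML),
  redirectedLogin: sample(200, "http://localhost:8080/public/login.jsp?retry=true", "text/html", LOGIN_HTML),
  serverError: sample(500, "http://localhost:8080/app/AppServlet", "text/html", "<html><body>HTTP Status 500</body></html>"),
};

// Run every sample through the handler and record where it navigated.
function runSamples() {
  const results = {};
  for (const [name, resp] of Object.entries(SAMPLES)) {
    const navigatedTo = [];
    const out = handleAjaxResponse(resp, (t) => navigatedTo.push(t));
    results[name] = { kind: out.kind, navigatedTo };
  }
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```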


Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Marcel Stör <ma...@frightanic.com>.
On 26.02.2009, at 23:44, Mark Thomas wrote:

> Caldarale, Charles R wrote:
>>> From: Mark Thomas [mailto:markt@apache.org]
>>> Subject: Re: Request not forwarded to login page with
>>> security-constraint after session time-out
>>>
>>> The spec is clearer than that. The "*" role == all roles
>>> defined in web.xml.
>>
>> Yes, but what it's not clear about is what happens when there are
>> *no* roles defined in web.xml, which is the situation the OP has.
>
> I thought it was pretty clear. If "*" is all roles defined and you have
> no roles defined then you are basically preventing anyone from accessing
> that resource (subject to the weird and wonderful rules on combining
> security constraints).

Not sure I can follow you guys on this... A few questions, my assumption is that the role-issue has nothing to do with the real problem:

1. Is the "*"-role issue even relevant in my context? After all, the security constraint works fine if I initially log in...

2. My requirement is indeed: "allow any authenticated user, ignore roles altogether". So I set
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
...
<security-role>
  <role-name>*</role-name>
</security-role>

in web.xml and allRolesMode="AUTH_ONLY_MODE" in the JDBC realm config. Correct? Uummhh, obviously not, because there's still this error in the log, but it has no impact:

Feb 27, 2009 12:06:43 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: ORA-00903: invalid table name

	at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)

3. Why does it seem to be relevant that the request where auto-forwarding-to-login-after-session-timeout fails is an AJAX request?

Regards,
Marcel





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> If "*" is all roles defined and you have no roles
>> defined then you are basically preventing anyone
>> from accessing that resource
> 
> That's not quite what it says.  The actual wording:
> 
> "The special role name "*" is a shorthand for all role names defined in the deployment descriptor.  An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

I think the current implementation follows from that. "*" is all roles
defined. If there are no roles defined then the auth constraint names no
roles and all users are blocked.

> In the OP's case, the authorization constraint does name roles, albeit just the shorthand version.

"*" makes no sense in
<security-role><role-name>*</role-name></security-role>

I suspect what Tomcat is doing is creating a role named "*". Since no
user has been assigned to that role, no user is permitted access.

> What the spec is not explicit about is the combination of "*" with an
> empty or non-existent <security-role> list.

I think it is quite clear. It means no-one gets access.

> The OP (and others) have interpreted the "*" and no <security-role> list
> to indicate no roles are needed for authorization.

Indeed. So did Tomcat for many versions.

> For all we know, the intent of the spec writers may have been to allow that.

I know that that was not the intent. The current behaviour was the intent.

Mark





RE: Request not forwarded to login page with security-constraint after session time-out

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> If "*" is all roles defined and you have no roles
> defined then you are basically preventing anyone
> from accessing that resource

That's not quite what it says.  The actual wording:

"The special role name "*" is a shorthand for all role names defined in the deployment descriptor.  An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances."

In the OP's case, the authorization constraint does name roles, albeit just the shorthand version.  What the spec is not explicit about is the combination of "*" with an empty or non-existent <security-role> list.  The OP (and others) have interpreted the "*" and no <security-role> list to indicate no roles are needed for authorization.  For all we know, the intent of the spec writers may have been to allow that.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.



RE: Request not forwarded to login page with security-constraint after session time-out

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> I don't find this ambiguous at all

You have to carefully examine the sections being referred to; in each area of the spec, the references are to the <role-name>s specified in a <security-constraint>, not to those listed in a <security-role>.  There is no direct statement in the spec (but there is implication) that a list of <security-role> elements is required, nor is there any statement about what happens if there is no such list.

Moreover, the spec does not address the situation the OP has: all that's desired is authentication, authorization is not needed or desired.

 - Chuck





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 2/26/2009 7:22 PM, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
> 
>>> What the spec is not explicit about is the combination
>>> of "*" with an empty or non-existent <security-role> list.
> 
>> I think it is quite clear. It means no-one gets access.
> 
> We'll have to agree to disagree; I find it ambiguous, and obviously
> others have different interpretations, so it definitely isn't clear. I'd
> like to see the spec document how authentication can be configured when
> no authorization (and therefore no roles) is necessary.

I don't find this ambiguous at all (this is the XSD documentation for
auth-constraintType).

"
The auth-constraintType indicates the user roles that
should be permitted access to this resource
collection. The role-name used here must either correspond
to the role-name of one of the security-role elements
defined for this web application, or be the specially
reserved role-name "*" that is a compact syntax for
indicating all roles in the web application. If both "*"
and rolenames appear, the container interprets this as all
roles.  If no roles are defined, no user is allowed access
to the portion of the web application described by the
containing security-constraint.  The container matches
role names case sensitively when determining access.
"

No roles listed? Nobody gets access. * = all (should be "any") roles
defined in the application. No roles defined? Nobody gets access.

As I said, practically speaking, this last constraint hasn't been
properly enforced in many versions of Tomcat (or securityfilter! we're
working on fixing that somehow).

>> Chuck and I are off on our own little tangent.
> 
> Not sure that's entirely true, since the OP's situation
> (authentication without need for authorization) doesn't seem to be
> covered by the spec, and behavior of other containers (and even
> different versions of Tomcat) may well differ from what he's getting today.

I agree with Chuck. Although the OP's issue was resolved (login pages
rarely look like JSON responses... oops!), the fact that the OP was
abusing the authentication and authorization mechanism of Tomcat is not
good. I'm not sure why any user was ever properly authorized, here: a
SQLException in role gathering results in successful authorization for
all users? Shouldn't the default be to disallow access unless
authorization is successful? Sounds like a horrible security bug to me.

-chris



RE: Request not forwarded to login page with security-constraint after session time-out

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out

> > What the spec is not explicit about is the combination
> > of "*" with an empty or non-existent <security-role> list.

> I think it is quite clear. It means no-one gets access.

We'll have to agree to disagree; I find it ambiguous, and obviously others have different interpretations, so it definitely isn't clear.  I'd like to see the spec document how authentication can be configured when no authorization (and therefore no roles) is necessary.

> Chuck and I are off on our own little tangent.

Not sure that's entirely true, since the OP's situation (authentication without need for authorization) doesn't seem to be covered by the spec, and behavior of other containers (and even different versions of Tomcat) may well differ from what he's getting today.

 - Chuck





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:markt@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> The spec is clearer than that. The "*" role == all roles
>> defined in web.xml.
> 
> Yes, but what it's not clear about is what happens when there are *no* roles defined in web.xml, which is the situation the OP has.

I thought it was pretty clear. If "*" is all roles defined and you have
no roles defined then you are basically preventing anyone from accessing
that resource (subject to the weird and wonderful rules on combining
security constraints).

Mark





RE: Request not forwarded to login page with security-constraint after session time-out

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> The spec is clearer than that. The "*" role == all roles
> defined in web.xml.

Yes, but what it's not clear about is what happens when there are *no* roles defined in web.xml, which is the situation the OP has.

 - Chuck





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: Marcel Stör [mailto:marcel@frightanic.com]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> No, I only mentioned this because Tomcat throws an SQL exception
>> because it tries to query a table called "" if I don't specify a role
>> table in the realm config in context.xml
> 
> That's because of the strong implication in the servlet spec that roles are required; any behavior you observe in a particular Tomcat level when no roles exist is very likely an accident and not guaranteed from one version to the next.

The spec is clearer than that. The "*" role == all roles defined in web.xml.

Unfortunately, Tomcat used to treat "*" as any authenticated user - not
quite what the spec requires. That was fixed - check the change log for
the version.

The undocumented realm attribute allRolesMode (see RealmBase) can be
used to control this behaviour.

Mark





RE: Request not forwarded to login page with security-constraint after session time-out

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Marcel Stör [mailto:marcel@frightanic.com]
> Subject: Re: Request not forwarded to login page with
> security-constraint after session time-out
>
> No, I only mentioned this because Tomcat throws an SQL exception
> because it tries to query a table called "" if I don't specify a role
> table in the realm config in context.xml

That's because of the strong implication in the servlet spec that roles are required; any behavior you observe in a particular Tomcat level when no roles exist is very likely an accident and not guaranteed from one version to the next.

A proper way to handle this would be to subclass the Realm you're now using, and have that subclass fill in a dummy role name for each user; that dummy name should also be specified in the web.xml for the webapp.

 - Chuck





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Marcel Stör <ma...@frightanic.com>.
On 26.02.2009, at 20:13, Christopher Schultz wrote:

> Marcel,
>
> On 2/26/2009 10:21 AM, Marcel Stör wrote:
>> If I request a protected URL (manually clicking
>> link, AJAX request, etc.) *after* the session has timed out I expect an
>> automatic forwarding to the login page. As I could see while debugging,
>> the request dispatcher does indeed issue a forward() to the login page
>> but nothing happens.
>
> Error logs? HTTP dump? Note that Tomcat 5.0 has been unsupported for
> quite a while. I recommend planning an upgrade SOON.

I'll gather some more information...
I know. It's just that Google's GWT setup for local development ships with 5.0.28 embedded. We don't use 5.0 in production, don't worry.

>> I'm sure either, I saw it in some tutorial. Since I don't have a role
>> table (right, JDBCRealm complains about that, but whatever...) it
>> basically means that I don't use role based access.
>
> Technically speaking, no roles defined = no access. Practically
> speaking, I don't believe Tomcat forces any roles to be defined when "*"
> is the role-name required by the security-constraint.

No, I only mentioned this because Tomcat throws an SQL exception because it tries to query a table called "" if I don't specify a role table in the realm config in context.xml

Regards,
Marcel





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Marcel,

On 2/26/2009 10:21 AM, Marcel Stör wrote:
> If I request a protected URL (manually clicking
> link, AJAX request, etc.) *after* the session has timed out I expect an
> automatic forwarding to the login page. As I could see while debugging,
> the request dispatcher does indeed issue a forward() to the login page
> but nothing happens.

Error logs? HTTP dump? Note that Tomcat 5.0 has been unsupported for
quite a while. I recommend planning an upgrade SOON.

> I'm sure either, I saw it in some tutorial. Since I don't have a role
> table (right, JDBCRealm complains about that, but whatever...) it
> basically means that I don't use role based access.

Technically speaking, no roles defined = no access. Practically
speaking, I don't believe Tomcat forces any roles to be defined when "*"
is the role-name required by the security-constraint.

-chris



Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Marcel Stör <ma...@frightanic.com>.
Gregor Schneider wrote:
> Marcel,
> 
> On Thu, Feb 26, 2009 at 12:16 AM, Marcel Stör <ma...@frightanic.com> wrote:
>> [Problem]
>> Upon session time-out the request is not forwarded to the login page (form
>> based auth). Nothing happens on the UI. However, forwarding to the login
>> page does work during the initial login into the application.
>>
> 
> Not sure if I get you right:
> 
> Do you expect an *automatic* forwarding to the login-page?
> 
> Or are you requesting a protected URL *after* the session has timed out?

Well, a bit of both ;-) If I request a protected URL (manually clicking link, AJAX request, etc.) *after* the session has timed out I expect an automatic forwarding to the login page. As I could see while debugging, the request dispatcher does indeed issue a forward() to the login page but nothing happens.

> If the latter:
> 
> In the Tomcat access logs, do you see any HTTP 40x?

I need to check.

> PS.:
> 
> This looks a bit awkward to me (didn't know that this is possible),
> but I guess that's not the reason for your problem:
> 
>>    <role-name>*</role-name>

I'm not sure either, I saw it in some tutorial. Since I don't have a role table (right, JDBCRealm complains about that, but whatever...) it basically means that I don't use role based access.

> PPS: Compliments for the excellent problem description!

Thanks, after all I need people to help me. So, it's in my own best interest.

Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer





Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Gregor,

On 2/26/2009 9:59 AM, Gregor Schneider wrote:
> This looks a bit awkward to me (didn't know that this is possible),
> but I guess that's not the reason for your problem:
> 
>    <role-name>*</role-name>

This is fine. From the servlet spec SRV.13.3:

"
The auth-constraintType indicates the user roles that
should be permitted access to this resource
collection. The role-name used here must either correspond
to the role-name of one of the security-role elements
defined for this web application, or be the specially
reserved role-name "*" that is a compact syntax for
indicating all roles in the web application. If both "*"
and rolenames appear, the container interprets this as all
roles.  If no roles are defined, no user is allowed access
to the portion of the web application described by the
containing security-constraint.  The container matches
role names case sensitively when determining access.
"

In this context, it means "any authenticated user is authorized,
regardless of role".

-chris

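The SRV.13.3 rules Chris quotes, as an added example that is not part of the thread: a small Python model of the container's authorization decision, run over a constructed web.xml that mirrors Marcel's constraint (the `is_authorized` and `_matches` names are my own; extension patterns are omitted).

```python
"""Added example (not from the thread): models how a servlet container
decides access against a web.xml <security-constraint> per SRV.13.3.
The web.xml text is constructed and mirrors the original post."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/app.jsp</url-pattern>
      <url-pattern>/app/AppServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _matches(pattern, path):
    # Exact match or path-prefix pattern such as /app/* (extension patterns omitted)
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path

def is_authorized(web_xml, path, method, authenticated, user_roles):
    """True if the request may proceed; user_roles are the realm's roles for the principal."""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        covered = False
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            # Listing http-methods constrains ONLY those; unlisted verbs stay unprotected
            if (not methods or method in methods) and any(
                    _matches(p.text.strip(), path) for p in wrc.findall("url-pattern")):
                covered = True
        ac = sc.find("auth-constraint")
        if not covered or ac is None:
            continue  # not covered, or covered with no auth-constraint: no login needed
        roles = {r.text.strip() for r in ac.findall("role-name")}
        if not roles or not authenticated:
            return False  # empty auth-constraint denies everyone; otherwise must be logged in
        if "*" in roles:
            continue  # "*": any authenticated user, regardless of role
        if not roles & set(user_roles):  # role names are compared case-sensitively
            return False
    return True
```

Note that because the original constraint lists only GET/POST/PUT/DELETE, a request with an unlisted method is not covered by it at all, which is why omitting `<http-method>` entirely is the safer configuration.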


Re: Request not forwarded to login page with security-constraint after session time-out

Posted by Gregor Schneider <rc...@googlemail.com>.
Marcel,

On Thu, Feb 26, 2009 at 12:16 AM, Marcel Stör <ma...@frightanic.com> wrote:
>
> [Problem]
> Upon session time-out the request is not forwarded to the login page (form
> based auth). Nothing happens on the UI. However, forwarding to the login
> page does work during the initial login into the application.
>

Not sure if I get you right:

Do you expect an *automatic* forwarding to the login-page?

Or are you requesting a protected URL *after* the session has timed out?

If the latter:

In the Tomcat access logs, do you see any HTTP 40x?

Gregor

PS.:

This looks a bit awkward to me (didn't know that this is possible),
but I guess that's not the reason for your problem:

>    <role-name>*</role-name>

PPS: Compliments for the excellent problem description!

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
