Posted to users@tomcat.apache.org by Jason Harrop <jh...@bigpond.net.au> on 2001/03/01 16:11:43 UTC
[TC4] Bug? Authentication problem with HTTP 1.1 client (MSIE)
Hi
I'm using TC4 built from CVS on 17 Feb, and I'm scratching my head about
a strange problem when I try and access 2 webapps which have the same
realm name in their web.xml file, as in:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myRealm</realm-name>
If I visit these webapps using an HTTP 1.0 client (e.g. NS 4.7, or IE 5 or
5.5 with "Use HTTP 1.1" deselected), I get the expected sequence of a
401 error, at which point the browser presents the authentication
dialog; then on subsequent protected pages, the browser responds to the
401 error with authentication information without involving the users.
If I visit these webapps using either IE 5 or 5.5 in their default HTTP
1.1 enabled mode, then what happens is this:
For IE 5.5, when I visit the first page, I am asked to authenticate.
Then, when I visit the second page (on my setup, this is in a second
webapp, but with the same realm-name), I am presented with a blank
screen. The Tomcat logs show the 401 response, but they DO NOT show a
subsequent request in which the authentication information is provided
by the browser.
HOWEVER, according to my packet sniffer, that request _is_ being sent,
however Tomcat never responds to it:
GET /TestDrive/protected/showHomeDirectory HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /TestDrive/protected/showHomeDirectory HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr

[Tomcat sends the page]

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr

Clicking refresh successfully grabs the page for me, without me having
to type any authentication info again. So I think this might be a bug in
Tomcat 4's HTTP 1.1 connector (since things are okay with a 1.0 client)?
With IE 5, the second time Tomcat sends a 401, IE asks me to
authenticate, even though the WWW-Authenticate header is the same one it
has seen before. This looks to me like a bug in IE 5.
Any thoughts? BTW, I'm not using the single sign on support valve.
thanks
Jason
Re: [TC4] HTTP 1.1 client authentication problems STILL
Posted by Jason Harrop <jh...@bigpond.net.au>.
Replying to my own post: main problem fixed by Remy's patches in the
most recent nightly build. I haven't experimented with the SSO stuff
again though.
Re: [TC4] HTTP 1.1 client authentication problems STILL
Posted by Jason Harrop <jh...@bigpond.net.au>.
Jason Harrop wrote:
> Replying to my own post - this problem went away when I updated to the
> latest TC CVS sources and rebuilt. cheers, Jason
Actually it didn't :( Attached please find what I see. I'm not sure
whether the fact that I have 2 webapps is implicated in this - I suspect
so.
cheers, jason
============= without SSO ========================
[click on link requiring authentication in first webapp (called TestDrive)]
- user gets authentication challenge
- tcpdump says for request:
    GET /TestDrive/protected/showHomeDirectory HTTP/1.1
- Tomcat log says:
    61.9.164.185 - - [02/Mar/2001:23:34:57 10000] "GET /TestDrive/protected/showHomeDirectory HTTP/1.1" 401 -
- tcpdump says for response:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="SmartPrecedentServer"
[all ok so far - enter authentication information]
- tcpdump says for request:
    GET /TestDrive/protected/showHomeDirectory HTTP/1.1
    Authorization: Basic ZnJlZDpuZYVr
- Tomcat log says:
    61.9.164.185 - jerry [02/Mar/2001:23:44:32 10000] "GET /TestDrive/protected/showHomeDirectory HTTP/1.1" 200 688
- tcpdump says for response:
    HTTP/1.1 200
    pragma: no-cache
    Transfer-Encoding: chunked
    Server: Apache Tomcat/4.0-dev (HTTP/1.1 Connector)
    Cache-Control: no-cache
[okay so far - so click on another link (second webapp, called
SmartPrecedentServer), and USER GETS BLANK SCREEN :(]
- tcpdump says for request
    GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FServices+Agreement.xml&repositoryname=TestDrive HTTP/1.1
    Connection: Keep-Alive
- Tomcat logs say
    61.9.164.185 - - [02/Mar/2001:23:50:07 10000] "GET /SmartPrecedentServer/askInterviewPreferences HTTP/1.1" 401 -
- tcpdump says for response
    HTTP/1.1 401 Unauthorized
    Server: Apache Tomcat/4.0-dev (HTTP/1.1 Connector)
    WWW-Authenticate: Basic realm="SmartPrecedentServer"
[user doesn't do anything]
- tcpdump says for request
    GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FServices+Agreement.xml&repositoryname=TestDrive HTTP/1.1
    Authorization: Basic ZnJlZDpuZYVr
- Tomcat logs say nothing :(
- tcpdump does not show any response
[User clicks refresh]
- tcpdump says for request
    GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FServices+Agreement.xml&repositoryname=TestDrive HTTP/1.1
    Connection: Keep-Alive
    Authorization: Basic ZnJlZDpuZYVr
- Tomcat log says
    61.9.164.185 - jerry [02/Mar/2001:23:56:56 10000] "GET /SmartPrecedentServer/askInterviewPreferences HTTP/1.1" 200 1315
- tcpdump says for response:
    HTTP/1.1 200
    Pragma: no-cache
    Transfer-Encoding: chunked
    Server: Apache Tomcat/4.0-dev (HTTP/1.1 Connector)
    Cache-Control: no-cache
    Set-Cookie: JSESSIONID=[etc]
================ with SSO ==================================
If I go through the exercise with SingleSignOn support enabled:
[eventually we get to the request:]
    GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FServices+Agreement.xml&repositoryname=TestDrive HTTP/1.1
[there is no authorization header]
Tomcat log says BOTH OF THE FOLLOWING!
    61.9.164.185 - - [02/Mar/2001:23:50:07 10000] "GET /SmartPrecedentServer/askInterviewPreferences HTTP/1.1" 401 -
    61.9.164.185 - jerry [02/Mar/2001:23:56:56 10000] "GET /SmartPrecedentServer/askInterviewPreferences HTTP/1.1" 200 1315
BUT tcpdump doesn't show a response to the first request, and nor does
it show the second request to have been made!?
Neither the logs nor tcpdump show the SSO cookie to be set:
    2001-03-03 00:09:07 SingleSignOn[localhost]: Checking for SSO cookie
    2001-03-03 00:09:07 SingleSignOn[localhost]: SSO cookie is not present
    2001-03-03 00:09:07 StandardHost[localhost]: Mapping request URI '/TestDrive/protected/showHomeDirectory'
    2001-03-03 00:09:07 StandardHost[localhost]: Trying the longest context path prefix
    2001-03-03 00:09:07 StandardHost[localhost]: Mapped to context '/TestDrive'
    2001-03-03 00:09:07 showHomeDirectory: init
The realm names in both webapps are identical.
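
An added example (not part of the original thread, and not Tomcat code): a Python check for the behaviour the post expects from an HTTP/1.1 server, where the 401 challenge and the retried request carrying Authorization travel on one persistent connection and each gets a response. The stand-in server, the `demo:demo-pass` credentials and the function names are assumptions; the realm name and paths are taken from the post.

```python
import base64, hmac, http.client, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REALM = "myRealm"  # realm name used in the post
TOKEN = base64.b64encode(b"demo:demo-pass").decode()  # constructed credentials
PATHS = ("/TestDrive/protected/showHomeDirectory",  # the two webapps in the post
         "/SmartPrecedentServer/askInterviewPreferences")

class BasicAuthHandler(BaseHTTPRequestHandler):
    """Stand-in server (not Tomcat): Basic auth over persistent HTTP/1.1."""
    protocol_version = "HTTP/1.1"  # keep-alive unless a side asks to close

    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode("latin-1")
        ok = hmac.compare_digest(sent, b"Basic " + TOKEN.encode())
        body = b"protected page\n" if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        # Explicit length frames even the empty 401 so the retry can reuse the socket.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the example quiet

def exchange(host, port, timeout=5.0):
    """Per path: challenge, then retry with credentials, all on one connection."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    rows = []
    for path in PATHS:
        for headers in ({}, {"Authorization": "Basic " + TOKEN}):
            conn.request("GET", path, headers=headers)
            client_port = conn.sock.getsockname()[1]  # same port => same TCP connection
            resp = conn.getresponse()  # raises a timeout if no answer arrives
            resp.read()
            rows.append((path, resp.status, client_port))
    conn.close()
    return rows

def run_check():
    with ThreadingHTTPServer(("127.0.0.1", 0), BasicAuthHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return exchange(*server.server_address)
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_check())
```

Each row is (path, status, client port); an identical client port on every row confirms that the challenge and the retry shared one connection. A request that never receives a response, the symptom described in the post, surfaces as a timeout exception from `getresponse()`.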
Re: [TC4] Bug? Authentication problem with HTTP 1.1 client (MSIE)
Posted by Jason Harrop <jh...@bigpond.net.au>.
Replying to my own post - this problem went away when I updated to the
latest TC CVS sources and rebuilt. cheers, Jason
Jason Harrop wrote:
> Hi
>
> I'm using TC4 built from CVS on 17 Feb, and I'm scratching my head about
> a strange problem when I try and access 2 webapps which have the same
> realm name in their web.xml file, as in:
>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>myRealm</realm-name>
>
> If I visit these webapps using an HTTP 1.0 client (e.g. NS 4.7, or IE 5 or
> 5.5 with "Use HTTP 1.1" deselected), I get the expected sequence of a
> 401 error, at which point the browser presents the authentication
> dialog; then on subsequent protected pages, the browser responds to the
> 401 error with authentication information without involving the users.
>
> If I visit these webapps using either IE 5 or 5.5 in their default HTTP
> 1.1 enabled mode, then what happens is this:
>
> For IE 5.5, when I visit the first page, I am asked to authenticate.
> Then, when I visit the second page (on my setup, this is in a second
> webapp, but with the same realm-name), I am presented with a blank
> screen. The Tomcat logs show the 401 response, but they DO NOT show a
> subsequent request in which the authentication information is provided
> by the browser.
>
> HOWEVER, according to my packet sniffer, that request _is_ being sent,
> however Tomcat never responds to it:
>
> GET /TestDrive/protected/showHomeDirectory HTTP/1.1
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Basic realm="myRealm"
>
> GET /TestDrive/protected/showHomeDirectory HTTP/1.1
> Authorization: Basic ZnJlZDpuZXJr
>
> [Tomcat sends the page]
>
> GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Basic realm="myRealm"
>
> GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
> Authorization: Basic ZnJlZDpuZXJr
>
> Clicking refresh successfully grabs the page for me, without me having
> to type any authentication info again. So I think this might be a bug in
> Tomcat 4's HTTP 1.1 connector (since things are okay with a 1.0 client)?
>
> With IE 5, the second time Tomcat sends a 401, IE asks me to
> authenticate, even though the WWW-Authenticate header is the same one it
> has seen before. This looks to me like a bug in IE 5.
>
> Any thoughts? BTW, I'm not using the single sign on support valve.
>
> thanks
>
> Jason