Posted to users@tomcat.apache.org by John Tangney <jt...@knowledgeplanet.com> on 2000/05/04 01:00:46 UTC

HTTP BASIC Authentication

Hi

The README says 
> 5.2 Container Managed Security
> 
> Tomcat 3.1 has an experimental implementation of container managed security,
> as described in the Servlet API Specification, version 2.2, section 11.
> Please note the following information about this implementation:
> 
> - BASIC authentication appears to work correctly, but has not been
> extensively tested.  Please report any bugs you encounter here
> at <http://jakarta.apache.org/bugs>.  The example application has
> a protected area defined at the following URL:
> 
> http://localhost:8080/examples/jsp/security/protected
> 
> which can be accessed by any user defined in the configuration file
> $TOMCAT_HOME/conf/tomcat-users.xml that has been granted the
> appropriate roles.

When I go to that URL, my client makes me log in, so I use user='tomcat',
p/w='tomcat' as seen in the tomcat-users.xml file. So far so good.

But then I see a directory listing - apparently the contents of the
/examples directory. I was expecting to see
/examples/jsp/security/protected/index.jsp, which has something quite
different.

I see the same directory listing whether my client browser is running on the
same host as the server or different machines. This is an 'out the box'
install of Tomcat on Solaris using JDK 1.2.2.

What's going on here? Is there some secret redirection going on? Am I just
misunderstanding what the HTTP BASIC authentication is doing? Or is this a
bug?

Help!
--johnt




Re: HTTP BASIC Authentication

Posted by John Tangney <jt...@knowledgeplanet.com>.
I changed the authentication to form-based, and the same thing happens.

I also moved the index.jsp file from
$TOMCAT_HOME/webapps/examples/jsp/security/protected/ to
$TOMCAT_HOME/webapps/examples (the directory that I get to after logging in)
and the jsp works correctly, showing the principal name, etc.

So I am now convinced that this is a BUG, whereby the login process causes
the root of the web app to be returned, rather than the page mentioned in
the original request. I am going to enter this whole message into the
bugbase at http://jakarta.apache.org/bugs - just as soon as I can get access
to it :-(

In case anyone is interested, a log of the transaction as captured by iCab
is appended at the end of this message. It clearly shows the HTTP request
for examples/jsp/security/protected/.

--johnt


***

Thread #1 (5/4/00, 9:50 AM):

Connecting to base.kuis.com  Port: 8080
GET /examples/jsp/security/protected HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/xbm,
image/png, */*
Host: base.kuis.com:8080
User-Agent: iCab/Pre1.9 (Macintosh; I; PPC)
If-Modified-Since: Thu, 4 May 2000 16:09:23 GMT
 
 

Thread #1 (5/4/00, 9:50 AM):

Response: 401
Date: Thu, 04 May 2000 16:49:39 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2;
SunOS 5.6 sparc; java.vendor=Sun Microsystems Inc.)
Content-Language: en
WWW-Authenticate: Basic realm="Example Basic Authentication Area"
Content-Type: text/plain
Status: 401
 

Thread #1 (5/4/00, 9:50 AM):

Connecting to base.kuis.com  Port: 8080
GET /examples/jsp/security/protected HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/xbm,
image/png, */*
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Host: base.kuis.com:8080
User-Agent: iCab/Pre1.9 (Macintosh; I; PPC)
If-Modified-Since: Thu, 4 May 2000 16:09:23 GMT
 
 

Thread #1 (5/4/00, 9:50 AM):

Response: 302
Content-Length: 191
Date: Thu, 04 May 2000 16:49:46 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2;
SunOS 5.6 sparc; java.vendor=Sun Microsystems Inc.)
Content-Language: en
Content-Type: text/html
Status: 302
Location: http://base.kuis.com:8080/examples/jsp/security/protected/
 

Thread #1 (5/4/00, 9:50 AM):

Connecting to base.kuis.com  Port: 8080
GET /examples/jsp/security/protected/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/xbm,
image/png, */*
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Host: base.kuis.com:8080
Referer: 
http://tomcat:tomcat@base.kuis.com:8080/examples/jsp/security/protected
User-Agent: iCab/Pre1.9 (Macintosh; I; PPC)
If-Modified-Since: Thu, 4 May 2000 16:31:14 GMT
 
 

Thread #1 (5/4/00, 9:50 AM):

Response: 200
Content-Length: 916
Date: Thu, 04 May 2000 16:49:46 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2;
SunOS 5.6 sparc; java.vendor=Sun Microsystems Inc.)
Content-Language: en
Content-Type: text/plain
Status: 200
Last-Modified: Thu, 04 May 2000 16:31:14 GMT
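
Added example, not part of the original messages: a short Python script that parses an abbreviated copy of the iCab trace above, lists the 401 -> 302 -> 200 status sequence, and shows that the BASIC credentials are readable from the capture both in the Authorization header (base64 is an encoding, not encryption) and in the Referer URL. The function names are hypothetical and the trace is trimmed to the relevant headers.

```python
import base64
import re
from urllib.parse import urlsplit

# Abbreviated from the iCab trace in the message above (other headers trimmed).
TRACE = """\
GET /examples/jsp/security/protected HTTP/1.0

Response: 401
WWW-Authenticate: Basic realm="Example Basic Authentication Area"

GET /examples/jsp/security/protected HTTP/1.0
Authorization: Basic dG9tY2F0OnRvbWNhdA==

Response: 302
Location: http://base.kuis.com:8080/examples/jsp/security/protected/

GET /examples/jsp/security/protected/ HTTP/1.0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Referer: http://tomcat:tomcat@base.kuis.com:8080/examples/jsp/security/protected

Response: 200
"""

def parse_trace(text):
    """Split the trace into (start_line, {lowercased header name: value})."""
    messages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        pairs = (line.partition(":") for line in rest)
        messages.append((first.strip(), {n.strip().lower(): v.strip() for n, _, v in pairs}))
    return messages

def exposed_credentials(messages):
    """Return (where, user, password) for every credential readable in the trace."""
    found = []
    for _start, headers in messages:
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() == "basic" and token:
            user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
            found.append(("Authorization", user, pw))
        ref = urlsplit(headers.get("referer", ""))
        if ref.username:  # userinfo embedded in the URL the client sent as Referer
            found.append(("Referer", ref.username, ref.password or ""))
    return found

def status_sequence(messages):
    # Status codes in order, so the challenge/redirect/final-response flow is visible.
    return [int(s.split()[1]) for s, _ in messages if s.startswith("Response:")]
```

Anyone who can read such a capture, a proxy log, or a Referer log recovers the password directly, which is why BASIC authentication belongs only on TLS-protected connections and why traces like this should be scrubbed before they are posted.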