Posted to users@tomcat.apache.org by rop <ro...@gmail.com> on 2015/03/10 19:57:06 UTC

Form-based authentication breaks after upgrade to Tom 7.0.59

We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.

For some reason, the form-based authentication gets broken after the upgrade,
and just gives "Invalid username and/or password, please try again"
when trying to login.

Cannot find anything in catalina.out related to this.

From our logging, it appears the DataSourceRealm.authenticate() never gets
called at all.

If I downgrade to 7.0.35, it works again...

Anyone has a clue if anything changed between these versions,
what the problem might be, or even how to troubleshoot the issue?

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rop,

On 3/12/15 7:10 PM, rop wrote:
> Hi Chris, Yes, we are applying salt before hashing (to prevent
> googling up many passwords from the hashes).

Depending upon how you are storing the salt, you may be able to use
Tomcat out of the box, now, because Tomcat can now do salted passwords
(it was way overdue).

> Override probably seemed like easiest way at the time, but maybe a
> better way now. Will check it out, thanks.

You will be better-off moving away from Realm and towards
CredentialHandler instead. Consider beginning to evaluate that for the
future.

-chris

> On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Rop,
> 
> On 3/12/15 3:33 PM, rop wrote:
>>>> Finally, found the issue.
> 
> Please bottom-post if you can. Also, please sign your posts.
> 
>>>> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas
>>>> <ma...@apache.org> wrote:
>>>> 
>>>>> On 12/03/2015 15:51, rop wrote:
>>>>>> Ah, I got it now. Thanks, David.
>>>>>> 
>>>>>> Yes, the a-b-c-d points are OK then.
>>>>>> 
>>>>>> As a trouble-shoot action, I actually did an
>>>>>> install-and-test "binary search" among the intermediate
>>>>>> tomcat-versions to pinpoint exactly which version breaks
>>>>>> our app.
>>>>>> 
>>>>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and
>>>>>> 7.0.49 do not exist in the tomcat archive) And from
>>>>>> 7.0.50 it breaks.
>>>>>> 
>>>>>> So apparently, between 47 and 50 some change occurred
>>>>>> that breaks our login....
>>>>> 
>>>>> Nothing jumps out at me in the change log. I'd add that
>>>>> FORM auth is tested as part of every release so it isn't a
>>>>> general problem.
>>>>> 
>>>>> In your shoes, I'd be firing up Eclipse and remote
>>>>> debugging my way through the authentication process.
>>>>> Alternatively, try creating the smallest/simplest possible
>>>>> WAR that exhibits the problem.
>>>> 
>>>> The crucial change was in the method 
>>>> RealmBase.compareCredentials(), which is new in 7.0.50 (the 
>>>> comparison was much simpler before that).
> 
> It is much more extensible, now.
> 
>>>> Dunno if we do something unusual here, but we just extend 
>>>> DataSourceRealm, like MyDataSourceRealm, and implement the 
>>>> message-digest for password-hashing in there, by simply
>>>> overriding the digest() method.
> 
> Do you need to extend the whole realm, or did you just want to 
> override Tomcat's default password-hashing algorithm?
> 
> If you just want to tweak the hashing algorithm, you can write a 
> simpler class and not subclass DataSourceRealm. What does your
> Realm do besides change the password-comparison algorithm?
> 
>>>> Before 7.0.50, this worked fine *without* explicitly setting
>>>> the DataSourceRealm.setDigest() property. It's always been
>>>> null, and still worked.
> 
> This was because it defaulted to "MD5" and Tomcat always used 
> simplistic credential-hashing. It's much more sophisticated, now,
> and also supports things like Bcrypt, Scrypt, PBKDF2, etc.
> 
>>>> But the new method RealmBase.compareCredentials() assumes: if
>>>> you use messageDigest, this property MUST be set. ( 
>>>> compareCredentials() calls hasMessageDigest() which did not
>>>> happen in earlier versions. )
>>>> 
>>>> So the solution was to simply add the property digest in
>>>> <Realm digest="..." ...> which we didn't have there before.
>>>> Then it works.
> 
> Great. But I think you can do better. If your Realm merely changes
> the way hashing is done, please check-out the new features. You may
> be able to a) eliminate your class altogether due to new features
> or b) replace your Realm with a CredentialHandler that only does
> the mutation and comparison of credentials.
> 
> We did this so you can use the same credential-mutations on *any* 
> realm, without having to subclass every Realm to do it.
> 
> Hope that helps, -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by rop <ro...@gmail.com>.
Hi Chris,
Yes, we are applying salt before hashing (to prevent googling up many
passwords from the hashes).
Override probably seemed like easiest way at the time, but maybe a better
way now. Will check it out, thanks.
/Rop



On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Rop,
>
> On 3/12/15 3:33 PM, rop wrote:
> > Finally, found the issue.
>
> Please bottom-post if you can. Also, please sign your posts.
>
> > On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org>
> > wrote:
> >
> >> On 12/03/2015 15:51, rop wrote:
> >>> Ah, I got it now. Thanks, David.
> >>>
> >>> Yes, the a-b-c-d points are OK then.
> >>>
> >>> As a trouble-shoot action, I actually did an install-and-test
> >>> "binary search" among the intermediate tomcat-versions to
> >>> pinpoint exactly which version breaks our app.
> >>>
> >>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
> >>> do not exist in the tomcat archive) And from 7.0.50 it breaks.
> >>>
> >>> So apparently, between 47 and 50 some change occurred that
> >>> breaks our login....
> >>
> >> Nothing jumps out at me in the change log. I'd add that FORM auth
> >> is tested as part of every release so it isn't a general
> >> problem.
> >>
> >> In your shoes, I'd be firing up Eclipse and remote debugging my
> >> way through the authentication process. Alternatively, try
> >> creating the smallest/simplest possible WAR that exhibits the
> >> problem.
> >
> > The crucial change was in the method
> > RealmBase.compareCredentials(), which is new in 7.0.50 (the
> > comparison was much simpler before that).
>
> It is much more extensible, now.
>
> > Dunno if we do something unusual here, but we just extend
> > DataSourceRealm, like MyDataSourceRealm, and implement the
> > message-digest for password-hashing in there, by simply overriding
> > the digest() method.
>
> Do you need to extend the whole realm, or did you just want to
> override Tomcat's default password-hashing algorithm?
>
> If you just want to tweak the hashing algorithm, you can write a
> simpler class and not subclass DataSourceRealm. What does your Realm
> do besides change the password-comparison algorithm?
>
> > Before 7.0.50, this worked fine *without* explicitly setting the
> > DataSourceRealm.setDigest() property. It's always been null, and
> > still worked.
>
> This was because it defaulted to "MD5" and Tomcat always used
> simplistic credential-hashing. It's much more sophisticated, now, and
> also supports things like Bcrypt, Scrypt, PBKDF2, etc.
>
> > But the new method RealmBase.compareCredentials() assumes: if you
> > use messageDigest, this property MUST be set. (
> > compareCredentials() calls hasMessageDigest() which did not happen
> > in earlier versions. )
> >
> > So the solution was to simply add the property digest in <Realm
> > digest="..." ...> which we didn't have there before. Then it works.
>
> Great. But I think you can do better. If your Realm merely changes the
> way hashing is done, please check-out the new features. You may be
> able to a) eliminate your class altogether due to new features or b)
> replace your Realm with a CredentialHandler that only does the
> mutation and comparison of credentials.
>
> We did this so you can use the same credential-mutations on *any*
> realm, without having to subclass every Realm to do it.
>
> Hope that helps,
> -chris

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rop,

On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.

Please bottom-post if you can. Also, please sign your posts.

> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org>
> wrote:
> 
>> On 12/03/2015 15:51, rop wrote:
>>> Ah, I got it now. Thanks, David.
>>> 
>>> Yes, the a-b-c-d points are OK then.
>>> 
>>> As a trouble-shoot action, I actually did an install-and-test
>>> "binary search" among the intermediate tomcat-versions to
>>> pinpoint exactly which version breaks our app.
>>> 
>>> Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49
>>> do not exist in the tomcat archive) And from 7.0.50 it breaks.
>>> 
>>> So apparently, between 47 and 50 some change occurred that
>>> breaks our login....
>> 
>> Nothing jumps out at me in the change log. I'd add that FORM auth
>> is tested as part of every release so it isn't a general
>> problem.
>> 
>> In your shoes, I'd be firing up Eclipse and remote debugging my
>> way through the authentication process. Alternatively, try
>> creating the smallest/simplest possible WAR that exhibits the
>> problem.
> 
> The crucial change was in the method
> RealmBase.compareCredentials(), which is new in 7.0.50 (the
> comparison was much simpler before that).

It is much more extensible, now.

> Dunno if we do something unusual here, but we just extend
> DataSourceRealm, like MyDataSourceRealm, and implement the
> message-digest for password-hashing in there, by simply overriding
> the digest() method.

Do you need to extend the whole realm, or did you just want to
override Tomcat's default password-hashing algorithm?

If you just want to tweak the hashing algorithm, you can write a
simpler class and not subclass DataSourceRealm. What does your Realm
do besides change the password-comparison algorithm?

> Before 7.0.50, this worked fine *without* explicitly setting the 
> DataSourceRealm.setDigest() property. It's always been null, and
> still worked.

This was because it defaulted to "MD5" and Tomcat always used
simplistic credential-hashing. It's much more sophisticated, now, and
also supports things like Bcrypt, Scrypt, PBKDF2, etc.

> But the new method RealmBase.compareCredentials() assumes: if you
> use messageDigest, this property MUST be set. (
> compareCredentials() calls hasMessageDigest() which did not happen
> in earlier versions. )
> 
> So the solution was to simply add the property digest in <Realm
> digest="..." ...> which we didn't have there before. Then it works.

Great. But I think you can do better. If your Realm merely changes the
way hashing is done, please check-out the new features. You may be
able to a) eliminate your class altogether due to new features or b)
replace your Realm with a CredentialHandler that only does the
mutation and comparison of credentials.

We did this so you can use the same credential-mutations on *any*
realm, without having to subclass every Realm to do it.

Hope that helps,
-chris


Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by rop <ro...@gmail.com>.
Finally, found the issue.

The crucial change was in the method RealmBase.compareCredentials(),
which is new in 7.0.50 (the comparison was much simpler before that).

Dunno if we do something unusual here,
but we just extend DataSourceRealm, like MyDataSourceRealm,
and implement the message-digest for password-hashing in there,
by simply overriding the digest() method.

Before 7.0.50, this worked fine *without* explicitly setting the
DataSourceRealm.setDigest() property.
It's always been null, and still worked.

But the new method RealmBase.compareCredentials() assumes: if you use
messageDigest, this property MUST be set.
( compareCredentials() calls hasMessageDigest() which did not happen in
earlier versions. )

So the solution was to simply add the property digest in
<Realm digest="..." ...>
which we didn't have there before.
Then it works.


On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:

> On 12/03/2015 15:51, rop wrote:
> > Ah, I got it now.
> > Thanks, David.
> >
> > Yes, the a-b-c-d points are OK then.
> >
> > As a trouble-shoot action, I actually did an install-and-test "binary search"
> > among the intermediate tomcat-versions to pinpoint exactly which version
> > breaks our app.
> >
> > Turns out, up to 7.0.47 it still works OK.
> > (7.0.48 and 7.0.49 do not exist in the tomcat archive)
> > And from 7.0.50 it breaks.
> >
> > So apparently, between 47 and 50 some change occurred that breaks our
> > login....
>
> Nothing jumps out at me in the change log. I'd add that FORM auth is
> tested as part of every release so it isn't a general problem.
>
> In your shoes, I'd be firing up Eclipse and remote debugging my way
> through the authentication process. Alternatively, try creating the
> smallest/simplest possible WAR that exhibits the problem.
>
> Mark
>
>
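
A simplified model of the regression rop describes above, added here as an illustration; it is not Tomcat source and not rop's code. The class names, the fixed salt, and the "old style" comparison (assumed to always call digest()) are assumptions made for the model.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Simplified model of the behaviour discussed in the thread. Not Tomcat source. */
public class RealmDigestModel {

    /** Stand-in for the base realm; only the digest-related parts are modelled. */
    static class ModelRealm {
        private String digestAttr; // models <Realm digest="...">; null when omitted

        void setDigest(String algorithm) { this.digestAttr = algorithm; }

        boolean hasMessageDigest() { return digestAttr != null; }

        /** Base hashing: pass-through when no digest attribute is configured. */
        String digest(String credentials) {
            if (!hasMessageDigest()) {
                return credentials;
            }
            return hex(hash(digestAttr, credentials));
        }

        /** Assumed pre-7.0.50 style: digest() is always consulted. */
        boolean compareOldStyle(String supplied, String stored) {
            return stored != null && stored.equalsIgnoreCase(digest(supplied));
        }

        /** 7.0.50+ style as rop describes it: digest() is gated on hasMessageDigest(). */
        boolean compareCredentials(String supplied, String stored) {
            if (stored == null) {
                return false;
            }
            if (hasMessageDigest()) {
                return stored.equalsIgnoreCase(digest(supplied));
            }
            // Attribute unset: the subclass override of digest() is never reached,
            // so the plaintext is compared against the stored hash and never matches.
            return stored.equals(supplied);
        }
    }

    /** Models the custom realm: salted hashing done by overriding digest(). */
    static class MyDataSourceRealm extends ModelRealm {
        private static final String SALT = "constructed-demo-salt"; // constructed value

        @Override
        String digest(String credentials) {
            return hex(hash("SHA-256", SALT + credentials));
        }
    }

    static byte[] hash(String algorithm, String input) {
        try {
            return MessageDigest.getInstance(algorithm)
                    .digest(input.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unknown digest algorithm: " + algorithm, e);
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        MyDataSourceRealm realm = new MyDataSourceRealm();
        String stored = realm.digest("s3cret"); // constructed: what the users table would hold

        System.out.println("old style, digest unset: "
                + realm.compareOldStyle("s3cret", stored));
        System.out.println("new style, digest unset: "
                + realm.compareCredentials("s3cret", stored));

        realm.setDigest("SHA-256"); // the fix from the thread: <Realm digest="..." ...>
        System.out.println("new style, digest set:   "
                + realm.compareCredentials("s3cret", stored));
        System.out.println("wrong password rejected: "
                + !realm.compareCredentials("guess", stored));
    }
}
```

In this model the attribute's value only opens the gate; the overridden digest() still decides how the credential is hashed.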

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by Mark Thomas <ma...@apache.org>.
On 12/03/2015 15:51, rop wrote:
> Ah, I got it now.
> Thanks, David.
> 
> Yes, the a-b-c-d points are OK then.
> 
> As a trouble-shoot action, I actually did an install-and-test "binary search"
> among the intermediate tomcat-versions to pinpoint exactly which version
> breaks our app.
> 
> Turns out, up to 7.0.47 it still works OK.
> (7.0.48 and 7.0.49 do not exist in the tomcat archive)
> And from 7.0.50 it breaks.
> 
> So apparently, between 47 and 50 some change occurred that breaks our
> login....

Nothing jumps out at me in the change log. I'd add that FORM auth is
tested as part of every release so it isn't a general problem.

In your shoes, I'd be firing up Eclipse and remote debugging my way
through the authentication process. Alternatively, try creating the
smallest/simplest possible WAR that exhibits the problem.

Mark



Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by rop <ro...@gmail.com>.
Ah, I got it now.
Thanks, David.

Yes, the a-b-c-d points are OK then.

As a trouble-shoot action, I actually did an install-and-test "binary search"
among the intermediate tomcat-versions to pinpoint exactly which version
breaks our app.

Turns out, up to 7.0.47 it still works OK.
(7.0.48 and 7.0.49 do not exist in the tomcat archive)
And from 7.0.50 it breaks.

So apparently, between 47 and 50 some change occurred that breaks our
login....


On Thu, Mar 12, 2015 at 3:37 PM, David kerber <dc...@verizon.net> wrote:

> On 3/12/2015 10:16 AM, rop wrote:
>
>> Hi Chris,
>>
>> Thanks for your input.
>>
>> Re your points a+b:
>>    "You have put your <Realm> into conf/context.xml instead of into your web
>> application's META-INF/context.xml"
>>
>> Actually neither ---- we define the <Realm> in
>> $CATALINA_BASE/conf/server.xml
>> That's also what I see in the Tomcat-docs:
>>     http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm
>>
>
> That is his option (a) in his list.  Did you check that?
>
>
>
>
>> And I see no mention of META-INF anywhere in there.
>>
>> Can you please elaborate what you're referring to?
>>
>>
>>
>>
>> On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz <
>> chris@christopherschultz.net> wrote:
>>
>>>
>>> Rop,
>>>
>>> On 3/10/15 2:57 PM, rop wrote:
>>>
>>>> We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
>>>>
>>>> For some reason, the form-based authentication gets broken after
>>>> the upgrade, and just gives "Invalid username and/or password,
>>>> please try again" when trying to login.
>>>>
>>>> Cannot find anything in catalina.out related to this.
>>>>
>>>
>>> What about the other log files in logs/? Nothing?
>>>
>>> :(
>>>
>>>> From our logging, it appears the DataSourceRealm.authenticate()
>>>> never gets called at all.
>>>>
>>>
>>> What is your <Realm> configuration, and in what file is it configured?
>>>
>>>> If I downgrade to 7.0.35, it works again...
>>>>
>>>> Anyone has a clue if anything changed between these versions, what
>>>> the problem might be, or even how to troubleshoot the issue?
>>>>
>>>
>>> Some initial thoughts for what could be wrong:
>>>
>>> a. You have put your <Realm> into conf/server.xml instead of into
>>>     your web application's META-INF/context.xml file, and you forgot
>>>     to copy that configuration from 7.0.35 to your new 7.0.59
>>>     install.
>>>
>>> b. You have put your <Realm> into conf/context.xml instead of into
>>>     your web application's META-INF/context.xml file, and you should
>>>     not have done that at all; move the <Realm> into META-INF/context.xml
>>>
>>> c. The configuration you are modifying isn't the one that Tomcat is
>>>     actually using. I find that this happens a lot to people who are
>>>     launching Tomcat from within an IDE like Eclipse, because the IDE
>>>     does odd things with configuration management.
>>>
>>> d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory
>>>     and didn't copy it into Tomcat 7.0.59's lib/ directory, though this
>>>     should have given you errors on startup.
>>>
>>> Take a look at those possibilities and let us know what you find.
>>>
>>> -chris
>>>
>>
>

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by David kerber <dc...@verizon.net>.
On 3/12/2015 10:16 AM, rop wrote:
> Hi Chris,
>
> Thanks for your input.
>
> Re your points a+b:
>    "You have put your <Realm> into conf/context.xml instead of into your web
> application's META-INF/context.xml"
>
> Actually neither ---- we define the <Realm> in
> $CATALINA_BASE/conf/server.xml
> That's also what I see in the Tomcat-docs:
>     http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm

That is his option (a) in his list.  Did you check that?


>
> And I see no mention of META-INF anywhere in there.
>
> Can you please elaborate what you're referring to?
>
>
>
>
> On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>>
>> Rop,
>>
>> On 3/10/15 2:57 PM, rop wrote:
>>> We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
>>>
>>> For some reason, the form-based authentication gets broken after
>>> the upgrade, and just gives "Invalid username and/or password,
>>> please try again" when trying to login.
>>>
>>> Cannot find anything in catalina.out related to this.
>>
>> What about the other log files in logs/? Nothing?
>>
>> :(
>>
>>>  From our logging, it appears the DataSourceRealm.authenticate()
>>> never gets called at all.
>>
>> What is your <Realm> configuration, and in what file is it configured?
>>
>>> If I downgrade to 7.0.35, it works again...
>>>
>>> Anyone has a clue if anything changed between these versions, what
>>> the problem might be, or even how to troubleshoot the issue?
>>
>> Some initial thoughts for what could be wrong:
>>
>> a. You have put your <Realm> into conf/server.xml instead of into
>>     your web application's META-INF/context.xml file, and you forgot
>>     to copy that configuration from 7.0.35 to your new 7.0.59
>>     install.
>>
>> b. You have put your <Realm> into conf/context.xml instead of into
>>     your web application's META-INF/context.xml file, and you should
>>     not have done that at all; move the <Realm> into META-INF/context.xml
>>
>> c. The configuration you are modifying isn't the one that Tomcat is
>>     actually using. I find that this happens a lot to people who are
>>     launching Tomcat from within an IDE like Eclipse, because the IDE
>>     does odd things with configuration management.
>>
>> d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory
>>     and didn't copy it into Tomcat 7.0.59's lib/ directory, though this
>>     should have given you errors on startup.
>>
>> Take a look at those possibilities and let us know what you find.
>>
>> -chris
>




Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by rop <ro...@gmail.com>.
Hi Chris,

Thanks for your input.

Re your points a+b:
  "You have put your <Realm> into conf/context.xml instead of into your web
application's META-INF/context.xml"

Actually neither ---- we define the <Realm> in
$CATALINA_BASE/conf/server.xml
That's also what I see in the Tomcat-docs:
   http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm

And I see no mention of META-INF anywhere in there.

Can you please elaborate what you're referring to?




On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Rop,
>
> On 3/10/15 2:57 PM, rop wrote:
> > We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
> >
> > For some reason, the form-based authentication gets broken after
> > the upgrade, and just gives "Invalid username and/or password,
> > please try again" when trying to login.
> >
> > Cannot find anything in catalina.out related to this.
>
> What about the other log files in logs/? Nothing?
>
> :(
>
> > From our logging, it appears the DataSourceRealm.authenticate()
> > never gets called at all.
>
> What is your <Realm> configuration, and in what file is it configured?
>
> > If I downgrade to 7.0.35, it works again...
> >
> > Anyone has a clue if anything changed between these versions, what
> > the problem might be, or even how to troubleshoot the issue?
>
> Some initial thoughts for what could be wrong:
>
> a. You have put your <Realm> into conf/server.xml instead of into
>    your web application's META-INF/context.xml file, and you forgot
>    to copy that configuration from 7.0.35 to your new 7.0.59
>    install.
>
> b. You have put your <Realm> into conf/context.xml instead of into
>    your web application's META-INF/context.xml file, and you should
>    not have done that at all; move the <Realm> into META-INF/context.xml
>
> c. The configuration you are modifying isn't the one that Tomcat is
>    actually using. I find that this happens a lot to people who are
>    launching Tomcat from within an IDE like Eclipse, because the IDE
>    does odd things with configuration management.
>
> d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory
>    and didn't copy it into Tomcat 7.0.59's lib/ directory, though this
>    should have given you errors on startup.
>
> Take a look at those possibilities and let us know what you find.
>
> -chris

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rop,

On 3/10/15 2:57 PM, rop wrote:
> We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
> 
> For some reason, the form-based authentication gets broken after
> the upgrade, and just gives "Invalid username and/or password,
> please try again" when trying to login.
> 
> Cannot find anything in catalina.out related to this.

What about the other log files in logs/? Nothing?

:(

> From our logging, it appears the DataSourceRealm.authenticate()
> never gets called at all.

What is your <Realm> configuration, and in what file is it configured?

> If I downgrade to 7.0.35, it works again...
> 
> Anyone has a clue if anything changed between these versions, what
> the problem might be, or even how to troubleshoot the issue?

Some initial thoughts for what could be wrong:

a. You have put your <Realm> into conf/server.xml instead of into
   your web application's META-INF/context.xml file, and you forgot
   to copy that configuration from 7.0.35 to your new 7.0.59
   install.

b. You have put your <Realm> into conf/context.xml instead of into
   your web application's META-INF/context.xml file, and you should
   not have done that at all; move the <Realm> into META-INF/context.xml

c. The configuration you are modifying isn't the one that Tomcat is
   actually using. I find that this happens a lot to people who are
   launching Tomcat from within an IDE like Eclipse, because the IDE
   does odd things with configuration management.

d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory
   and didn't copy it into Tomcat 7.0.59's lib/ directory, though this
   should have given you errors on startup.

Take a look at those possibilities and let us know what you find.

-chris