Posted to users@tomcat.apache.org by Alberto Montoya <er...@gmail.com> on 2006/05/22 09:23:47 UTC

Problems with Realms and authorization

Hello!

This is my first post to the list. My problem is this: I've configured
Tomcat's server.xml file to use JDBC to authenticate users, and I've set up
the realms and the different roles that can access those realms. Then, if I
try to access some realm but I haven't got the right role, Tomcat redirects
me to an error page (Forbidden Access) but it never asks again for my user
and my password. This occurs only if that user/password exists in my
database but hasn't got the right role; if I enter a non-existent
user/password, Tomcat asks me again for them. How can I solve this? Could I
change that error page that Tomcat shows? How?

Thank you in advance...
Alberto

Re: Problems with Realms and authorization

Posted by Alberto Montoya <er...@gmail.com>.
Hello David,

Thank you very much. I'll follow your advice.

Greetings

2006/5/22, David Delbecq <de...@oma.be>:
>
> Hi Alberto.
>
> A user can be in two states from Tomcat's point of view.
> 1) anonymous (that is, the user has not yet provided user / password)
> 2) authenticated (the user has provided user / password)
>
> Aside from this, there are 2 kinds of URLs for Tomcat
> 1) unrestricted ones (anyone can access them)
> 2) URLs restricted to specific roles (only authenticated users having
> the correct role can access them)
>
> As a result, when you try to access a URL, these are the possible
> scenarios
> 1) public URL -> access is granted
> 2) restricted URL and you are anonymous -> you are asked to log in
> 3) restricted URL, you are authenticated but you don't have the correct
> role -> access is refused
> 4) restricted URL, you are authenticated and you have the correct roles ->
> access is granted
>
> Your problem is point 3: you used a user / pass that does not have the
> privilege for the given URL. However, as you are authenticated, Tomcat
> will not ask you to authenticate again. It already knows who you are and
> knows you can't access that URL. You should avoid a design where an
> individual has to use a different user / pass depending on what he wants
> to do. It's better that he uses only one account that has the required
> privileges. Really, there is a problem with the J2EE specs you must be
> aware of: there is no way to log out, except by closing the browser.
>
> Changing the error page is of no help, by the way. There is no way to
> force Tomcat to accept a new user / password because there is no way to
> do it according to the J2EE specs. Also, there is a difference between
> 401 Unauthorized
> 403 Forbidden
>
> 401 will request user / pass, 403 will not. Forcing a 401 is useless
> because the browser will cache user / pass and resend them without popping
> up a new dialog.
>
> Regards
>
> Alberto Montoya wrote:
> > Hello!
> >
> > This is my first post to the list. My problem is this: I've configured
> > Tomcat's server.xml file to use JDBC to authenticate users, and I've
> > set up the realms and the different roles that can access those realms.
> > Then, if I try to access some realm but I haven't got the right role,
> > Tomcat redirects me to an error page (Forbidden Access) but it never
> > asks again for my user and my password. This occurs only if that
> > user/password exists in my database but hasn't got the right role; if I
> > enter a non-existent user/password, Tomcat asks me again for them. How
> > can I solve this? Could I change that error page that Tomcat shows? How?
> >
> > Thank you in advance...
> > Alberto
> >
>

Re: Problems with Realms and authorization

Posted by David Delbecq <de...@oma.be>.
Hi Alberto.

A user can be in two states from Tomcat's point of view.
1) anonymous (that is, the user has not yet provided user / password)
2) authenticated (the user has provided user / password)

Aside from this, there are 2 kinds of URLs for Tomcat
1) unrestricted ones (anyone can access them)
2) URLs restricted to specific roles (only authenticated users having
the correct role can access them)

As a result, when you try to access a URL, these are the possible scenarios
1) public URL -> access is granted
2) restricted URL and you are anonymous -> you are asked to log in
3) restricted URL, you are authenticated but you don't have the correct
role -> access is refused
4) restricted URL, you are authenticated and you have the correct roles ->
access is granted

Your problem is point 3: you used a user / pass that does not have the
privilege for the given URL. However, as you are authenticated, Tomcat
will not ask you to authenticate again. It already knows who you are and
knows you can't access that URL. You should avoid a design where an
individual has to use a different user / pass depending on what he wants
to do. It's better that he uses only one account that has the required
privileges. Really, there is a problem with the J2EE specs you must be
aware of: there is no way to log out, except by closing the browser.

Changing the error page is of no help, by the way. There is no way to
force Tomcat to accept a new user / password because there is no way to
do it according to the J2EE specs. Also, there is a difference between
401 Unauthorized
403 Forbidden

401 will request user / pass, 403 will not. Forcing a 401 is useless because
the browser will cache user / pass and resend them without popping up a new
dialog.

Regards

Alberto Montoya wrote:
> Hello!
>
> This is my first post to the list. My problem is this: I've configured
> Tomcat's server.xml file to use JDBC to authenticate users, and I've set
> up the realms and the different roles that can access those realms. Then,
> if I try to access some realm but I haven't got the right role, Tomcat
> redirects me to an error page (Forbidden Access) but it never asks again
> for my user and my password. This occurs only if that user/password
> exists in my database but hasn't got the right role; if I enter a
> non-existent user/password, Tomcat asks me again for them. How can I
> solve this? Could I change that error page that Tomcat shows? How?
>
> Thank you in advance...
> Alberto
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
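As an added illustration of the four scenarios David lists (this is example code, not code from the thread and not Tomcat's own implementation), here is a small Python model of how a servlet container decides between 200, 401 and 403. It parses a constructed web.xml with the standard `<security-constraint>`, `<login-config>` and `<error-page>` elements, applies the Servlet url-pattern matching rules (exact, `/prefix/*`, `*.ext`) and the rule that an empty `<auth-constraint/>` denies everyone, then evaluates requests for an anonymous user and for an authenticated principal whose roles are passed in directly (in Alberto's deployment they would come from the JDBCRealm's user-role table). The descriptor, the paths and the user `alberto` with role `member` are assumptions made for the example.

```python
# Added example (not from the thread, not Tomcat code): a model of the
# container's 200 / 401 / 403 decision driven by a constructed web.xml.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample descriptor for a hypothetical application. The xmlns a
# real web.xml carries is omitted so ElementTree tag names stay plain.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
      <url-pattern>*.secret</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name><role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Retired area</web-resource-name>
      <url-pattern>/old/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Demo</realm-name></login-config>
  <error-page><error-code>403</error-code><location>/forbidden.html</location></error-page>
</web-app>"""


@dataclass
class Constraint:
    patterns: list         # url-pattern values of the web-resource-collection
    roles: Optional[list]  # None: no auth-constraint (public); []: deny everyone


def parse_web_xml(text: str):
    """Return (constraints, error_pages) read from a web.xml document."""
    root = ET.fromstring(text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append(Constraint(patterns, roles))
    error_pages = {ep.findtext("error-code"): ep.findtext("location")
                   for ep in root.findall("error-page")}
    return constraints, error_pages


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: path prefix '/x/*', extension '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def decide(path: str, principal, constraints, error_pages):
    """Return (status, error_page) for one request.

    principal is None for an anonymous request, else (username, set_of_roles).
    401 stands for the container's challenge (BASIC WWW-Authenticate header or
    redirect to the FORM login page); 403 carries the mapped error page, if any.
    """
    required = None   # None: no constraint matched, the resource is public
    deny_all = False
    for c in constraints:
        if not any(pattern_matches(p, path) for p in c.patterns):
            continue
        if c.roles is None:
            continue  # constraint without auth-constraint: unrestricted
        if not c.roles:
            deny_all = True  # empty auth-constraint precludes all access
        required = set(c.roles) if required is None else required | set(c.roles)
    if required is None:
        return 200, None                    # scenario 1: public URL
    if principal is None:
        return 401, error_pages.get("401")  # scenario 2: ask for credentials
    _, roles = principal
    if not deny_all and ("*" in required or required & roles):
        return 200, None                    # scenario 4: authenticated, right role
    return 403, error_pages.get("403")      # scenario 3: authenticated, wrong role


if __name__ == "__main__":
    cons, pages = parse_web_xml(WEB_XML)
    alberto = ("alberto", {"member"})
    for path, who in [("/index.html", None), ("/admin/users", None),
                      ("/admin/users", alberto), ("/members/home", alberto)]:
        print(path, who and who[0], "->", decide(path, who, cons, pages))
```

The `<error-page>` mapping for 403 is the standard web.xml way to change the page Alberto sees; as the model shows, it changes only what the 403 response carries, not the decision, which is David's point. A 403 returned to an already authenticated user is also a useful thing to log on the server side: it means a valid account requested something outside its role, which is a different signal from a failed login.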