Posted to users@tomcat.apache.org by Diogenes Gomes <di...@gmail.com> on 2008/01/24 13:52:05 UTC
Problem with protecting pages in Tomcat 5.5
Hi,
I have the following web.xml
=====================================================
<web-app ...>
<display-name>testeweb</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Teste</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/erro.html</form-error-page>
</form-login-config>
</login-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
</web-app>
=====================================================
and the following context.xml
=====================================================
<?xml version="1.0" encoding="UTF-8"?>
<Context debug="99" docBase="${catalina.home}/webapps/testeweb"
path="/testeweb">
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:oracle:thin:@localhost:1521/XE"
connectionName="saps" connectionPassword="saps" userTable="USUARIODOSISTEMA"
userNameCol="NOME" userCredCol="NOME"
userRoleTable="PAPEISDOUSUARIO" roleNameCol="NOMEDOPAPEL" />
</Context>
=====================================================
The application runs ok in Tomcat 5.0 but in 5.5.20 and 5.5.25 I have
the error page
=====================================================
HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.
--------------------------------------------------------------------------------
Apache Tomcat/5.5.20
=====================================================
and a log segment (the very last lines in the log file before the HTTP 403)
=====================================================
...
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Save request in
session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Authenticating
username 'usuario1'
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Authentication
of 'usuario1' was successful
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Redirecting to
original '/testeweb/'
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Restore request
from session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24
org.apache.catalina.authenticator.FormAuthenticator - Proceed to
restored request
=====================================================
It seems to be a bug. Does anybody know a workaround? Is there a
mistake in my configuration files?
Thanks in advance.
Diogenes Gomes
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problem with protecting pages in Tomcat 5.5
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,
Caldarale, Charles R wrote:
|> From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
|> Subject: Re: Problem with protecting pages in Tomcat 5.5
|>
|> Please, do you know how to define "any role"?
|
| I don't believe the servlet spec allows for such a weak constraint. You
| may want to consider using programmatic authentication (as defined in
| the servlet spec) rather than declarative.
|
| Take a look at:
| http://sourceforge.net/projects/securityfilter
|
| Although the last update was in 2004, it's recently become active again
| (thank you, Chris), and is much more flexible than what's allowed in the
| spec.
Yes, sf is a bit more flexible than Tomcat's built-in authentication and
authorization. sf currently interprets the "*" role to mean "any
authenticated user", much like TC 5.0 (erroneously) did. Technically, we
should be checking against the list of defined roles, but we're not.
I expect this to be "fixed" in a future version, but we will probably
provide either a backward-compatibility setting to allow * to mean "I
don't care at all" or make it easy to re-implement the algorithm
yourself to get the same effect.
Diogenes, what's the problem with simply defining all of your roles in
the web.xml file?
- -chris
RE: Problem with protecting pages in Tomcat 5.5
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
> Subject: Re: Problem with protecting pages in Tomcat 5.5
>
> Please, do you know how to define "any role"?
I don't believe the servlet spec allows for such a weak constraint. You
may want to consider using programmatic authentication (as defined in
the servlet spec) rather than declarative.
Take a look at:
http://sourceforge.net/projects/securityfilter
Although the last update was in 2004, it's recently become active again
(thank you, Chris), and is much more flexible than what's allowed in the
spec.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
Re: Problem with protecting pages in Tomcat 5.5
Posted by David Smith <dn...@cornell.edu>.
I would think the simplest way to go is to define a role and add all
registered users to it. Nothing says a user can't have more than one role.
--David
Diogenes Gomes wrote:
>Thank you very much Caldarale.
>
>Please, do you know how to define "any role"? The framework I use
>takes care of authorization (based on service's methods). I only need
>to authenticate the user, otherwise I would double the access
>configuration.
>
>Diogenes
>
>2008/1/24, Caldarale, Charles R <Ch...@unisys.com>:
>
>>>From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
>>>Subject: Problem with protecting pages in Tomcat 5.5
>>>
>>> <auth-constraint>
>>> <role-name>*</role-name>
>>> </auth-constraint>
>>
>>IIRC, 5.0 misinterpreted a <role-name> setting of *; this was corrected
>>in 5.5 and above. The asterisk does not mean "any role", but rather
>>"all defined roles". (See section 12 of the servlet spec.) You need to
>>provide a set of valid roles via <security-role> in your web.xml file.
>>
>>><Context debug="99" docBase="${catalina.home}/webapps/testeweb"
>>> path="/testeweb">
>>
>>Take out the docBase and path attributes - they're not allowed when the
>><Context> element is in META-INF/context.xml (where it should be).
>>
>> - Chuck
Re: Problem with protecting pages in Tomcat 5.5
Posted by Bill Barker <wb...@wilshire.com>.
"Diogenes Gomes" <di...@gmail.com> wrote in message
news:3e7cf32c0801240622t7b2784cbp640575f715d92c9b@mail.gmail.com...
> Thank you very much Caldarale.
>
> Please, do you know how to define "any role"? The framework I use
> takes care of authorization (based on service's methods). I only need
> to authenticate the user, otherwise I would double the access
> configuration.
>
There is a backwards compatible setting on the <Realm />. You add the
attribute allRolesMode="authOnly", and Tomcat will revert to its 5.0
behavior.
> Diogenes
>
> 2008/1/24, Caldarale, Charles R <Ch...@unisys.com>:
>> > From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
>> > Subject: Problem with protecting pages in Tomcat 5.5
>> >
>> > <auth-constraint>
>> > <role-name>*</role-name>
>> > </auth-constraint>
>>
>> IIRC, 5.0 misinterpreted a <role-name> setting of *; this was corrected
>> in 5.5 and above. The asterisk does not mean "any role", but rather
>> "all defined roles". (See section 12 of the servlet spec.) You need to
>> provide a set of valid roles via <security-role> in your web.xml file.
>>
>> > <Context debug="99" docBase="${catalina.home}/webapps/testeweb"
>> > path="/testeweb">
>>
>> Take out the docBase and path attributes - they're not allowed when the
>> <Context> element is in META-INF/context.xml (where it should be).
>>
>> - Chuck
Re: Problem with protecting pages in Tomcat 5.5
Posted by Diogenes Gomes <di...@gmail.com>.
Thank you very much Caldarale.
Please, do you know how to define "any role"? The framework I use
takes care of authorization (based on service's methods). I only need
to authenticate the user, otherwise I would double the access
configuration.
Diogenes
2008/1/24, Caldarale, Charles R <Ch...@unisys.com>:
> > From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
> > Subject: Problem with protecting pages in Tomcat 5.5
> >
> > <auth-constraint>
> > <role-name>*</role-name>
> > </auth-constraint>
>
> IIRC, 5.0 misinterpreted a <role-name> setting of *; this was corrected
> in 5.5 and above. The asterisk does not mean "any role", but rather
> "all defined roles". (See section 12 of the servlet spec.) You need to
> provide a set of valid roles via <security-role> in your web.xml file.
>
> > <Context debug="99" docBase="${catalina.home}/webapps/testeweb"
> > path="/testeweb">
>
> Take out the docBase and path attributes - they're not allowed when the
> <Context> element is in META-INF/context.xml (where it should be).
>
> - Chuck
RE: Problem with protecting pages in Tomcat 5.5
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Diogenes Gomes [mailto:diogs.gomes@gmail.com]
> Subject: Problem with protecting pages in Tomcat 5.5
>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
IIRC, 5.0 misinterpreted a <role-name> setting of *; this was corrected
in 5.5 and above. The asterisk does not mean "any role", but rather
"all defined roles". (See section 12 of the servlet spec.) You need to
provide a set of valid roles via <security-role> in your web.xml file.
> <Context debug="99" docBase="${catalina.home}/webapps/testeweb"
> path="/testeweb">
Take out the docBase and path attributes - they're not allowed when the
<Context> element is in META-INF/context.xml (where it should be).
- Chuck
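Both fixes suggested in the thread, written out as an added example that is not configuration from any of the posts: option A declares the roles in web.xml so that "*" resolves to them (Chuck's reply); option B leaves web.xml as posted and sets allRolesMode="authOnly" on the Realm (Bill's reply), with docBase and path removed from META-INF/context.xml. The role names usuario and admin and the SENHA column are placeholders, not values from the posts.

```xml
<!-- WEB-INF/web.xml, option A: declare the roles so that "*" resolves to them -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>testeweb</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- In 5.5 "*" means "all roles declared in <security-role>", not "anyone" -->
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE as posted; CONFIDENTIAL would force the login form over HTTPS -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/erro.html</form-error-page>
    </form-login-config>
  </login-config>
  <!-- One entry per role name stored in PAPEISDOUSUARIO.NOMEDOPAPEL;
       "usuario" and "admin" are placeholders, not names from the post -->
  <security-role><role-name>usuario</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>

<!-- META-INF/context.xml, option B: keep web.xml as posted and let the realm
     accept any authenticated user (the 5.0 behaviour). docBase and path are
     dropped because they are not allowed here; debug is not a 5.5 Context attribute. -->
<Context>
  <!-- userCredCol="SENHA" is a placeholder. The post had userCredCol="NOME",
       the same column as userNameCol, so a user's name would be accepted
       as that user's password; point it at the real credential column. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         allRolesMode="authOnly"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@localhost:1521/XE"
         connectionName="saps" connectionPassword="saps"
         userTable="USUARIODOSISTEMA" userNameCol="NOME" userCredCol="SENHA"
         userRoleTable="PAPEISDOUSUARIO" roleNameCol="NOMEDOPAPEL" />
</Context>
```

With option A, a user whose only roles are not listed in web.xml still gets the 403 from the posted log; with option B any successfully authenticated user is let through, so authorization has to be enforced entirely by the application's own framework.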