Posted to users@tomcat.apache.org by Dimitris Mouchritsas <dv...@mail.daedalus.gr> on 2007/07/13 12:42:00 UTC

Tomcat cannot access the resources in an HTTPS webapp

Hi, I'm running Tomcat 6.0.13 in Windows XP SP2.
I've configured Tomcat to use SSL through the documentation instructions and
it works, since I can access the ROOT webapp from https.
The problem is a book example I'm trying. I've set up web.xml like this:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/ch13/search/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>HTTPS</auth-method>
    <realm-name>ORA Examples</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

but when I try to access say /ch13/search/search.html I get:

HTTP Status 403 - Access to the requested resource has been denied

Does this have to do with file permissions? Also, after changing some of
the file permissions I got a strange error for the webapp
from tomcat in stdout: SEVERE: Cannot configure an authenticator for
method HTTPS
which seemed to go away after a few restarts. Now I'm back to the
original question. But if anyone can tell me what this error is
I'd appreciate it.

Thank you.




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat cannot access the resources in an HTTPS webapp

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Dimitris Mouchritsas [mailto:dvm@mail.daedalus.gr] 
> Subject: Re: Tomcat cannot access the resources in an HTTPS webapp
> 
> Out of curiosity though what should I do to add tomcat user
> authentication?

Container-managed authentication is unique to the container, so refer to
the appropriate Tomcat doc:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

If you're using the default <Realm> (likely), you need to add
appropriate userid, password, and role names to conf/tomcat-users.xml,
and restart Tomcat.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



Re: Tomcat cannot access the resources in an HTTPS webapp

Posted by Dimitris Mouchritsas <dv...@mail.daedalus.gr>.
Thank you for your responses. Well, I was a bit lost in the specs but
after looking up <transport-guarantee> I got what I
wanted. Out of curiosity though what should I do to add tomcat user
authentication?
I tried adding:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>search</web-resource-name>
            <url-pattern>/ch13/search/*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        <!-- add here -->
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <!-- end add -->
    </security-constraint>
but tomcat, while asking me to log in, and I did, denied access to the
resource. Without the addition I get the https encryption
that I require.

Caldarale, Charles R wrote:
>> From: Dimitris Mouchritsas [mailto:dvm@mail.daedalus.gr] 
>> Subject: Re: Tomcat cannot access the resources in an HTTPS webapp
>>
>> So if I want a subdirectory (e.g. admin) of my webapp, or my entire
>> webapp to be accessible _only_ under https what should I do?
>>     
>
> Read section 12 of the servlet spec:
> http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html
>
> Use a combination of <url-pattern> and <transport-guarantee> (along with
> their surrounding elements, of course).
>
> Note that the Tomcat doc does not duplicate any information in the
> servlet spec; you have to read both.
>
>  - Chuck


RE: Tomcat cannot access the resources in an HTTPS webapp

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Dimitris Mouchritsas [mailto:dvm@mail.daedalus.gr] 
> Subject: Re: Tomcat cannot access the resources in an HTTPS webapp
> 
> So if I want a subdirectory (e.g. admin) of my webapp, or my entire
> webapp to be accessible _only_ under https what should I do?

Read section 12 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html

Use a combination of <url-pattern> and <transport-guarantee> (along with
their surrounding elements, of course).

Note that the Tomcat doc does not duplicate any information in the
servlet spec; you have to read both.

 - Chuck




Re: Tomcat cannot access the resources in an HTTPS webapp

Posted by Lyallex <ly...@gmail.com>.
Hi

There seems to be an awful lot of confusion on this list about
container managed security and https ... I know I was confused when I
started with it.

As I see it the two are not really connected.

I think what you want to do is to force an https request for certain
resources in your application.

One way of doing this is to add this to your security constraint

<user-data-constraint>
	<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Of course, as always, this is not the complete answer but it should
get you started.

(see http://java.sun.com/j2ee/dtds/web-app_2_2.dtd for where this goes
in web.xml)

If you were to configure the
<auth-method>FORM</auth-method> (for example)
with a suitable login form then when you attempt to access a protected
resource that has the required transport guarantee associated with it,
access to that resource will not only require a user to log in but
access to the resource itself will 'automatically' be over https.

As usual I'm sure there are other (better) ways of doing this but it
works for me.

I hope this helps.

Rgds
Duncan

On 7/16/07, Dimitris Mouchritsas <dv...@mail.daedalus.gr> wrote:
> Mark Thomas wrote:
> > Dimitris Mouchritsas wrote:
> >
> >>   <login-config>
> >>     <auth-method>HTTPS</auth-method>
> >>     <realm-name>ORA Examples</realm-name>
> >>   </login-config>
> >>
> >
> > There is no such authentication method defined in the spec. If you
> > want client certificate authentication then the correct value is
> > CLIENT-CERT.
> >
> > Mark
>
> No, I don't want client certification at the moment, only the encryption
> that https offers.
> So if I want a subdirectory (e.g. admin) of my webapp, or my entire
> webapp to be accessible
> _only_ under https what should I do?


Re: Tomcat cannot access the resources in an HTTPS webapp

Posted by Dimitris Mouchritsas <dv...@mail.daedalus.gr>.
Mark Thomas wrote:
> Dimitris Mouchritsas wrote:
>   
>>   <login-config>
>>     <auth-method>HTTPS</auth-method>
>>     <realm-name>ORA Examples</realm-name>
>>   </login-config>
>>     
>
> There is no such authentication method defined in the spec. If you
> want client certificate authentication then the correct value is
> CLIENT-CERT.
>
> Mark

No, I don't want client certification at the moment, only the encryption
that https offers.
So if I want a subdirectory (e.g. admin) of my webapp, or my entire
webapp to be accessible
_only_ under https what should I do?




Re: Tomcat cannot access the resources in an HTTPS webapp

Posted by Mark Thomas <ma...@apache.org>.
Dimitris Mouchritsas wrote:
>   <login-config>
>     <auth-method>HTTPS</auth-method>
>     <realm-name>ORA Examples</realm-name>
>   </login-config>

There is no such authentication method defined in the spec. If you
want client certificate authentication then the correct value is
CLIENT-CERT.

Mark
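
An added example, not part of any poster's message and not Tomcat code: a small Python check for the two problems raised in this thread, the undefined <auth-method> value pointed out above and a role required by <auth-constraint> that no entry in conf/tomcat-users.xml grants. Both XML samples are constructed, and parse() and lint() are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# <auth-method> values defined by the servlet spec; "HTTPS" is not among them.
VALID_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}
# Constructed sample: the thread's constraint with the original login-config.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/ch13/search/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>HTTPS</auth-method></login-config>
</web-app>"""

# Constructed sample tomcat-users.xml: no user holds the "admin" role.
USERS_XML = """<tomcat-users>
  <user username="example" password="placeholder" roles="user"/>
</tomcat-users>"""

def parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop any namespace so plain paths match
    return root

def lint(web_xml, users_xml):
    """Return findings for a web.xml / tomcat-users.xml pair (hypothetical helper)."""
    web, users, findings = parse(web_xml), parse(users_xml), []
    required = {(r.text or "").strip() for r in
                web.iterfind("security-constraint/auth-constraint/role-name")}
    method = (web.findtext("login-config/auth-method") or "").strip()
    if required and method not in VALID_AUTH_METHODS:
        findings.append(f"auth-method {method!r} is not defined by the servlet spec")
    granted = {r.strip() for u in users.iterfind("user")
               for r in u.get("roles", "").split(",")}
    for role in sorted(required - granted - {"*"}):
        findings.append(f"no user in tomcat-users.xml holds role {role!r}")
    for sc in web.iterfind("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if sc.find("auth-constraint") is not None and tg != "CONFIDENTIAL":
            findings.append("login required without CONFIDENTIAL transport")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(WEB_XML, USERS_XML)))
```

The last check covers the point made elsewhere in the thread that authentication and transport encryption are configured separately: a constraint can demand a login and still leave the transport unencrypted.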
