Posted to users@tomcat.apache.org by ed banfa <e_...@yahoo.com> on 2002/09/26 21:23:37 UTC

Help Urgently needed, Security problem

Hi,

How is everyone doing, hope ok.

I have this problem with trying to use Basic authentication with my web app. I have Tomcat 4.1.10 up and running on a Win 2000 machine using j2sdk1.4.

Tomcat is listening on port 8443 for SSL connections. I would like the browser to display a login box to the user when the user attempts to access a protected resource. When I try to check/test the app, it allows me into the restricted area without having to log in. I expect to be prompted to enter a user name and a password, but nothing like that happens. What am I doing wrong?

Please, if you can help me out, I will appreciate it.

Below is what my web.xml looks like. The manager role is the same role name I specified in tomcat-users.xml.

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>User Basic Authentication</realm-name>
  </login-config>
</web-app>

Thanks in advance 

Edward

Re: Help Urgently needed, Security problem

Posted by ed banfa <e_...@yahoo.com>.
Hey Rick,
Man ur da BOMB, yes it works!!!!! Thanks a lot.
Now it's back to da labs to see my baby (Tomcat), be right back with more questions.
Thanks bro
Edward

Re: Help Urgently needed, Security problem

Posted by Rick Fincher <rn...@tbird.com>.
Hi Ed,

You have a couple of problems.  First, you left out the user data constraint
transport guarantee tag that forces Tomcat to use HTTPS.   A security
constraint has to have 3 things: 1- the web resource collection describing
what to protect, 2- the authorization constraint describing who gets access,
and 3- the user data constraint telling how to protect it at the transport
level.  Since you mentioned that you set up port 8443 I presume you want to
use secure HTTP, so the transport guarantee has to be set to CONFIDENTIAL.
Use NONE for no encryption or INTEGRAL to prevent changes in data but not
necessarily to prevent observation of the data during transport.

One note: Port 8443 isn't the default HTTPS port.  It is the default in
Tomcat so that you can do development without interfering with the
production port.  If you don't change this to 443 you'll have to put the
port number (8443) in your web address to access this webapp.

One other thing that might cause a problem in your web.xml file:  you had
your login config out of order.  It comes before security role.  Some
parsers are picky about that.

The order from the servlet 2.3 specification is:

<!ELEMENT web-app (icon?, display-name?, description?, distributable?,
  context-param*, filter*, filter-mapping*, listener*, servlet*,
  servlet-mapping*, session-config?, mime-mapping*, welcome-file-list?,
  error-page*, taglib*, resource-env-ref*, resource-ref*,
  security-constraint*, login-config?, security-role*, env-entry*,
  ejb-ref*, ejb-local-ref*)>

A corrected web.xml file is below.  Hope this helps.

Rick

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>User Basic Authentication</realm-name>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>

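As an added check for the two problems Rick describes (example code written for this page, not code from the thread or from Tomcat): a small Python linter that parses a DTD-style, un-namespaced web.xml like Ed's, verifies that every security-constraint has its three parts with a CONFIDENTIAL transport guarantee, and verifies that the top-level elements follow the servlet 2.3 order Rick quotes. It also reports a role named in an auth-constraint that no security-role declares; that check goes beyond what the thread discusses. The two sample documents are reconstructed from the thread's own web.xml files, and the function and constant names are my own.

```python
"""
Lint a DTD-style servlet 2.3 web.xml (no XML namespace, like the one in the
thread) for the problems Rick points out: a <security-constraint> whose
<transport-guarantee> is not CONFIDENTIAL, and top-level elements out of the
DTD's order.  It also flags a role used in an <auth-constraint> that no
<security-role> declares, which the thread does not discuss.
Added example, not code from the thread or from Tomcat.
"""
import xml.etree.ElementTree as ET

# Top-level child order from the servlet 2.3 web-app DTD quoted in Rick's reply.
WEB_APP_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]


def check_element_order(root):
    """One finding per top-level element that appears after an element it must precede."""
    findings, furthest, furthest_tag = [], -1, None
    for child in root:
        if child.tag not in WEB_APP_ORDER:
            findings.append(f"unknown top-level element <{child.tag}>")
            continue
        idx = WEB_APP_ORDER.index(child.tag)
        if idx < furthest:
            findings.append(f"<{child.tag}> appears after <{furthest_tag}> but the DTD requires it before")
        else:
            furthest, furthest_tag = idx, child.tag
    return findings


def check_security_constraints(root):
    """Check each <security-constraint> for its three parts and for declared roles."""
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    findings = []
    for n, sc in enumerate(root.findall("security-constraint"), start=1):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "").strip() or f"#{n}"
        if sc.find("web-resource-collection") is None:
            findings.append(f"constraint {name}: no <web-resource-collection>, so nothing is protected")
        if sc.find("auth-constraint") is None:
            findings.append(f"constraint {name}: no <auth-constraint>, so no login is required")
        # An absent <user-data-constraint> means NONE: BASIC credentials go over plain HTTP.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip() or "NONE"
        if guarantee == "NONE":
            findings.append(f"constraint {name}: transport-guarantee is NONE or absent; "
                            "BASIC credentials and data travel in clear text")
        elif guarantee == "INTEGRAL":
            findings.append(f"constraint {name}: INTEGRAL prevents tampering but not observation; "
                            "use CONFIDENTIAL")
        for role in sc.findall("auth-constraint/role-name"):
            r = (role.text or "").strip()
            if r != "*" and r not in declared:
                findings.append(f"constraint {name}: role '{r}' is not declared in any <security-role>")
    return findings


def lint_web_xml(xml_text):
    """Return all findings for a web.xml document given as a string."""
    root = ET.fromstring(xml_text)
    if root.tag != "web-app":
        return [f"root element is <{root.tag}>, expected <web-app>"]
    return check_element_order(root) + check_security_constraints(root)


# Constructed inputs: Ed's original web.xml and Rick's corrected one, as in the thread.
_CONSTRAINT = """<security-constraint>
  <web-resource-collection><web-resource-name>Secure Area</web-resource-name>
    <url-pattern>/secure/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name><role-name>tomcat</role-name></auth-constraint>
{udc}</security-constraint>"""
_ROLE = "<security-role><role-name>manager</role-name></security-role>"
_LOGIN = ("<login-config><auth-method>BASIC</auth-method>"
          "<realm-name>User Basic Authentication</realm-name></login-config>")
ORIGINAL_WEB_XML = "<web-app>" + _CONSTRAINT.format(udc="") + _ROLE + _LOGIN + "</web-app>"
CORRECTED_WEB_XML = "<web-app>" + _CONSTRAINT.format(
    udc="  <user-data-constraint><transport-guarantee>CONFIDENTIAL"
        "</transport-guarantee></user-data-constraint>\n"
) + _LOGIN + _ROLE + "</web-app>"

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_WEB_XML), ("corrected", CORRECTED_WEB_XML)):
        print(f"{label}:")
        for finding in lint_web_xml(doc) or ["no findings"]:
            print("  -", finding)
```

Run against Ed's file it reports three findings: login-config after security-role, a missing transport guarantee, and the undeclared role "tomcat". Against Rick's corrected file only the undeclared role remains, since the corrected file still lists "tomcat" in the auth-constraint without a matching security-role.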