Posted to users@tomcat.apache.org by Thomas Hicks <hi...@theriver.com> on 2007/07/13 23:35:46 UTC

BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

I have a web application which uses BASIC authentication.

In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
the protected webapp causes the browser to pop up a login box
where username and password are entered. This works well, no
matter whether passwords are plain or SHA digested and no
matter whether I access the protected webapp using the HTTP
port or the HTTPS port. It also works with a wide variety of browsers.

Moving to Tomcat 5.5.x, however, causes the BASIC authentication
not to work anymore. The login box pops up but no username/password
combination ever allows access. The login box just clears the entries
and one is "stuck" at the login box. Again, I have tried plain and SHA
digested passwords in the tomcat-users.xml file with no luck either way.
This behavior is the same across different web browsers.

The web.xml file for the web application contains the following security
configuration portion, which enables password access in 5.0.x but
doesn't work in 5.5.x:

   <!--                                  -->
   <!-- Container-Security Configuration -->
   <!--                                  -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Reports Browser</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>

     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>

   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Protected Area</realm-name>
   </login-config>


I have searched online for answers and have reviewed the Servlet 2.4
specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
BASIC authentication is such a well....basic thing that there must be
some small change I need to make, between the Tomcat versions, to get
this to work again. Any help is greatly appreciated.
	-tom



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Thomas Hicks [mailto:hickst@theriver.com] 
> Subject: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?
> 
> The web.xml file for the web application contains the 
> following security configuration portion, which enables
> password access in 5.0.x but doesn't work in 5.5.x:

The problem is very likely not in the web.xml security declarations,
since those haven't changed (they're under control of the servlet spec,
not Tomcat).

It's most likely in your <Realm> declaration for Tomcat 5.5; check it
closely against the 5.5 documentation.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

Posted by Thomas Hicks <hi...@theriver.com>.
At 06:05 PM 7/13/2007, you wrote:

>"Thomas Hicks" <hi...@theriver.com> wrote in message
>news:7.0.1.0.2.20070713141605.0362ec00@theriver.com...
> >I have a web application which uses BASIC authentication.
> >
> > In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> > the protected webapp causes the browser to pop up a login box
> > where username and password are entered. This works well, no
> > matter whether passwords are plain or SHA digested and no
> > matter whether I access the protected webapp using the HTTP
> > port or the HTTPS port. It also works with a wide variety of browsers.
> >
> > Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> > not to work anymore. The login box pops up but no username/password
> > combination ever allows access. The login box just clears the entries
> > and one is "stuck" at the login box. Again, I have tried plain and SHA
> > digested passwords in the tomcat-users.xml file with no luck either way.
> > This behavior is the same across different web browsers.
> >
> > The web.xml file for the web application contains the following security
> > configuration portion, which enables password access in 5.0.x but
> > doesn't work in 5.5.x:
> >
> >   <!--                                  -->
> >   <!-- Container-Security Configuration -->
> >   <!--                                  -->
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>Reports Browser</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >       <role-name>*</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
>
>In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
>being treated as 'any authenticated user'.  In TC 5.5 this was fixed to mean
>'any role that is declared in a security-role'.  You can set the attribute
>allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to its
>previous behavior.

Thank you very much!
I didn't actually try reverting the behavior -- I took the other solution
implied by your crucial information; I just declared a security role in my
web.xml file, added that role to the tomcat-users.xml file and BASIC auth
works again. Thanks again for your timely response.
         regards,
         -tom


> >   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
> >   <login-config>
> >     <auth-method>BASIC</auth-method>
> >     <realm-name>Protected Area</realm-name>
> >   </login-config>
> >
> >
> > I have searched online for answers and have reviewed the Servlet 2.4
> > specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> > BASIC authentication is such a well....basic thing that there must be
> > some small change I need to make, between the Tomcat versions, to get
> > this to work again. Any help is greatly appreciated.
> > -tom






Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

Posted by Bill Barker <wb...@wilshire.com>.
"Thomas Hicks" <hi...@theriver.com> wrote in message 
news:7.0.1.0.2.20070713141605.0362ec00@theriver.com...
>I have a web application which uses BASIC authentication.
>
> In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> the protected webapp causes the browser to pop up a login box
> where username and password are entered. This works well, no
> matter whether passwords are plain or SHA digested and no
> matter whether I access the protected webapp using the HTTP
> port or the HTTPS port. It also works with a wide variety of browsers.
>
> Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> not to work anymore. The login box pops up but no username/password
> combination ever allows access. The login box just clears the entries
> and one is "stuck" at the login box. Again, I have tried plain and SHA
> digested passwords in the tomcat-users.xml file with no luck either way.
> This behavior is the same across different web browsers.
>
> The web.xml file for the web application contains the following security
> configuration portion, which enables password access in 5.0.x but
> doesn't work in 5.5.x:
>
>   <!--                                  -->
>   <!-- Container-Security Configuration -->
>   <!--                                  -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Reports Browser</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>

In TC 5.0, the special role-name '*' was incorrectly (according to the spec) 
being treated as 'any authenticated user'.  In TC 5.5 this was fixed to mean 
'any role that is declared in a security-role'.  You can set the attribute 
allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to its 
previous behavior.

>   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Protected Area</realm-name>
>   </login-config>
>
>
> I have searched online for answers and have reviewed the Servlet 2.4
> specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> BASIC authentication is such a well....basic thing that there must be
> some small change I need to make, between the Tomcat versions, to get
> this to work again. Any help is greatly appreciated.
> -tom
>
>
>




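As an added illustration of the rule Bill states above (and of the fix Tom went with), written for this page and not code from the thread or from Tomcat itself: a small Python check that reads a web.xml, resolves the special role-name '*' the way Tomcat 5.5's default does (every declared <security-role>) or the way allRolesMode="authOnly" does (any authenticated user), and reports the posted configuration as authorising nobody. The two web.xml strings are constructed for the example; the role name 'reports' is an assumption, since the thread does not say which role Tom declared.

```python
"""Audit web.xml auth-constraints for the '*' role-name pitfall (constructed example)."""
import xml.etree.ElementTree as ET

ANY_AUTHENTICATED = "<any authenticated user>"  # sentinel used for allRolesMode="authOnly"


def _local(tag):
    """Strip the XML namespace so the check works with or without the J2EE namespace."""
    return tag.rsplit("}", 1)[-1]


def declared_roles(root):
    """Collect every <security-role><role-name> declared in the web-app."""
    roles = set()
    for el in root.iter():
        if _local(el.tag) == "security-role":
            for child in el:
                if _local(child.tag) == "role-name" and child.text:
                    roles.add(child.text.strip())
    return roles


def constraint_roles(root):
    """Return (web-resource-name, [role-name, ...]) for each constraint with an <auth-constraint>."""
    out = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, roles = "(unnamed)", None
        for child in sc:
            if _local(child.tag) == "web-resource-collection":
                for grand in child:
                    if _local(grand.tag) == "web-resource-name" and grand.text:
                        name = grand.text.strip()
            elif _local(child.tag) == "auth-constraint":
                roles = [r.text.strip() for r in child
                         if _local(r.tag) == "role-name" and r.text]
        if roles is not None:
            out.append((name, roles))
    return out


def expand_star(roles, declared, all_roles_mode="strict"):
    """Resolve '*' the way the Realm does.

    strict   (Tomcat 5.5 default): '*' means every declared security-role
    authOnly (the 5.0 behaviour the thread describes): '*' means any authenticated user
    """
    allowed = set(roles) - {"*"}
    if "*" in roles:
        if all_roles_mode == "authOnly":
            allowed.add(ANY_AUTHENTICATED)
        else:
            allowed |= declared
    return allowed


def audit(web_xml, all_roles_mode="strict"):
    """Return a list of findings; an empty list means the constraints can be satisfied."""
    root = ET.fromstring(web_xml)
    declared = declared_roles(root)
    findings = []
    for name, roles in constraint_roles(root):
        allowed = expand_star(roles, declared, all_roles_mode)
        if "*" in roles and not allowed:
            findings.append(
                f"{name}: '*' with no <security-role> declared authorises nobody under "
                f"allRolesMode={all_roles_mode}; every BASIC login will be rejected")
        undeclared = sorted(r for r in roles if r != "*" and r not in declared)
        if undeclared:
            findings.append(f"{name}: roles {undeclared} are used but never declared")
    return findings


# Constructed sample mirroring the fragment posted in the thread: '*' with no <security-role>.
WEB_XML_BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Area</realm-name>
  </login-config>
</web-app>
"""

# Constructed sample of Tom's fix: declare a role (the name 'reports' is an assumption).
WEB_XML_FIXED = WEB_XML_BROKEN.replace(
    "</login-config>",
    "</login-config>\n  <security-role>\n    <role-name>reports</role-name>\n  </security-role>",
)

if __name__ == "__main__":
    for label, xml in (("broken", WEB_XML_BROKEN), ("fixed", WEB_XML_FIXED)):
        print(label, "strict:", audit(xml) or "ok")
        print(label, "authOnly:", audit(xml, "authOnly") or "ok")
```

The user named in the declared role still has to be listed with that role in tomcat-users.xml, as Tom did; the check only covers the web.xml side of the pair.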