You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Arno Schäfer <Ar...@sqs.com> on 2015/07/17 19:03:58 UTC
How to authenticate our webapp against our own relm only
Hi all,
I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp with around 1000 JSP pages and I am NOT a web developer.
I have inherited this application and all of the previous owners are no longer available. So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code and I think, that I have a basic understanding what the software is doing and how it is implemented at least.
The last days I found a lot of configuration issues and I was able to get the whole stuff running in a very downsized environment build on a standard tomcat Installation.
I got rid of all special configuration inside the server.xml, so that I was able to fix some things and do it, like it was described in the beautiful tomcat documentation and available wiki's.
That's only for some explanations, before the stupid questions may follow:
I have to use basic authentication without an own login form. The behavior I see, is that if the webapp is starting a realm instance is correctly created and initialized in my webapp, but if the first request arrive, also the tomcat itself instantiate one object of this class and took the credentials from the automatically upcoming login form (here IExplorer 11).
My understanding from reading the documentation is, that, if I configure my own realm in my context.xml (what I have done), that the webapp will use it. That seems to be ok, but why also tomcat itself instantiate an object of my custom realm and take the first request when I want to access my webapp. Therefore I have no own control about my JSessions and so my session management leaks, because I didn't got the info's from the logins, what the tomcat is doing now.
What is wrong in my configuration or in my understanding? I want be the only one, that got the requests for the authentication for my webapp.
Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section (I strip the comments and the header lines, which are unchanged):
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector acceptCount="100" connectionTimeout="200000" maxThreads="150" port="9150" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Engine defaultHost="localhost" name="Catalina">
[<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>]
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
[<Realm className="de.myproject.tomcat.realm.BITRealm" domainName="dom1" .../>]
</Host>
</Engine>
</Service>
The lines in brackets I have switched on and off in several attempts without the wished result. Without a realm definition in server.xml and only in the context.xml I have had equal results and one combination I have had one time, was that I have to authenticate twice and the first time with the data of tomcat-users.xml and the second time with my own one.
Is it possible that there is some more configured in some of the web.xml's or other directories in WEB-INF, what cause this behavior? I have searched there for some words like security, realm, userdatabase and so on, but have found nothing.
Hopefully I have explained my problem as good as I know and somebody see my point :)
Thanks in advance, best regards,
mit freundlichen Grüßen
Arno
_________________________________________________________
SQS hat bei den AIM Awards 2014 zum zweiten Mal die begehrte
Auszeichnung "International Company of the Year" erhalten. <http://www.sqs.com/portal/news/de/pressemitteilungen-aim-awards-international-company-of-the-year.php>
Vorsitzender des Aufsichtsrats: David Bellin
Vorstand: Diederik Vos (CEO) ? Ralph Gillessen (COO) ? René Gawron (CFO)
SQS AG ? Stollwerckstraße 11 ? 51149 Köln
Sitz der Gesellschaft: Köln ? Amtsgericht Köln, HRB 12764
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient
(or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.
Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Re: How to authenticate our webapp against our own relm only
Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-07-17 20:03 GMT+03:00 Arno Schäfer <Ar...@sqs.com>:
> Hi all,
>
> I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp with around 1000 JSP pages and I am NOT a web developer.
>
> I have inherited this application and all of the previous owners are no longer available. So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code and I think, that I have a basic understanding what the software is doing and how it is implemented at least.
> The last days I found a lot of configuration issues and I was able to get the whole stuff running in a very downsized environment build on a standard tomcat Installation.
> I got rid of all special configuration inside the server.xml, so that I was able to fix some things and do it, like it was described in the beautiful tomcat documentation and available wiki's.
>
> That's only for some explanations, before the stupid questions may follow:
>
> I have to use basic authentication without an own login form. The behavior I see, is that if the webapp is starting a realm instance is correctly created and initialized in my webapp, but if the first request arrive, also the tomcat itself instantiate one object of this class and took the credentials from the automatically upcoming login form (here IExplorer 11).
>
> My understanding from reading the documentation is, that, if I configure my own realm in my context.xml (what I have done), that the webapp will use it. That seems to be ok, but why also tomcat itself instantiate an object of my custom realm and take the first request when I want to access my webapp. Therefore I have no own control about my JSessions and so my session management leaks, because I didn't got the info's from the logins, what the tomcat is doing now.
>
> What is wrong in my configuration or in my understanding? I want be the only one, that got the requests for the authentication for my webapp.
>
> Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section (I strip the comments and the header lines, which are unchanged):
>
[....]
Several comments:
1) Authentication is performed by an Auntenticator (a kind of Valve),
not by a Realm. Realm is essentially just a user/password database
interface used by an authenticator.
There is one Realm per container (exposed as Container.getRealm()). If
none is configured then default implementation returns the one from
parent Container.
Normally there is at most one authenticator. If there is no
Authenticator valve in your context, but your webapp's web.xml
declares that an authentication is needed, Tomcat creates an
authenticator and inserts it into chain (pipeline) of valves in your
context.
If by some mistake there are several authenticators in a pipeline, all
of them will be active, just like any other valves.
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Authentication
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
2) What context.xml file have you edited?
A usual mistake is to edit the global "conf/context.xml" file. That
file provides defaults for all web applications deployed on Tomcat.
You need to edit the file for your own web application.
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Felix,
On 7/21/15 11:13 AM, Felix Schumacher wrote:
>
>
> Am 21. Juli 2015 17:50:43 MESZ, schrieb Arno
> <ar...@sqs.com>:
>> Christopher Schultz <chris <at> christopherschultz.net> writes:
>>> Accessing a protected resource triggers an authorization check,
>>> which also required authentication. Some realms cache
>>> authentication information while others do not. The
>>> authenticator is a Valve which uses the Realm to perform the
>>> authentication and gather authorization information (e.g.
>>> roles). If the user isn't authenticated, then they are
>>> challenged for credentials (login form, SSL client
>>> certificate, HTT BASIC/DIGEST auth, etc.) and the credentials
>>> they provide are
>> then
>>> fed back into the realm to authenticate the user. Then the
>>> roles are checked for authorization.
>>
>> ok, thanks for this explanation, that's makes it more clear for
>> me. One more question about "...Accessing a protected
>> resource..." Which resources are protected is decided by what
>> kind of configuration? Because I do nothing special for this, I
>> think that my configuration is using the normal defaults for
>> BASIC authentification. Perhaps there is some potential space to
>> increase performance by disable this authentification for a lot
>> of request types.
>
> You have to look in the web.xml of your webapp. Google for
> security-constraints. Newer servlet api versions are able to set
> those through annotation also.
>
>>
>> Because I will have some issues with the administration of my
>> session handling, can I also influence the JSESSION generation
>> with such kind of configuration or is this done by the used
>> browser only? Background for this question: Now I recognize, when
>> I open a new instance of f.e. an IExplorer with my home url, this
>> new instance use the same JSESSION id, what the parallel running
>> instance is also using. Is it possible to configure this in the
>> tomcat instance or couldn't I influence this behaviour?
>
> That is a feature of ie. It will share is cookies with all
> windows.
>
> If you don't want to use cookies for the authentication (session),
> you can use the cookies attribute on the context of your webapp.
> See
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Attributes
.
>
> Alternatively you can use different browsers, different instances
> of browsers that don't share their jar of cookies or use different
> dns names or ip's and this creating different cookie domains.
+1
Also, some browsers have modes where they don't share cookies, etc.
with other windows. Google Chrome for example calls this "Incognito"
and it can run a "normal" window next to an "incognito" one. Mozilla
Firefox has a mode that doesn't persist anything to the disk, but you
can't run it side-by-side with another "normal" window, you have to
quit and re-start ff to switch modes.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVroBYAAoJEBzwKT+lPKRY3gsQAJf7Y/m363962K/DRmCM2vkv
k21yy8uxBfLmGr16V5aAoONjAZIQYyJQ1gU1XIoKi70m4aefVz6gCTiV/eSG45wM
gWmQBptjr2XEmR+PED3N9PBlHhnoUML4czUMZzPfZGpFEbiv3/W0eDitO8EHaw7Z
BgGOUwVcdZFq/3lBZA3bahOKF00e3jVhcJIwup23mcfm+SN0anvNUqD46ptqguZ5
YH5daTM1iovTDIOYD1tMSpGBXkCBR9jqP7kAjz88THJbSXdCELjqOosHIhndVnnz
jYFDS1C8MKSNXvilMNr4yJAFjgQtUAENvZlcxbvHQYmb7OO8R2Sh8PbIf/jGb2p1
e+8Tilpn1nJ4+gTVlbZ/5ohcwgUsjZc+O5kgEbjCCQ9Ox1GpYF0m2SXTcbUjbRmR
4Ffbh8bbAaUEP/ABh0vt0pDGVpkUZr+SOyNhgXQhuOJy4hCZ/QZK4e9Kal4e9odP
mxSw8jdpF2pSP/HtYGAFVopz9/zzGyQE30likBOa6/MUyN6pveWaK6D6wVBWo7PR
aUt7tQ/mhgN/HQu2mhCduBHxnzcbXyrx0vsAsC4y4unpvF/98XLxE17h0lDVseTD
BQaHkaYvYdw9k9654TZ6pedlJMAF4eHVPLqrQznvvG0pU/im5b0emfHdrvFMev33
mT6vupZqoSU/aztzWGOT
=OvvC
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Felix Schumacher <fe...@internetallee.de>.
Am 21. Juli 2015 17:50:43 MESZ, schrieb Arno <ar...@sqs.com>:
>Christopher Schultz <chris <at> christopherschultz.net> writes:
>> Accessing a protected resource triggers an authorization check, which
>> also required authentication. Some realms cache authentication
>> information while others do not. The authenticator is a Valve which
>> uses the Realm to perform the authentication and gather authorization
>> information (e.g. roles). If the user isn't authenticated, then they
>> are challenged for credentials (login form, SSL client certificate,
>> HTT BASIC/DIGEST auth, etc.) and the credentials they provide are
>then
>> fed back into the realm to authenticate the user. Then the roles are
>> checked for authorization.
>
>ok, thanks for this explanation, that's makes it more clear for me. One
>more
>question about "...Accessing a protected resource..."
>Which resources are protected is decided by what kind of configuration?
>Because I do nothing special for this, I think that my configuration is
>using the normal defaults for BASIC authentification.
>Perhaps there is some potential space to increase performance by
>disable
>this authentification for a lot of request types.
You have to look in the web.xml of your webapp. Google for security-constraints. Newer servlet api versions are able to set those through annotation also.
>
>Because I will have some issues with the administration of my session
>handling, can I also influence the JSESSION generation with such kind
>of
>configuration or is this done by the used browser only?
>Background for this question: Now I recognize, when I open a new
>instance of
>f.e. an IExplorer with my home url, this new instance use the same
>JSESSION
>id, what the parallel running instance is also using. Is it possible to
>configure this in the tomcat instance or couldn't I influence this
>behaviour?
That is a feature of ie. It will share is cookies with all windows.
If you don't want to use cookies for the authentication (session), you can use the cookies attribute on the context of your webapp. See http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Attributes.
Alternatively you can use different browsers, different instances of browsers that don't share their jar of cookies or use different dns names or ip's and this creating different cookie domains.
Regards,
Felix
PS. If you have new questions, you should open new discussions by sending new mails with new titles.
>
>kind regards
>Arno
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Arno <ar...@sqs.com>.
Christopher Schultz <chris <at> christopherschultz.net> writes:
> Accessing a protected resource triggers an authorization check, which
> also required authentication. Some realms cache authentication
> information while others do not. The authenticator is a Valve which
> uses the Realm to perform the authentication and gather authorization
> information (e.g. roles). If the user isn't authenticated, then they
> are challenged for credentials (login form, SSL client certificate,
> HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then
> fed back into the realm to authenticate the user. Then the roles are
> checked for authorization.
ok, thanks for this explanation, that's makes it more clear for me. One more
question about "...Accessing a protected resource..."
Which resources are protected is decided by what kind of configuration?
Because I do nothing special for this, I think that my configuration is
using the normal defaults for BASIC authentification.
Perhaps there is some potential space to increase performance by disable
this authentification for a lot of request types.
Because I will have some issues with the administration of my session
handling, can I also influence the JSESSION generation with such kind of
configuration or is this done by the used browser only?
Background for this question: Now I recognize, when I open a new instance of
f.e. an IExplorer with my home url, this new instance use the same JSESSION
id, what the parallel running instance is also using. Is it possible to
configure this in the tomcat instance or couldn't I influence this behaviour?
kind regards
Arno
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Arno,
On 7/21/15 10:05 AM, Arno wrote:
> Felix Schumacher <felix.schumacher <at> internetallee.de> writes:
>> I think tomcat will always inject a realm into to host when it
>> finds none.
> But that realm should not interfere
>> with your requests to your webapp.
>
> You are right, and I see, that I have misinterpreted my debugger
> sessions. Our realm contains an additinal class, that contain the
> access methods to our server against we have to authenticate. So
> the realm does a lot of things what are not neccessary on the
> webserver side at the moment. So I have written now my own small
> method, what only make the autentification and all things was ok
> afterwards.
>
> By the way, what I haven't realy understood, is how and when this
> realm is called, after a request reached the connector. What I
> didn't understand also is what actions or what content of the
> request triggers the realm to do anything.
Accessing a protected resource triggers an authorization check, which
also required authentication. Some realms cache authentication
information while others do not. The authenticator is a Valve which
uses the Realm to perform the authentication and gather authorization
information (e.g. roles). If the user isn't authenticated, then they
are challenged for credentials (login form, SSL client certificate,
HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then
fed back into the realm to authenticate the user. Then the roles are
checked for authorization.
> Perhaps you have a hint or a link for me, where I can see which
> control flow a request have, before he arrived my first filter. I
> haven't found the right documents for this til now.
The Filter stage is too late, because all of this is done in Valves
before any webapp-specific code is invoked.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVrmOxAAoJEBzwKT+lPKRYxucP+gJnYSOUdbmUjgLTRfx6Z8RJ
0L3EyQBqDJL+9/Jv6a+dxiQmLLUN+2Xl1vSsQVpKtqcr20CssDspDGjmL6lOewr7
9cd/YzxiSeTNz+MbB7wfziWfW3qyK15w/gEuOShvfdDBD3U/NcGsL6WtN+ydQYDp
kFWR7VbW1GuprjY+4fsNq/xPo8HxxD9KuC+GwoV+0p4NtgNkLxesXIUIz4QVriPn
TTy3EPwIMVKzDsMH+aMBbJ78x0aWik4j6PKFoXLTEzAT4KGMS2+w7TQ3+CkjUOtX
Hgi5bAF1hQ1/PKSALs2QiLzBTxDOkv725SqXiW7d0nwcoH+bT3O4hqSZzWlQYG3r
3OyoYVb+3jX6gJNfh3zvU5aPADL1jzhad1Mcn6FhE32MvKMihhJ0j96tKqleznje
EKjFYI5ULURQIZzbcQtaZY+/L2vUfk4Bt/bZhSeBQbSwPCyTiiUH8FVB8BPMGLmI
eaF4nBuQEuHh9jI9MslDfYEM7HLiYltAFlWJsU39h5Wnx/64b6yH7/L+TokgbwqD
NrJfvk8Lwk4q+6XPgWcB9HiUPU88ByjkrZ/YaKhAoIH1yI0XDViUQwmlJvbfIxk4
SbCOEKXdxaec6G1vjmc1RqUTSaSaJ47R9D1WBKMw5oRvEtrJvS3s7fpgXp/T7GpZ
LB6V01Eu5sIjCj2ZVL5P
=FoC0
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Arno <ar...@sqs.com>.
Felix Schumacher <felix.schumacher <at> internetallee.de> writes:
> I think tomcat will always inject a realm into to host when it finds none.
But that realm should not interfere
> with your requests to your webapp.
You are right, and I see, that I have misinterpreted my debugger sessions.
Our realm contains an additinal class, that contain the access methods to
our server against we have to authenticate. So the realm does a lot of
things what are not neccessary on the webserver side at the moment. So I
have written now my own small method, what only make the autentification and
all things was ok afterwards.
By the way, what I haven't realy understood, is how and when this realm is
called, after a request reached the connector. What I didn't understand also
is what actions or what content of the request triggers the realm to do
anything.
Perhaps you have a hint or a link for me, where I can see which control flow
a request have, before he arrived my first filter. I haven't found the right
documents for this til now.
kind regards
Arno
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Felix Schumacher <fe...@internetallee.de>.
Am 17. Juli 2015 19:03:58 MESZ, schrieb "Arno Schäfer" <Ar...@sqs.com>:
>Hi all,
>
>I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System,
>maintaining our webapp with around 1000 JSP pages and I am NOT a web
>developer.
>
>I have inherited this application and all of the previous owners are no
>longer available. So the last 2months I do a lot of reading and
>debugging the whole bunch of java and jsp code and I think, that I have
>a basic understanding what the software is doing and how it is
>implemented at least.
>The last days I found a lot of configuration issues and I was able to
>get the whole stuff running in a very downsized environment build on a
>standard tomcat Installation.
>I got rid of all special configuration inside the server.xml, so that I
>was able to fix some things and do it, like it was described in the
>beautiful tomcat documentation and available wiki's.
>
>That's only for some explanations, before the stupid questions may
>follow:
>
>I have to use basic authentication without an own login form. The
>behavior I see, is that if the webapp is starting a realm instance is
>correctly created and initialized in my webapp, but if the first
>request arrive, also the tomcat itself instantiate one object of this
>class and took the credentials from the automatically upcoming login
>form (here IExplorer 11).
I think tomcat will always inject a realm into to host when it finds none. But that realm should not interfere with your requests to your webapp.
Where have you defined your own realm?
How many andwhich webapps do you have?
Have you looked at the access logs to see whether the requests all are directed entirely at your webapp and not some other?
Regards,
Felix
>
>My understanding from reading the documentation is, that, if I
>configure my own realm in my context.xml (what I have done), that the
>webapp will use it. That seems to be ok, but why also tomcat itself
>instantiate an object of my custom realm and take the first request
>when I want to access my webapp. Therefore I have no own control about
>my JSessions and so my session management leaks, because I didn't got
>the info's from the logins, what the tomcat is doing now.
>
>What is wrong in my configuration or in my understanding? I want be the
>only one, that got the requests for the authentication for my webapp.
>
>Here are my server.xml, it only contain one Realm line of our realm in
>the 'Host' section (I strip the comments and the header lines, which
>are unchanged):
>
> <GlobalNamingResources>
><Resource name="UserDatabase" auth="Container"
>type="org.apache.catalina.UserDatabase" description="User database that
>can be updated and saved"
>factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>pathname="conf/tomcat-users.xml"/>
> </GlobalNamingResources>
>
> <Service name="Catalina">
><Connector acceptCount="100" connectionTimeout="200000"
>maxThreads="150" port="9150" protocol="HTTP/1.1" redirectPort="8443"/>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> <Engine defaultHost="localhost" name="Catalina">
> [<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>]
>
><Host appBase="webapps" autoDeploy="true" name="localhost"
>unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
>[<Realm className="de.myproject.tomcat.realm.BITRealm"
>domainName="dom1" .../>]
> </Host>
> </Engine>
> </Service>
>
>The lines in brackets I have switched on and off in several attempts
>without the wished result. Without a realm definition in server.xml and
>only in the context.xml I have had equal results and one combination I
>have had one time, was that I have to authenticate twice and the first
>time with the data of tomcat-users.xml and the second time with my own
>one.
>
>Is it possible that there is some more configured in some of the
>web.xml's or other directories in WEB-INF, what cause this behavior? I
>have searched there for some words like security, realm, userdatabase
>and so on, but have found nothing.
>
>Hopefully I have explained my problem as good as I know and somebody
>see my point :)
>
>Thanks in advance, best regards,
>mit freundlichen Grüßen
>Arno
>
>_________________________________________________________
>
>SQS hat bei den AIM Awards 2014 zum zweiten Mal die begehrte
>Auszeichnung "International Company of the Year" erhalten.
><http://www.sqs.com/portal/news/de/pressemitteilungen-aim-awards-international-company-of-the-year.php>
>
>Vorsitzender des Aufsichtsrats: David Bellin
>Vorstand: Diederik Vos (CEO) ? Ralph Gillessen (COO) ? René Gawron
>(CFO)
>SQS AG ? Stollwerckstraße 11 ? 51149 Köln
>Sitz der Gesellschaft: Köln ? Amtsgericht Köln, HRB 12764
>
>This e-mail may contain confidential and/or privileged information. If
>you are not the intended recipient
>(or have received this e-mail in error) please notify the sender
>immediately and destroy this e-mail.
>Any unauthorised copying, disclosure or distribution of the material in
>this e-mail is strictly forbidden.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Arno <ar...@sqs.com>.
Mark Eggers <its_toasted <at> yahoo.com.INVALID> writes:
> It looks like one of the prior developers wrote a custom Realm. Was
> this application written to run on a prior version of Tomcat (Tomcat
> 6, for example)? If so, the custom Realm may not work with Tomcat 7.
> You would have to look at the javadoc for
Thanks Mark for this hint, it leads me to the problem, what we have had in
our realm and after rewritting some older stuff I have had corrected the
behaviour of our webapp and all the misinterpreted debugging stuff was away
kind regards
Arno
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Posted by Mark Eggers <it...@yahoo.com.INVALID>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Arno,
Welcome to Tomcat!
First of all, thanks for providing all of the background.
Second of all, thanks for doing all of this hard work.
Third of all, I'm probably not going to be as much help as many other
people here will be, but I'll give it a shot.
Comments are inline.
On 7/17/2015 10:03 AM, Arno Schäfer wrote:
> Hi all,
>
> I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1
> System, maintaining our webapp with around 1000 JSP pages and I am
> NOT a web developer.
>
> I have inherited this application and all of the previous owners
> are no longer available. So the last 2months I do a lot of reading
> and debugging the whole bunch of java and jsp code and I think,
> that I have a basic understanding what the software is doing and
> how it is implemented at least. The last days I found a lot of
> configuration issues and I was able to get the whole stuff running
> in a very downsized environment build on a standard tomcat
> Installation. I got rid of all special configuration inside the
> server.xml, so that I was able to fix some things and do it, like
> it was described in the beautiful tomcat documentation and
> available wiki's.
>
> That's only for some explanations, before the stupid questions may
> follow:
>
> I have to use basic authentication without an own login form. The
> behavior I see, is that if the webapp is starting a realm instance
> is correctly created and initialized in my webapp, but if the first
> request arrive, also the tomcat itself instantiate one object of
> this class and took the credentials from the automatically upcoming
> login form (here IExplorer 11).
>
> My understanding from reading the documentation is, that, if I
> configure my own realm in my context.xml (what I have done), that
> the webapp will use it.
Yes, if you place the Realm definition in context.xml, then only that
particular web application will use it. If you place the Realm
definition in a <Host> element, then all applications for that host
will use it. Finally, if you place the Realm definition inside the
<Engine> element, all virtual hosts inside that Engine will use it.
> That seems to be ok, but why also tomcat itself instantiate an
> object of my custom realm and take the first request when I want
> to access my webapp. Therefore I have no own control about my
> JSessions and so my session management leaks, because I didn't got
> the info's from the logins, what the tomcat is doing now.
>
> What is wrong in my configuration or in my understanding? I want be
> the only one, that got the requests for the authentication for my
> webapp.
>
> Here are my server.xml, it only contain one Realm line of our realm
> in the 'Host' section (I strip the comments and the header lines,
> which are unchanged):
>
I am going to assume that you have all of the Service and Valve
elements that come with the stock server.xml in your file.
> <GlobalNamingResources> <Resource name="UserDatabase"
> auth="Container" type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml"/> </GlobalNamingResources>
>
> <Service name="Catalina"> <Connector acceptCount="100"
> connectionTimeout="200000" maxThreads="150" port="9150"
> protocol="HTTP/1.1" redirectPort="8443"/> <Connector port="8009"
> protocol="AJP/1.3" redirectPort="8443"/> <Engine
> defaultHost="localhost" name="Catalina"> [<Realm
> className="org.apache.catalina.realm.UserDatabaseRealm"/>]
>
> <Host appBase="webapps" autoDeploy="true" name="localhost"
> unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
> [<Realm className="de.myproject.tomcat.realm.BITRealm"
> domainName="dom1" .../>] </Host> </Engine> </Service>
>
> The lines in brackets I have switched on and off in several
> attempts without the wished result. Without a realm definition in
> server.xml and only in the context.xml I have had equal results
> and one combination I have had one time, was that I have to
> authenticate twice and the first time with the data of
> tomcat-users.xml and the second time with my own one.
It looks like one of the prior developers wrote a custom Realm. Was
this application written to run on a prior version of Tomcat (Tomcat
6, for example)? If so, the custom Realm may not work with Tomcat 7.
You would have to look at the javadoc for
https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/Realm.h
tml
And compare it to:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/Realm.h
tml
In order for a custom Realm to work, you have to place the JAR file
containing that implementation in %CATALINA_HOME%\lib.
My first reaction is that this has not been done, but you said that
you were able to authenticate at least once.
>
> Is it possible that there is some more configured in some of the
> web.xml's or other directories in WEB-INF, what cause this
> behavior? I have searched there for some words like security,
> realm, userdatabase and so on, but have found nothing.
>
> Hopefully I have explained my problem as good as I know and
> somebody see my point :)
Here's an (admittedly outdated) link concerning Realms. In particular,
take a look at the Cascading and Combined Realms sections.
http://wiki.apache.org/tomcat/TomcatDataSourceRealms
It almost looks like the custom Realm is not being used. My two
guesses about that are (and they are guesses):
1. The custom Realm was written against a prior version of Tomcat and
may no longer work
2. JAR file containing the custom Realm is not in %CATALINA_HOME%\lib
>
> Thanks in advance, best regards, mit freundlichen Grüßen Arno
I hope this is of some use.
. . . just my two cents
/mde/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJVqUKQAAoJEEFGbsYNeTwt3mwH/1XsFPlKTB64O02OssSotI19
kQ2hgerkhY+jkYWjkzLT/A0NRtJepp2zYNY+9JistTelz/F/9PYW6KcKU7g6xOq1
hO9mDipEFsDhbprwGPox1Ag1iUsAQX2l6J0AohxP8tA4D/cFm/iYxzhHO09Y6K+z
8W522croQq37magnMztR2y/IOa3AJ8gpSakeWinAi1gRbo6OLUcvDJv+QcysQvHl
9Q4pRO+O1xNBa0w2UxRURErvIBaxym5r0cRY4I6Qk9ZAoYPQRnk7ghALknQ2wbvl
LCsnodtimSIGpEdLSYq0XEyap8KAcxuaMkpb+ezqc5HLT8SKVfQ0DqUg2/MgnAc=
=q6OZ
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org