Posted to users@tomcat.apache.org by Erik Rumppe <er...@library.berkeley.edu> on 2008/08/26 21:03:07 UTC

Authentication Issues

Hello All,

I am having a very difficult time using Tomcat authentication.  Here is 
the situation:

For right now I am using BASIC authentication.  There are 3 roles 
defined in the tomcat-users.xml file.  To access different areas of my 
application requires different levels of roles.  I want my users to be 
able to click on a link and if they don't meet the role requirement have 
the Authentication Requested login box pop-up so someone with the proper 
level of access can simply login right there and go to the requested 
screen.  Instead of this happening all I get is an HTTP error page 
saying that the requested resource is protected.  The user then has to 
close their browser and re-open it to log in as another user with a 
different role.  It would make sense to me that Tomcat has a way of 
handling this issue, but I can't for the life of me find it.  HELP!!!!

I have also tried to simply implement a logout function that removes the 
current session and (supposedly) deletes the persistent cookie and 
presents the user with a screen that has a link to a page that requires 
a login.  It should (IMHO) present them with the login box once they 
click the link since the session and cookie were removed, but it 
doesn't.  I've monitored the Tomcat sessions through the manager 
application and I know that the session is being removed for sure but it 
doesn't seem that the cookie is being removed.  Here is the code for the 
utility that removes the session and cookie:

package logic;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CookieUtil extends HttpServlet
{
  protected void doGet(HttpServletRequest request,
            HttpServletResponse response)
            throws ServletException, IOException
  {
    // Only invalidate an existing session; getSession() with no argument
    // would create a fresh one just to throw it away.
    HttpSession session = request.getSession(false);
    if (session != null) {
      session.invalidate();
    }

    // Cookies read from the request are copies.  Changing their max age does
    // nothing unless the modified cookie is added to the response, so the
    // browser actually receives a Set-Cookie header that expires it.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++) {
        Cookie cookie = new Cookie(cookies[i].getName(), "");
        cookie.setMaxAge(0); // expire immediately
        // path must match the one the cookie was set with (the context path)
        String ctx = request.getContextPath();
        cookie.setPath(ctx.length() == 0 ? "/" : ctx);
        response.addCookie(cookie);
      }
    }

    response.sendRedirect("loggedout.vm");
  }
}


I'm using Tomcat 6 with the VRaptor and Velocity frameworks. 

If anyone can help me with this it would be greatly appreciated!

Erik Rumppe
PAII
University of California, Berkeley - LSO

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Authentication Issues

Posted by Mark Thomas <ma...@apache.org>.
Erik Rumppe wrote:
> For right now I am using BASIC authentication.  There are 3 roles
> defined in the tomcat-users.xml file.  To access different areas of my
> application requires different levels of roles.  I want my users to be
> able to click on a link and if they don't meet the role requirement have
> the Authentication Requested login box pop-up so someone with the proper
> level of access can simply login right there and go to the requested
> screen.  Instead of this happening all I get is an HTTP error page
> saying that the requested resource is protected.  The user then has to
> close their browser and re-open it to log in as another user with a
> different role.  It would make sense to me that Tomcat has a way of
> handling this issue, but I can't for the life of me find it.  HELP!!!!

There is no way built in to handle this since this is how BASIC
authentication is meant to work.

> I have also tried to simply implement a logout function that removes the
> current session and (supposedly) deletes the persistent cookie and
> presents the user with a screen that has a link to a page that requires
> a login.  It should (IMHO) present them with the login box once they
> click the link since the session and cookie were removed, but it
> doesn't.  I've monitored the Tomcat sessions through the manager
> application and I know that the session is being removed for sure but it
> doesn't seem that the cookie is being removed.  Here is the code for the
> utility that removes the session and cookie:

The cookie isn't relevant. The root cause is that the browser is caching
the credentials and presenting them along with all requests.

There are some hacks to get around this but they aren't pretty.
See https://issues.apache.org/bugzilla/show_bug.cgi?id=44299 for a summary.

I never did get around to implementing any of them. It is still on the todo
list.

You could also look at switching to form authentication.

Mark
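As an added illustration of the "switch to form authentication" suggestion above (this is not configuration from the original thread or from the Tomcat project), here is a web.xml fragment that moves the application from BASIC to FORM authentication. With FORM, the credentials live in the server-side session rather than in the browser's credential cache, so invalidating the session really does log the user out, and the next request to a protected URL redirects to the login page where a different user can sign in. The role names (viewer, editor, admin), the URL patterns, and the page names are assumptions for the example; the form action j_security_check and the field names j_username and j_password are the names fixed by the Servlet specification.

```xml
<!-- Added example: web.xml fragment, not from the original thread.
     Role names, URL patterns and page names are assumed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         version="2.5">

  <!-- BEFORE (what the thread describes): browser caches the credentials
       and re-sends them on every request, so "logout" has no effect.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application</realm-name>
  </login-config>
  -->

  <!-- AFTER: FORM authentication. The login state is held in the HttpSession,
       so session.invalidate() ends it and the user is prompted again. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- One constraint per area; each area lists the roles allowed in.
       Three roles as in the original question (names assumed). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Read-only area</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>viewer</role-name>
      <role-name>editor</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Editing area</web-resource-name>
      <url-pattern>/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>editor</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role referenced above must be declared, and must also exist
       in tomcat-users.xml for the UserDatabaseRealm to grant it. -->
  <security-role><role-name>viewer</role-name></security-role>
  <security-role><role-name>editor</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

</web-app>
```

The login page itself only needs a form that POSTs to j_security_check with fields named j_username and j_password; Tomcat handles the check and redirects back to the originally requested URL. Note that a logged-in user who lacks the role for a URL still receives a 403 rather than a new login prompt under FORM as well, because that is an authorization failure, not an authentication failure; the difference is that a logout link that invalidates the session now works, so the user can return to the login page and sign in with an account that has the required role.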


