Posted to users@tomcat.apache.org by Sachin Mehrotra <ge...@gmail.com> on 2012/02/16 13:30:22 UTC

Basic Authentication Valve not hitting on Tomcat7.0.20

Hi

After upgrade from Tomcat 6 to Tomcat 7.0.20, our Basic Authentication
valve is not hitting. It seems it is overlooking our implementation of
Basic Authentication.
Below is the implementation:
We are having Realm that is doing authentication using our
authentication server. Before that we are having a Valve defined in
/META-INF/context.xml that is doing some pre-authentication based on
the token defined in the HTTPS request.
If the token matches our criteria then Realm is hitting for actual Auth.

This was working fine when Tomcat 6 was there and we were able to see
the logging coming that was added to our Implementation of Basic
Authenticator.

Please help.

-- 
With Regards
Sachin Mehrotra

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Pid <pi...@pidster.com>.
On 17/02/2012 17:56, Michela, Andrew J (LABOR) wrote:
> I am sorry this code was in the web.xml NOT server.xml

Please don't top post.

Are you actually replying to someone else's thread with your own
problem?  Or are you also known as "Sachin Mehrotra"?


p

> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
> Sent: Friday, February 17, 2012 11:07 AM
> To: Tomcat Users List
> Subject: RE: Basic Authentication Valve not hitting on Tomcat7.0.20
> 
>> From: Michela, Andrew J (LABOR) [mailto:Andrew.Michela@labor.ny.gov] 
>> Subject: RE: Basic Authentication Valve not hitting on Tomcat7.0.20
> 
>> I have that in the server.xml(see below) still no luck. 
>>    <security-constraint>
> 
> ??? Please read the servlet spec and the Tomcat doc, and show us where there's even a hint about putting <security-constraint> in server.xml.  Security configuration goes into each webapp's WEB-INF/web.xml, as clearly stated in the docs.
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
> 


-- 

[key:62590808]


RE: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by "Michela, Andrew J (LABOR)" <An...@labor.ny.gov>.
I am sorry this code was in the web.xml NOT server.xml

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, February 17, 2012 11:07 AM
To: Tomcat Users List
Subject: RE: Basic Authentication Valve not hitting on Tomcat7.0.20

> From: Michela, Andrew J (LABOR) [mailto:Andrew.Michela@labor.ny.gov] 
> Subject: RE: Basic Authentication Valve not hitting on Tomcat7.0.20

> I have that in the server.xml(see below) still no luck. 
>    <security-constraint>

??? Please read the servlet spec and the Tomcat doc, and show us where there's even a hint about putting <security-constraint> in server.xml.  Security configuration goes into each webapp's WEB-INF/web.xml, as clearly stated in the docs.

 - Chuck




RE: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Michela, Andrew J (LABOR) [mailto:Andrew.Michela@labor.ny.gov] 
> Subject: RE: Basic Authentication Valve not hitting on Tomcat7.0.20

> I have that in the server.xml(see below) still no luck. 
>    <security-constraint>

??? Please read the servlet spec and the Tomcat doc, and show us where there's even a hint about putting <security-constraint> in server.xml.  Security configuration goes into each webapp's WEB-INF/web.xml, as clearly stated in the docs.

 - Chuck




RE: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by "Michela, Andrew J (LABOR)" <An...@labor.ny.gov>.
I have that in the server.xml (see below) still no luck.
   <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>secure</web-resource-name>
         <web-resource-name>Restricted Access - Get Only</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>role1</role-name>
      </auth-constraint>
   </security-constraint>

   <!-- Default login configuration uses form-based authentication -->
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Management Reports</realm-name>
      <form-login-config>
         <form-login-page>/index.jsp</form-login-page>
         <form-error-page>/errorpage.jsp</form-error-page>
      </form-login-config>
   </login-config>

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, February 17, 2012 10:50 AM
To: Tomcat Users List
Subject: Re: Basic Authentication Valve not hitting on Tomcat7.0.20


Michael,

On 2/16/12 2:28 PM, Michela, Andrew J (LABOR) wrote:
> I have that in the server.xml still no luck

You have *what* in server.xml, and what does "no luck" mean?

Did you reply to the wrong thread?

- -chris



Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Michael,

On 2/16/12 2:28 PM, Michela, Andrew J (LABOR) wrote:
> I have that in the server.xml still no luck

You have *what* in server.xml, and what does "no luck" mean?

Did you reply to the wrong thread?

- -chris


RE: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by "Michela, Andrew J (LABOR)" <An...@labor.ny.gov>.
I have that in the server.xml still no luck
   <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>secure</web-resource-name>
         <web-resource-name>Restricted Access - Get Only</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>role1</role-name>
      </auth-constraint>
   </security-constraint>

   <!-- Default login configuration uses form-based authentication -->
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Management Reports</realm-name>
      <form-login-config>
         <form-login-page>/index.jsp</form-login-page>
         <form-error-page>/errorpage.jsp</form-error-page>
      </form-login-config>
   </login-config>

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Thursday, February 16, 2012 1:59 PM
To: Tomcat Users List
Subject: Re: Basic Authentication Valve not hitting on Tomcat7.0.20

2012/2/16 Christopher Schultz <ch...@christopherschultz.net>:
>
> On 2/16/12 8:26 AM, Sachin Mehrotra wrote:
>> <login-config> <auth-method>BASIC</auth-method> <realm-name>My App 
>> Realm</realm-name> </login-config>
>
> I believe if you set <auth-method> to BASIC, Tomcat will add its own 
> Valve to the valve chain. If you don't set the <auth-method> here but 
> still add your <Valve> to context.xml, does that improve things?
>

IIRC Tomcat would not add Authenticator valve if one is already there, so this tip is useless.

Anyway you can always run Tomcat under debugger (see FAQ ->
Development) and see what really is going on.

Best regards,
Konstantin Kolinko



Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/2/16 Christopher Schultz <ch...@christopherschultz.net>:
>
> On 2/16/12 8:26 AM, Sachin Mehrotra wrote:
>> <login-config> <auth-method>BASIC</auth-method> <realm-name>My App
>> Realm</realm-name> </login-config>
>
> I believe if you set <auth-method> to BASIC, Tomcat will add its own
> Valve to the valve chain. If you don't set the <auth-method> here but
> still add your <Valve> to context.xml, does that improve things?
>

IIRC Tomcat would not add Authenticator valve if one is already there,
so this tip is useless.

Anyway you can always run Tomcat under debugger (see FAQ ->
Development) and see what really is going on.

Best regards,
Konstantin Kolinko



Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sachin,

On 2/16/12 8:26 AM, Sachin Mehrotra wrote:
> <login-config> <auth-method>BASIC</auth-method> <realm-name>My App
> Realm</realm-name> </login-config>

I believe if you set <auth-method> to BASIC, Tomcat will add its own
Valve to the valve chain. If you don't set the <auth-method> here but
still add your <Valve> to context.xml, does that improve things?

- -chris


Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Pid <pi...@pidster.com>.
On 16/02/2012 13:26, Sachin Mehrotra wrote:
> Do your logs indicate your custom authenticator is active or does it
> throw an error?
> ANS-->>> tomcat logs and other logs don't show any exception or even
> traces added in the valve class. In Tomcat 6 we are able to see logs
> added in our implementation of AuthenticatorBase class.
> 
> 
> How had you configured the authenticator to work in Tomcat 6.0?
> ANS-->>>
> In Server.xml we have defined Realm under Engine
> 
>  <Realm className="com.xyz.platform.realm.Realm"
> realmPluginClass="com.xyz.org.realm.MyRealmPlugin"/>
>     </Engine>



> In Web.xml of the application we have defined following
> 
> <security-constraint>
>                 <web-resource-collection>
>                         <web-resource-name>Web application
> name</web-resource-name>
>                         <description>Simple constraint for web
> resources</description>
>                         <url-pattern>/*</url-pattern>
>                         <http-method>HEAD</http-method>
>                         <http-method>POST</http-method>
>                         <http-method>GET</http-method>
>                         <http-method>PUT</http-method>
>                         <http-method>DELETE</http-method>
>                 </web-resource-collection>
>                 <auth-constraint>
>                         <description>Simple constraint</description>
>                         <role-name>app-user</role-name>
>                 </auth-constraint>
>                 <user-data-constraint>
>                         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>                 </user-data-constraint>
>         </security-constraint>
> 
>         <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>My App Realm</realm-name>
>         </login-config>

Does BASIC authentication happen at all, or is this config ignored?


> In context.xml inside META-INF of the application we have defined Valve
> 
> <Context path="/myapp" docBase="myapp" debug="0" privileged="true">

path isn't valid here.
docBase isn't valid here.
debug isn't a valid attribute.

Why do you need privileged set to true?

>         <ResourceLink name="tomcatHelper" global="MyTomcatHelper"
> type="com.my.app.tools.tomcat.MyTomcatHelper" />
>         <Valve className="com.my.realm.valve.AuthenticationValve"
> characterEncoding="UTF-8"/>

What happens if you remove this valve?


p

> </Context>


> ----------------------------------------------------------------------------------------
> The same is present in Tomcat 7.0.20 but the AuthenticationValve is not hitting.
> 
> One more thing that we have observed is that in
> CATALINA_HOME/conf/Catalina/localhost/ directory in 7.0.20 we are not
> having any xml while in Tomcat 6 we are having application context.xml
> like files.
> 
> 
> Thanks
> Sachin
> 
> 
> On 2/16/12, Pid <pi...@pidster.com> wrote:
>> On 16/02/2012 12:30, Sachin Mehrotra wrote:
>>> Hi
>>>
>>> After upgrade from Tomcat 6 to Tomcat 7.0.20, our Basic Authentication
>>> valve is not hitting. It seems it is overlooking our implementation of
>>> Basic Authentication.
>>> Below is the implementation:
>>> We are having Realm that is doing authentication using our
>>> authentication server. Before that we are having a Valve defined in
>>> /META-INF/context.xml that is doing some pre-authentication based on
>>> the token defined in the HTTPS request.
>>> If the token matches our criteria then Realm is hitting for actual Auth.
>>>
>>> This was working fine when Tomcat 6 was there and we were able to see
>>> the logging coming that was added to our Implementation of Basic
>>> Authenticator.
>>
>> There's no guarantee that the internals of Tomcat remain the same
>> between releases.
>>
>> Do your logs indicate your custom authenticator is active or does it
>> throw an error?
>>
>> How had you configured the authenticator to work in Tomcat 6.0?
>>
>>
>> p
>>
>>
>>
>> --
>>
>> [key:62590808]
>>
>>
> 
> 


-- 

[key:62590808]
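
The two configuration points raised in this thread (security elements belong in each webapp's WEB-INF/web.xml rather than server.xml; path, docBase and debug are flagged on <Context> in META-INF/context.xml) can be checked mechanically before a migrated application is deployed. The Python check below is an added example, not part of any message in the thread or of Tomcat itself; the function names and the sample XML strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes the reply flags on <Context> in META-INF/context.xml.
FLAGGED_CONTEXT_ATTRS = ("path", "docBase", "debug")
# Servlet-spec security elements; per the thread they go in WEB-INF/web.xml.
WEBAPP_SECURITY_ELEMENTS = ("security-constraint", "login-config")


def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}web-app'."""
    return tag.rsplit("}", 1)[-1]


def lint_context_xml(text):
    """Return (findings, valve_class_names) for a META-INF/context.xml."""
    root = ET.fromstring(text)
    findings = ["<Context> attribute '%s' is flagged as not valid here" % a
                for a in FLAGGED_CONTEXT_ATTRS if a in root.attrib]
    valves = [e.get("className") for e in root.iter()
              if _local(e.tag) == "Valve"]
    return findings, valves


def lint_server_xml(text):
    """Return web.xml-only security elements that appear in server.xml."""
    root = ET.fromstring(text)
    return sorted({_local(e.tag) for e in root.iter()
                   if _local(e.tag) in WEBAPP_SECURITY_ELEMENTS})


def summarize_web_xml(text):
    """Return (auth_method, protected_url_patterns) declared in web.xml."""
    auth, patterns = None, []
    for e in ET.fromstring(text).iter():
        name = _local(e.tag)
        if name == "auth-method":
            auth = (e.text or "").strip()
        elif name == "security-constraint":
            # Only url-patterns inside a constraint are protected resources.
            patterns += [(u.text or "").strip() for u in e.iter()
                         if _local(u.tag) == "url-pattern"]
    return auth, patterns


# Constructed samples modelled on the fragments quoted in the thread.
CONTEXT_XML = """<Context path="/myapp" docBase="myapp" debug="0" privileged="true">
  <Valve className="com.my.realm.valve.AuthenticationValve" characterEncoding="UTF-8"/>
</Context>"""

SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Realm className="com.xyz.platform.realm.Realm"/>
  <security-constraint><auth-constraint><role-name>role1</role-name>
  </auth-constraint></security-constraint>
</Engine></Service></Server>"""

WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>r</servlet-name>
    <url-pattern>/report</url-pattern></servlet-mapping>
  <security-constraint><web-resource-collection>
    <url-pattern>/*</url-pattern></web-resource-collection></security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    print(lint_context_xml(CONTEXT_XML))
    print(lint_server_xml(SERVER_XML))
    print(summarize_web_xml(WEB_XML))
```

The Valve class names are returned rather than judged, since whether a custom valve acts as the context's authenticator cannot be determined from the XML alone.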


Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Sachin Mehrotra <ge...@gmail.com>.
Do your logs indicate your custom authenticator is active or does it
throw an error?
ANS-->>> tomcat logs and other logs don't show any exception or even
traces added in the valve class. In Tomcat 6 we are able to see logs
added in our implementation of AuthenticatorBase class.


How had you configured the authenticator to work in Tomcat 6.0?
ANS-->>>
In Server.xml we have defined Realm under Engine

    <Realm className="com.xyz.platform.realm.Realm"
           realmPluginClass="com.xyz.org.realm.MyRealmPlugin"/>
</Engine>

In Web.xml of the application we have defined following

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Web application name</web-resource-name>
        <description>Simple constraint for web resources</description>
        <url-pattern>/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Simple constraint</description>
        <role-name>app-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My App Realm</realm-name>
</login-config>


In context.xml inside META-INF of the application we have defined Valve

<Context path="/myapp" docBase="myapp" debug="0" privileged="true">
    <ResourceLink name="tomcatHelper" global="MyTomcatHelper"
                  type="com.my.app.tools.tomcat.MyTomcatHelper" />
    <Valve className="com.my.realm.valve.AuthenticationValve"
           characterEncoding="UTF-8"/>
</Context>
----------------------------------------------------------------------------------------
The same is present in Tomcat 7.0.20 but the AuthenticationValve is not hitting.

One more thing that we have observed is that in
CATALINA_HOME/conf/Catalina/localhost/ directory in 7.0.20 we are not
having any xml while in Tomcat 6 we are having application context.xml
like files.


Thanks
Sachin


On 2/16/12, Pid <pi...@pidster.com> wrote:
> On 16/02/2012 12:30, Sachin Mehrotra wrote:
>> Hi
>>
>> After upgrade from Tomcat 6 to Tomcat 7.0.20, our Basic Authentication
>> valve is not hitting. It seems it is overlooking our implementation of
>> Basic Authentication.
>> Below is the implementation:
>> We are having Realm that is doing authentication using our
>> authentication server. Before that we are having a Valve defined in
>> /META-INF/context.xml that is doing some pre-authentication based on
>> the token defined in the HTTPS request.
>> If the token matches our criteria then Realm is hitting for actual Auth.
>>
>> This was working fine when Tomcat 6 was there and we were able to see
>> the logging coming that was added to our Implementation of Basic
>> Authenticator.
>
> There's no guarantee that the internals of Tomcat remain the same
> between releases.
>
> Do your logs indicate your custom authenticator is active or does it
> throw an error?
>
> How had you configured the authenticator to work in Tomcat 6.0?
>
>
> p
>
>
>
> --
>
> [key:62590808]
>
>


-- 
With Regards
Sachin Mehrotra



Re: Basic Authentication Valve not hitting on Tomcat7.0.20

Posted by Pid <pi...@pidster.com>.
On 16/02/2012 12:30, Sachin Mehrotra wrote:
> Hi
> 
> After upgrade from Tomcat 6 to Tomcat 7.0.20, our Basic Authentication
> valve is not hitting. It seems it is overlooking our implementation of
> Basic Authentication.
> Below is the implementation:
> We are having Realm that is doing authentication using our
> authentication server. Before that we are having a Valve defined in
> /META-INF/context.xml that is doing some pre-authentication based on
> the token defined in the HTTPS request.
> If the token matches our criteria then Realm is hitting for actual Auth.
> 
> This was working fine when Tomcat 6 was there and we were able to see
> the logging coming that was added to our Implementation of Basic
> Authenticator.

There's no guarantee that the internals of Tomcat remain the same
between releases.

Do your logs indicate your custom authenticator is active or does it
throw an error?

How had you configured the authenticator to work in Tomcat 6.0?


p



-- 

[key:62590808]