Posted to users@tomcat.apache.org by Johannes Michler <jo...@promatis.de> on 2016/10/01 17:50:01 UTC

Fwd: No longer able to use my own org.apache.catalina.authenticator.BasicAuthenticator in Tomcat 8.5.5

Hi,

for our own web-application we overwrite the standard way of how Tomcat
BasicAuthenticator is working in order to avoid the popup of a
"Basic-Auth-Dialog" in some situations (where we're calling a service
provided by the tomcat over a script). Therefore our context.xml in the app
looks as follows:

<Context cookies="false">
    <Valve className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator" />
</Context>

HorusTomcatBasicAuthenticator is implemented as follows:
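package biz.horus.database.server.servletscript;

import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Authenticator;
import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;

public class HorusTomcatBasicAuthenticator extends BasicAuthenticator implements Authenticator {

    // Run the standard Basic authentication, then adjust the challenge header.
    @Override
    public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
        System.out.println( "XXXX start out");
        boolean result = super.authenticate( request, response);
        System.out.println( "XXXX authenticate: " + result);
        modifyResponse( request, response);
        return result;
    }

    // For paths under /rest, replace the WWW-Authenticate value with a custom scheme name.
    private void modifyResponse( Request request, HttpServletResponse response) {
        String url = request.getPathInfo(); // null when the request has no extra path info
        System.out.println( "XX URL=" + url);
        System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
        if ( response.getHeader( AUTH_HEADER_NAME) != null && url != null && url.startsWith( "/rest"))
            response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
    }

}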


This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5 that
code in "authenticate" is no longer called. Instead it seems that the
"standard" BasicAuthenticator is being used.

However if I entirely remove my jar-file that contains
HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting an
error.

Any ideas on that? I've looked into the tomcat 8.5 migration guide but
could not find any hints on changed behaviour. Also when comparing the
Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.

Or would it be better to address this with dev@tomcat.apache.org since it
might as well be a bug?

Or is there a more elegant way to solve this problem to not reply with
"WWW-Authenticate: Basic" if authentication is not successful?

Any help would be highly appreciated,

BR
Johannes



-- 

______________________________________________________________
Johannes Michler -- Senior Principal Consultant
PROMATIS software GmbH
Pforzheimer Str. 160
76275 Ettlingen, Deutschland
Tel.: +49 7243 2179 0 -- Fax: +49 7243 2179 99
mailto: johannes.michler@promatis.de
Knowledge powered business processes: www.promatis.de
______________________________________________________________

Registered office: Ettlingen
Court of registration: Mannheim, HRB 361772
Managing directors: Dr. Frank Schönthaler, Rainer Mann, Michael Mohl

Re: Fwd: No longer able to use my own org.apache.catalina.authenticator.BasicAuthenticator in Tomcat 8.5.5

Posted by Mark Thomas <ma...@apache.org>.
On 03/10/2016 14:20, Johannes Michler wrote:
> Hi Mark,
> 
> Thanks a lot for pointing out. Indeed I relied too much that I did not get
> any faults and didn't check that part. I'll try with the renamed method
> tomorrow, but I'm quite sure that will solve the issue.

Great.

> Regarding returning http 403 you suggest to do that in our custom
> basicauthenticator as well, correct? But this would still require us to
> install a tomcat version specific library globally, wouldn't it?

It would. I don't see a way to avoid this with custom code at this point.

Mark


> 
> Br
> Johannes
> 
> On 03.10.2016 15:01, "Mark Thomas" <ma...@apache.org> wrote:
> 
> On 01/10/2016 18:50, Johannes Michler wrote:
>> Hi,
>>
>> for our own web-application we overwrite the standard way of how Tomcat
>> BasicAuthenticator is working in order to avoid the popup of a
>> "Basic-Auth-Dialog" in some situations (where we're calling a service
>> provided by the tomcat over a script). Therefore our context.xml in the
>> app looks as follows:
>>
>> <Context cookies="false">
>>     <Valve className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator" />
>> </Context>
>>
>> HorusTomcatBasicAuthenticator is implemented as follows:
>> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator implements Authenticator {
>>
>>     @Override
>>     public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
>>         System.out.println( "XXXX start out");
>>         boolean result = super.authenticate( request, response);
>>         System.out.println( "XXXX authenticate: " + result);
>>         modifyResponse( request, response);
>>         return result;
>>     }
>>
>>     private void modifyResponse( Request request, HttpServletResponse response) {
>>         String url = request.getPathInfo(); // null when the request has no extra path info
>>         System.out.println( "XX URL=" + url);
>>         System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
>>         if ( response.getHeader( AUTH_HEADER_NAME) != null && url != null && url.startsWith( "/rest"))
>>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>>     }
>>
>> }
>>
>>
>> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
>> that code in "authenticate" is no longer called. Instead it seems that
>> the "standard" BasicAuthenticator is being used.
>>
>> However if I entirely remove my jar-file that contains
>> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
>> an error.
>>
>> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
>> could not find any hints on changed behaviour.
> 
> 
> <quote>
> Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
> there have been many changes at the detail level and they are not binary
> compatible. Developers of custom components that interact with Tomcat's
> internals should review the JavaDoc for the relevant API.
> </quote>
> 
> ->
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html
> 
> and
> 
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/BasicAuthenticator.html
> 
> 
> Of particular note will be changes related to authenticate() and
> doAuthenticate().
> 
> 
>> Also when comparing the
>> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
>>
>> Or would it be better to address this with dev@tomcat.apache.org
>> <ma...@tomcat.apache.org> since it might as well be a bug?
> 
> No. The users list is the right place for this.
> 
>> Or is there a more elegant way to solve this problem to not reply with
>> "WWW-Authenticate: Basic" if authentication is not successful?
> 
> Maybe just change the status code to 403?
> 
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 




Re: Fwd: No longer able to use my own org.apache.catalina.authenticator.BasicAuthenticator in Tomcat 8.5.5

Posted by Johannes Michler <jo...@promatis.de>.
Hi Mark,

Thanks a lot for pointing out. Indeed I relied too much that I did not get
any faults and didn't check that part. I'll try with the renamed method
tomorrow, but I'm quite sure that will solve the issue.

Regarding returning http 403 you suggest to do that in our custom
basicauthenticator as well, correct? But this would still require us to
install a tomcat version specific library globally, wouldn't it?

Br
Johannes

On 03.10.2016 15:01, "Mark Thomas" <ma...@apache.org> wrote:

On 01/10/2016 18:50, Johannes Michler wrote:
> Hi,
>
> for our own web-application we overwrite the standard way of how Tomcat
> BasicAuthenticator is working in order to avoid the popup of a
> "Basic-Auth-Dialog" in some situations (where we're calling a service
> provided by the tomcat over a script). Therefore our context.xml in the
> app looks as follows:
>
> <Context cookies="false">
>     <Valve className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator" />
> </Context>
>
> HorusTomcatBasicAuthenticator is implemented as follows:
> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator implements Authenticator {
>
>     @Override
>     public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
>         System.out.println( "XXXX start out");
>         boolean result = super.authenticate( request, response);
>         System.out.println( "XXXX authenticate: " + result);
>         modifyResponse( request, response);
>         return result;
>     }
>
>     private void modifyResponse( Request request, HttpServletResponse response) {
>         String url = request.getPathInfo(); // null when the request has no extra path info
>         System.out.println( "XX URL=" + url);
>         System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
>         if ( response.getHeader( AUTH_HEADER_NAME) != null && url != null && url.startsWith( "/rest"))
>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>     }
>
> }
>
>
> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
> that code in "authenticate" is no longer called. Instead it seems that
> the "standard" BasicAuthenticator is being used.
>
> However if I entirely remove my jar-file that contains
> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
> an error.
>
> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
> could not find any hints on changed behaviour.


<quote>
Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
there have been many changes at the detail level and they are not binary
compatible. Developers of custom components that interact with Tomcat's
internals should review the JavaDoc for the relevant API.
</quote>

->
http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html

and

http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/BasicAuthenticator.html


Of particular note will be changes related to authenticate() and
doAuthenticate().


> Also when comparing the
> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
>
> Or would it be better to address this with dev@tomcat.apache.org
> <ma...@tomcat.apache.org> since it might as well be a bug?

No. The users list is the right place for this.

> Or is there a more elegant way to solve this problem to not reply with
> "WWW-Authenticate: Basic" if authentication is not successful?

Maybe just change the status code to 403?

Mark



Re: Fwd: No longer able to use my own org.apache.catalina.authenticator.BasicAuthenticator in Tomcat 8.5.5

Posted by Mark Thomas <ma...@apache.org>.
On 01/10/2016 18:50, Johannes Michler wrote:
> Hi,
> 
> for our own web-application we overwrite the standard way of how Tomcat
> BasicAuthenticator is working in order to avoid the popup of a
> "Basic-Auth-Dialog" in some situations (where we're calling a service
> provided by the tomcat over a script). Therefore our context.xml in the
> app looks as follows:
> 
> <Context cookies="false">
>     <Valve className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator" />
> </Context>
>
> HorusTomcatBasicAuthenticator is implemented as follows:
> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator implements Authenticator {
>
>     @Override
>     public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
>         System.out.println( "XXXX start out");
>         boolean result = super.authenticate( request, response);
>         System.out.println( "XXXX authenticate: " + result);
>         modifyResponse( request, response);
>         return result;
>     }
>
>     private void modifyResponse( Request request, HttpServletResponse response) {
>         String url = request.getPathInfo(); // null when the request has no extra path info
>         System.out.println( "XX URL=" + url);
>         System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
>         if ( response.getHeader( AUTH_HEADER_NAME) != null && url != null && url.startsWith( "/rest"))
>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>     }
>
> }
> 
> 
> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
> that code in "authenticate" is no longer called. Instead it seems that
> the "standard" BasicAuthenticator is being used.
> 
> However if I entirely remove my jar-file that contains
> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
> an error.
> 
> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
> could not find any hints on changed behaviour.


<quote>
Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
there have been many changes at the detail level and they are not binary
compatible. Developers of custom components that interact with Tomcat's
internals should review the JavaDoc for the relevant API.
</quote>

->
http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html

and

http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/BasicAuthenticator.html


Of particular note will be changes related to authenticate() and
doAuthenticate().


> Also when comparing the
> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
> 
> Or would it be better to address this with dev@tomcat.apache.org
> <ma...@tomcat.apache.org> since it might as well be a bug?

No. The users list is the right place for this.

> Or is there a more elegant way to solve this problem to not reply with
> "WWW-Authenticate: Basic" if authentication is not successful?

Maybe just change the status code to 403?

Mark
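
Added example, not part of the original thread and not Tomcat project code: the poster's authenticator moved to the doAuthenticate() hook that the reply above points to, for compilation against Tomcat 8.5. The class name, the "/rest" prefix and the "HCP_BASIC" value come from the original post; the constant and helper names are made up for this sketch, and it has not been run against the poster's application.

```java
package biz.horus.database.server.servletscript;

import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * Tomcat 8.5 variant of the custom authenticator from the original post.
 * The customisation sits in doAuthenticate(), the protected hook that
 * BasicAuthenticator implements in 8.5, instead of in authenticate().
 */
public class HorusTomcatBasicAuthenticator extends BasicAuthenticator {

    // Values taken from the original post; the constant names are illustrative.
    private static final String REST_PREFIX = "/rest";
    private static final String CUSTOM_SCHEME = "HCP_BASIC";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        // Let the stock Basic authenticator validate credentials first.
        // On failure it sets the WWW-Authenticate challenge header.
        boolean authenticated = super.doAuthenticate(request, response);
        relabelChallenge(request, response);
        return authenticated;
    }

    // Replaces the Basic challenge for script calls under /rest so that a
    // browser does not open its Basic auth dialog. Does nothing when the
    // superclass set no challenge (for example after a successful login).
    private void relabelChallenge(Request request, HttpServletResponse response) {
        String path = request.getPathInfo(); // null when there is no extra path info
        if (path != null
                && path.startsWith(REST_PREFIX)
                && response.getHeader(AUTH_HEADER_NAME) != null) {
            response.setHeader(AUTH_HEADER_NAME, CUSTOM_SCHEME);
        }
    }
}
```

After an upgrade, an unauthenticated request to a path under /rest should come back with "WWW-Authenticate: HCP_BASIC"; a plain "Basic" challenge there means the custom hook is not being invoked.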

