Posted to users@tomcat.apache.org by Tom Lager <tl...@vc.fortdearborn.com> on 2000/10/11 21:54:45 UTC

Craig - BASIC Authentication

Hi Craig,

Let's say that my context is called "secure" and I want everything
in this context protected.  So the URL
http://localhost:8080/secure/index.html
would cause the form-based login to appear.

Now the problem is that the <form-login-page> and <form-error-page>
attributes cannot reside within the secure context or an infinite loop of
authentication will occur because you need to be authenticated before you
can see these pages...

So I tried to put these pages in the ROOT context by saying

	<form-login-page>../login.jsp</form-login-page>
	<form-error-page>../error.jsp</form-error-page>

and then I successfully got the login form page to display... however when I
submitted the form Tomcat Complained (Standard Output) saying

No handler for request R( + j_security_check + null) 401

so it seems that the pages used to display the login form cannot reside
outside the context they are to protect... I'm using Tomcat 3.2b4.. do you
have any solution for this other than putting it in the web.xml for ROOT
and making /secure NOT a context??

Thanks,

Tom Lager



-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Friday, October 06, 2000 2:40 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: BASIC Authentication


Micky Mimo wrote:

> What is not working is that no authentication page is coming up prompting me
> for a login and password. The context-relative path is
> http://localhost:8080/secure/index.html . This path does not pop up an
> authentication dialog. The logical path is /usr/local/tomcat/webapps/secure
>

And here is where your problem is.  The security constraint you originally
posted will work if you put it in the root context's web.xml, and there is
no "/secure" webapp.

>
> I put the web.xml in /usr/local/tomcat/webapps/secure/WEB-INF/web.xml
>

In other words, your *context path* is "/secure", right?  If you want to
protect everything in this web app, use a context-relative URL pattern like
this:

    <url-pattern>/*</url-pattern>

Remember, the "context relative" part that you put into the url pattern
starts *after* the context path.

>
> I want the index.html in /usr/local/tomcat/webapps/secure to prompt the user
> for a login dialog box.
>
> Eventually I will want this to function outside of the tomcat directory.
> Such as /home/me/secure
>

You would do this by configuring a <Context> entry in the server.xml file,
something like this:

    <Context path="/secure"
        docBase="/home/me/secure"
        debug="0"
        reloadable="true"
        trusted="false"/>

and the URL pattern would still remain "/*" to protect all of this webapp.

>
> /===============================\
> | Micky Mimo                    |

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat



RE: Craig - BASIC Authentication

Posted by Tom Lager <tl...@vc.fortdearborn.com>.
Thanks, I'll switch to 4.0 to fix this problem!

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Wednesday, October 11, 2000 4:10 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Craig - BASIC Authentication


Tom Lager wrote:

> Hi Craig,
>
> Let's say that my context is called "secure" and I want everything
> in this context protected.  So the URL
> http://localhost:8080/secure/index.html
> would cause the form-based login to appear.
>

So you would propose to use a URL pattern like "/*" in your security
constraint, right?

>
> Now the problem is that the <form-login-page> and <form-error-page>
> attributes cannot reside within the secure context or an infinite loop of
> authentication will occur because you need to be authenticated before you
> can see these pages...
>

This should work fine in 4.0 because I put a bunch of special cases to take
care of it.  I haven't tried it in 3.2.

What version are you testing with?

>
> So I tried to put these pages in the ROOT context by saying
>
>         <form-login-page>../login.jsp</form-login-page>
>         <form-error-page>../error.jsp</form-error-page>
>
> and then I successfully got the login form page to display... however when I
> submitted the form Tomcat Complained (Standard Output) saying
>
> No handler for request R( + j_security_check + null) 401
>
> so it seems that the pages used to display the login form cannot reside
> outside the context they are to protect... I'm using Tomcat 3.2b4.. do you
> have any solution for this other than putting it in the web.xml for ROOT
> and making /secure NOT a context??
>

Any attempt to go "above" the directory space of your web application using
".." should fail, because such actions are disallowed.

>
> Thanks,
>
> Tom Lager
>

Craig




Re: Craig - BASIC Authentication

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Tom Lager wrote:

> Hi Craig,
>
> Let's say that my context is called "secure" and I want everything
> in this context protected.  So the URL
> http://localhost:8080/secure/index.html
> would cause the form-based login to appear.
>

So you would propose to use a URL pattern like "/*" in your security constraint,
right?

>
> Now the problem is that the <form-login-page> and <form-error-page>
> attributes
> cannot reside within the secure context or an infinite loop of
> authentication will
> occur because you need to be authenticated before you can see these pages...
>

This should work fine in 4.0 because I put a bunch of special cases to take care
of it.  I haven't tried it in 3.2.

What version are you testing with?

>
> So I tried to put these pages in the ROOT context by saying
>
>         <form-login-page>../login.jsp</form-login-page>
>         <form-error-page>../error.jsp</form-error-page>
>
> and then I successfully got the login form page to display... however when I
> submitted the form Tomcat Complained (Standard Output) saying
>
> No handler for request R( + j_security_check + null) 401
>
> so it seems that the pages used to display the login form cannot reside
> outside
> the context they are to protect... I'm using Tomcat 3.2b4.. do you have any
> solution
> for this other than putting it in the web.xml for ROOT and making /secure
> NOT a context??
>

Any attempt to go "above" the directory space of your web application using ".."
should fail, because such actions are disallowed.

>
> Thanks,
>
> Tom Lager
>

Craig
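
The configuration this thread converges on, as an added example that is not part of the original messages: a WEB-INF/web.xml for the web app mounted at /secure that protects everything with "/*" and names the login and error pages by context-relative paths inside the same web app, the arrangement Craig says 4.0 handles. The role name "member", the resource name and the omitted DOCTYPE are assumptions; login.jsp and error.jsp are the file names from Tom's message.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Constructed example: WEB-INF/web.xml of the web app whose context
     path is /secure. Add the DOCTYPE for your servlet spec version.
     The role name "member" and the resource name are assumptions. -->
<web-app>

  <!-- Protect every resource in this web app. The pattern is matched
       after the context path, so "/*" covers /secure/index.html and
       everything else under /secure. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire secure application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Not "../login.jsp": a path with ".." tries to leave the web
           app, which is disallowed; on 3.2b4 that attempt ended with
           "No handler for request" and a 401 for j_security_check. -->
      <!-- Context-relative, leading "/", inside this web app. The form
           in login.jsp submits to j_security_check in this context. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced by the auth-constraint above. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```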