Posted to users@tomcat.apache.org by Micky Mimo <mi...@truexchange.com> on 2000/10/06 20:47:12 UTC

BASIC Authentication

I have tried setting up Basic Authentication for tomcat and can not seem to
get it to work on directories that are not part of the basic install. It
works fine when I set this up with the /ROOT directory. I have read through
the news groups and have not found a solution to this problem. Although, I
see a lot of similar problems. Do I need to do more with the other xml files
in the conf directory. I am running tomcat 3.2 beta4. I can not get this to
work on 3.1 as well. My web.xml looks like the following.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/secure/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin</realm-name>
    </login-config>


</web-app>

/===============================\
| Micky Mimo                    |
| Systems Specialist            |
| (781) 869 - 3677   ext.505    |
| micky@truexchange.com         |
\===============================/



RE: Craig - BASIC Authentication

Posted by Tom Lager <tl...@vc.fortdearborn.com>.
Thanks, I'll switch to 4.0 to fix this problem!

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Wednesday, October 11, 2000 4:10 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Craig - BASIC Authentication


Tom Lager wrote:

> Hi Craig,
>
> Let's say that my context is called "secure" and I want everything
> in this context protected.  So the URL
> http://localhost:8080/secure/index.html
> would cause the form base login to appear.
>

So you would propose to use a URL pattern like "/*" in your security constraint,
right?

>
> Now the problem is that the <form-login-page> and <form-error-page>
> attributes
> cannot reside within the secure context or an infinite loop of
> authentication will
> occur because you need to be authenticated before you can see these pages...
>

This should work fine in 4.0 because I put a bunch of special cases to take care
of it.  I haven't tried it in 3.2.

What version are you testing with?

>
> So I tried to put these pages in the ROOT context by saying
>
>         <form-login-page>../login.jsp</form-login-page>
>         <form-error-page>../error.jsp</form-error-page>
>
> and then I successfully got the login form page to display... however when I
> submitted the form Tomcat Complained (Standard Output) saying
>
> No handler for request R( + j_security_check + null) 401
>
> so it seems that the pages used to display the login form cannot reside
> outside
> the context they are to protect... I'm using Tomcat 3.2b4.. do you have any
> solution
> for this other than putting it in the web.xml for ROOT and making /secure
> NOT a context??
>

Any attempt to go "above" the directory space of your web application using ".."
should fail, because such actions are disallowed.

>
> Thanks,
>
> Tom Lager
>

Craig

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat



Re: Craig - BASIC Authentication

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Tom Lager wrote:

> Hi Craig,
>
> Let's say that my context is called "secure" and I want everything
> in this context protected.  So the URL
> http://localhost:8080/secure/index.html
> would cause the form base login to appear.
>

So you would propose to use a URL pattern like "/*" in your security constraint,
right?

>
> Now the problem is that the <form-login-page> and <form-error-page>
> attributes
> cannot reside within the secure context or an infinite loop of
> authentication will
> occur because you need to be authenticated before you can see these pages...
>

This should work fine in 4.0 because I put a bunch of special cases to take care
of it.    I haven't tried it in 3.2.

What version are you testing with?

>
> So I tried to put these pages in the ROOT context by saying
>
>         <form-login-page>../login.jsp</form-login-page>
>         <form-error-page>../error.jsp</form-error-page>
>
> and then I successfully got the login form page to display... however when I
> submitted the form Tomcat Complained (Standard Output) saying
>
> No handler for request R( + j_security_check + null) 401
>
> so it seems that the pages used to display the login form cannot reside
> outside
> the context they are to protect... I'm using Tomcat 3.2b4.. do you have any
> solution
> for this other than putting it in the web.xml for ROOT and making /secure
> NOT a context??
>

Any attempt to go "above" the directory space of your web application using ".."
should fail, because such actions are disallowed.

>
> Thanks,
>
> Tom Lager
>

Craig




Craig - BASIC Authentication

Posted by Tom Lager <tl...@vc.fortdearborn.com>.
Hi Craig,

Let's say that my context is called "secure" and I want everything
in this context protected.  So the URL
http://localhost:8080/secure/index.html
would cause the form base login to appear.

Now the problem is that the <form-login-page> and <form-error-page>
attributes
cannot reside within the secure context or an infinite loop of
authentication will
occur because you need to be authenticated before you can see these pages...

So I tried to put these pages in the ROOT context by saying

	<form-login-page>../login.jsp</form-login-page>
	<form-error-page>../error.jsp</form-error-page>

and then I successfully got the login form page to display... however when I
submitted the form Tomcat Complained (Standard Output) saying

No handler for request R( + j_security_check + null) 401

so it seems that the pages used to display the login form cannot reside
outside
the context they are to protect... I'm using Tomcat 3.2b4.. do you have any
solution
for this other than putting it in the web.xml for ROOT and making /secure
NOT a context??

Thanks,

Tom Lager



-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Friday, October 06, 2000 2:40 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: BASIC Authentication


Micky Mimo wrote:

> What is not working is that no authentication page is coming up prompting me
> for a login and password. The context-relative path is
> http://localhost:8080/secure/index.html . This path does not pop up an
> authentication dialog. The logical path is /usr/local/tomcat/webapps/secure
>

And here is where your problem is.  The security constraint you originally
posted will work if you put it in the root context's web.xml, and there is no
"/secure" webapp.

>
> I put the web.xml in /usr/local/tomcat/webapps/secure/WEB-INF/web.xml
>

In other words, your *context path* is "/secure", right?  If you want to protect
everything in this web app, use a context-relative URL pattern like this:

    <url-pattern>/*</url-pattern>

Remember, the "context relative" part that you put into the url pattern starts
*after* the context path.

>
> I want the index.html in /usr/local/tomcat/webapps/secure to prompt the user
> for a login dialog box.
>
> Eventually I will want this to function outside of the tomcat directory.
> Such as /home/me/secure
>

You would do this by configuring a <Context> entry in the server.xml file,
something like this:

    <Context path="/secure"
        docBase="/home/me/secure"
        debug="0"
        reloadable="true"
        trusted="false"/>

and the URL pattern would still remain "/*" to protect all of this webapp.

>
> /===============================\
> | Micky Mimo                    |

Craig McClanahan




Re: BASIC Authentication

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Micky Mimo wrote:

> What is not working is that no authentication page is coming up prompting me
> for a login and password. The context-relative path is
> http://localhost:8080/secure/index.html . This path does not pop up an
> authentication dialog. The logical path is /usr/local/tomcat/webapps/secure
>

And here is where your problem is.  The security constraint you originally
posted will work if you put it in the root context's web.xml, and there is no
"/secure" webapp.

>
> I put the web.xml in /usr/local/tomcat/webapps/secure/WEB-INF/web.xml
>

In other words, your *context path* is "/secure", right?  If you want to protect
everything in this web app, use a context-relative URL pattern like this:

    <url-pattern>/*</url-pattern>

Remember, the "context relative" part that you put into the url pattern starts
*after* the context path.

>
> I want the index.html in /usr/local/tomcat/webapps/secure to prompt the user
> for a login dialog box.
>
> Eventually I will want this to function outside of the tomcat directory.
> Such as /home/me/secure
>

You would do this by configuring a <Context> entry in the server.xml file,
something like this:

    <Context path="/secure"
        docBase="/home/me/secure"
        debug="0"
        reloadable="true"
        trusted="false"/>

and the URL pattern would still remain "/*" to protect all of this webapp.

>
> /===============================\
> | Micky Mimo                    |

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat



RE: BASIC Authentication

Posted by Micky Mimo <mi...@truexchange.com>.
What is not working is that no authentication page is coming up prompting me
for a login and password. The context-relative path is
http://localhost:8080/secure/index.html . This path does not pop up an
authentication dialog. The logical path is /usr/local/tomcat/webapps/secure

I put the web.xml in /usr/local/tomcat/webapps/secure/WEB-INF/web.xml

I want the index.html in /usr/local/tomcat/webapps/secure to prompt the user
for a login dialog box.

Eventually I will want this to function outside of the tomcat directory.
Such as /home/me/secure


/===============================\
| Micky Mimo                    |
| Systems Specialist            |
| (781) 869 - 3677   ext.505    |
| micky@truexchange.com         |
\===============================/


-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Friday, October 06, 2000 3:09 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: BASIC Authentication


Micky Mimo wrote:

> I have tried setting up Basic Authentication for tomcat and can not seem to
> get it to work on directories that are not part of the basic install. It
> works fine when I set this up with the /ROOT directory. I have read through
> the news groups and have not found a solution to this problem. Although, I
> see a lot of similar problems. Do I need to do more with the other xml files
> in the conf directory. I am running tomcat 3.2 beta4. I can not get this to
> work on 3.1 as well. My web.xml looks like the following.

Don't bother trying to get this to work in 3.1 ... it will not.

In 3.2b4, exactly what is "not working" for you?  The setup in your web.xml
below looks good -- you are saying that any context-relative path starting with
"/secure/*" should be protected.

In other words, if your context path is "/myapp" the following request should
trigger the authentication dialog:

    http://localhost:8080/myapp/secure/index.html

Craig McClanahan

>
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>     "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>
> <web-app>
>
>     <security-constraint>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>          <url-pattern>/secure/*</url-pattern>
>          <http-method>DELETE</http-method>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>          <http-method>PUT</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <role-name>admin</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Admin</realm-name>
>     </login-config>
>
> </web-app>
>
> /===============================\
> | Micky Mimo                    |
> | Systems Specialist            |
> | (781) 869 - 3677   ext.505    |
> | micky@truexchange.com         |
> \===============================/





Re: BASIC Authentication

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Micky Mimo wrote:

> I have tried setting up Basic Authentication for tomcat and can not seem to
> get it to work on directories that are not part of the basic install. It
> works fine when I set this up with the /ROOT directory. I have read through
> the news groups and have not found a solution to this problem. Although, I
> see a lot of similar problems. Do I need to do more with the other xml files
> in the conf directory. I am running tomcat 3.2 beta4. I can not get this to
> work on 3.1 as well. My web.xml looks like the following.

Don't bother trying to get this to work in 3.1 ... it will not.

In 3.2b4, exactly what is "not working" for you?  The setup in your web.xml
below looks good -- you are saying that any context-relative path starting with
"/secure/*" should be protected.

In other words, if your context path is "/myapp" the following request should
trigger the authentication dialog:

    http://localhost:8080/myapp/secure/index.html

Craig McClanahan

>
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>     "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>
> <web-app>
>
>     <security-constraint>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>          <url-pattern>/secure/*</url-pattern>
>          <http-method>DELETE</http-method>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>          <http-method>PUT</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <role-name>admin</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Admin</realm-name>
>     </login-config>
>
> </web-app>
>
> /===============================\
> | Micky Mimo                    |
> | Systems Specialist            |
> | (781) 869 - 3677   ext.505    |
> | micky@truexchange.com         |
> \===============================/




RE: BASIC Authentication

Posted by Tom Lager <tl...@vc.fortdearborn.com>.
I'm having the same problem!  Anyone out there know anything?

Thanks,

Tom

-----Original Message-----
From: Micky Mimo [mailto:micky@truexchange.com]
Sent: Friday, October 06, 2000 1:47 PM
To: tomcat-user@jakarta.apache.org
Subject: BASIC Authentication


I have tried setting up Basic Authentication for tomcat and can not seem to
get it to work on directories that are not part of the basic install. It
works fine when I set this up with the /ROOT directory. I have read through
the news groups and have not found a solution to this problem. Although, I
see a lot of similar problems. Do I need to do more with the other xml files
in the conf directory. I am running tomcat 3.2 beta4. I can not get this to
work on 3.1 as well. My web.xml looks like the following.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/secure/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin</realm-name>
    </login-config>


</web-app>

/===============================\
| Micky Mimo                    |
| Systems Specialist            |
| (781) 869 - 3677   ext.505    |
| micky@truexchange.com         |
\===============================/