Re: Realms getting confused in context reload
I was equally surprised to see this behavior, but my hat is off to the people who read this specification, and implemented it - the RFCs are a can of worms.

The RFC for this (#2617 - HTTP Authentication: Basic and Digest Access Authentication - http://www.ietf.org/rfc/rfc2617.txt) says that

    The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]) of the server being accessed, defines the protection space.

The reference to [2] there is to RFC #2616 - Hypertext Transfer Protocol -- HTTP/1.1 (http://www.ietf.org/rfc/rfc2616.txt), and section 5.1.2 of that says nothing about abs_path, which is defined in RFC #2396 - Uniform Resource Identifiers (URI): Generic Syntax (http://www.ietf.org/rfc/rfc2396.txt), and says that abs_path is essentially any path starting with a / character.

Bottom line: Server name + Realm name = protection space. The protocol HTTP knows nothing of contexts, so when we define a realm in Tomcat, and do not specify a name that includes the context, this should be expected. It would be nice if there were a way in Tomcat to say "include the context in the authentication realm name".

Larry

On Wed, 26 Jan 2005 15:31:46 -0700, Brandon Goodin [EMAIL PROTECTED] wrote:
> Here is what solved this. My web.xml in the admin and in the customer app were defined as follows:
>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Order Inquiry</realm-name>
>     </login-config>
>
> Apparently in Tomcat you cannot have two contexts with a web.xml that shares the same login-config/realm-name. The behavior is VERY bizarre. It would seem that the right way to deal with this would be to identify the realms based on context. So, if I use the same realm name in my web.xml it is totally irrelevant, because the realm is scoped in the context. Is this a bug?
Realms getting confused in context reload
I have some strange behavior showing up with Tomcat 5.0.30. I have a host configured with two contexts. The contexts are deployed as wars. But, they have configuration information in the server.xml. Each context has its own realm defined within the context tag. The contexts are named /admin and /customer. The /customer context is configured to use a DatasourceRealm for authentication. The /admin is configured to use a custom realm called ReverseProxyRealm5. Both contexts share a JNDI datasource resource defined in the DefaultContext tag.

The odd behavior that I am experiencing happens during an auto reload of the context after both of the war files have been changed. Once the contexts have reloaded and the new war files have been autoDeployed I lose the use of my ReverseProxyRealm5 on the admin context. But, not only do I lose it, it also switches to using the DatasourceRealm as defined in the customer context. After I stop and start Tomcat everything is fine again.

I have tested this out running Tomcat from the command line and within Eclipse with the same resulting behavior. I deleted the /conf/Catalina directory and the /work/Catalina directory for good measure. But, all the behavior continues.

Attached is my server.xml host file without the sensitive info.

    <Host name="oi" debug="0" autoDeploy="true"
          appBase="D:\myappbase\projects\oi\dist\war">

      <Logger className="org.apache.catalina.logger.FileLogger"
              directory="logs" prefix="orderinquiry_log." suffix=".txt"
              timestamp="true"/>

      <DefaultContext>
        <Resource name="jdbc/oi" auth="Container" type="javax.sql.DataSource"/>
        <ResourceParams name="jdbc/oi">
          <parameter>
            <name>factory</name>
            <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
          </parameter>
          <parameter>
            <name>driverClassName</name>
            <value>com.ibm.as400.access.AS400JDBCDriver</value>
          </parameter>
          <parameter>
            <name>url</name>
            <value>jdbc:as400://some.url.here.org;naming=system;date format=iso</value>
          </parameter>
          <parameter>
            <name>username</name>
            <value>dudesusername</value>
          </parameter>
          <parameter>
            <name>password</name>
            <value>dudespassword</value>
          </parameter>
          <parameter>
            <name>maxActive</name>
            <value>20</value>
          </parameter>
          <parameter>
            <name>maxIdle</name>
            <value>10</value>
          </parameter>
          <parameter>
            <name>maxWait</name>
            <value>-1</value>
          </parameter>
          <parameter>
            <name>validationQuery</name>
            <value>SELECT 0 FROM qsqptabl</value>
          </parameter>
        </ResourceParams>
      </DefaultContext>

      <Context path="/customer" debug="0" reloadable="true" crossContext="false">
        <Realm className="org.apache.catalina.realm.DataSourceRealm" debug="0"
               dataSourceName="jdbc/orderinquiry" localDataSource="true"
               userTable="UTABLE" userNameCol="UNAMECOL" userCredCol="PAZZWORD"
               userRoleTable="UTABLERL" roleNameCol="UROLE"/>
      </Context>

      <Context path="/admin" debug="0" reloadable="true" crossContext="false">
        <Realm className="com.plumcreek.commons.security.ReverseProxyRealm5"/>
      </Context>

    </Host>

Thanks,
Brandon

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realms getting confused in context reload
Here is what solved this. My web.xml in the admin and in the customer app were defined as follows:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Order Inquiry</realm-name>
    </login-config>

Apparently in Tomcat you cannot have two contexts with a web.xml that shares the same login-config/realm-name. The behavior is VERY bizarre. It would seem that the right way to deal with this would be to identify the realms based on context. So, if I use the same realm name in my web.xml it is totally irrelevant, because the realm is scoped in the context. Is this a bug?

Brandon

On Wed, 26 Jan 2005 11:51:54 -0700, Brandon Goodin [EMAIL PROTECTED] wrote:
> I have some strange behavior showing up with Tomcat 5.0.30. I have a host configured with two contexts. The contexts are deployed as wars. But, they have configuration information in the server.xml. Each context has its own realm defined within the context tag. The contexts are named /admin and /customer. The /customer context is configured to use a DatasourceRealm for authentication. The /admin is configured to use a custom realm called ReverseProxyRealm5. Both contexts share a JNDI datasource resource defined in the DefaultContext tag.
>
> The odd behavior that I am experiencing happens during an auto reload of the context after both of the war files have been changed. Once the contexts have reloaded and the new war files have been autoDeployed I lose the use of my ReverseProxyRealm5 on the admin context. But, not only do I lose it, it also switches to using the DatasourceRealm as defined in the customer context. After I stop and start Tomcat everything is fine again.
>
> I have tested this out running Tomcat from the command line and within Eclipse with the same resulting behavior. I deleted the /conf/Catalina directory and the /work/Catalina directory for good measure. But, all the behavior continues.
>
> Attached is my server.xml host file without the sensitive info.
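Added example, not part of the thread and not Tomcat code: a Python check that applies the RFC 2617 rule quoted in this thread (canonical root URL plus case-sensitive realm value) to each context's login-config and reports contexts that fall into the same protection space, where a browser will reuse one set of cached BASIC credentials. The function names, the port 8080 and the web.xml samples are constructed assumptions; only the host name `oi`, the context paths and the realm name come from the thread.

```python
"""Added example: flag contexts whose realm-name shares one protection space."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_root(url):
    """Scheme, host and port only: RFC 2617 ignores the path, so the context too."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def login_config(web_xml_text):
    """Return (auth-method, realm-name) from web.xml text, namespaced or not."""
    found = {}
    for el in ET.fromstring(web_xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop an optional {namespace} prefix
        if local in ("auth-method", "realm-name"):
            found[local] = (el.text or "").strip()
    return found.get("auth-method"), found.get("realm-name")


def realm_collisions(host_url, contexts):
    """Map (root URL, realm) -> context paths, keeping only shared spaces."""
    spaces = defaultdict(list)
    for path, text in sorted(contexts.items()):
        method, realm = login_config(text)
        if method in ("BASIC", "DIGEST") and realm is not None:
            # The realm value is case-sensitive, so it is compared as written.
            spaces[(canonical_root(host_url), realm)].append(path)
    return {space: paths for space, paths in spaces.items() if len(paths) > 1}


def sample_web_xml(realm):
    """Constructed web.xml, modelled on the login-config shown in the thread."""
    return ("<web-app><login-config><auth-method>BASIC</auth-method>"
            f"<realm-name>{realm}</realm-name></login-config></web-app>")


if __name__ == "__main__":
    # Constructed input: both contexts use the realm name from the thread.
    shared = {"/admin": sample_web_xml("Order Inquiry"),
              "/customer": sample_web_xml("Order Inquiry")}
    for (root, realm), paths in realm_collisions("http://oi:8080/", shared).items():
        print(f"{root} realm {realm!r} is shared by {', '.join(paths)}")
```

Giving each context its own realm-name, as the follow-up message in the thread did, makes the report come back empty.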