Sreyan,

On 9/7/15 9:56 AM, Sreyan Chakravarty wrote:
> I did what you said. That is pointing the web browser to a
> protected resource without authentication and then logging in. It
> works perfectly IF AND ONLY IF the credentials are ABSOLUTELY
> correct. Otherwise I am getting undefined behavior and that's where I
> need your help now.
>
> First-: If I provide an invalid user-id and valid/invalid password
> I am getting the following error-:
>
> HTTP Status 500 -
>
> java.lang.NullPointerException
> org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltIterationsEncoded(DigestCredentialHandlerBase.java:147)

What version of Tomcat are you running? That line number is a javadoc
comment in both Tomcat 8/trunk and Tomcat 9/trunk.

> Now I thought that when invalid credentials of any kind are given
> Tomcat is supposed to take you to the <form-error-page>. Then why
> is it I am getting a 500 error. Clearly something is wrong from my
> side or else the <form-error-page> is invoked under different
> circumstances.

It's possible there is a bug in there; the CredentialHandlers are
fairly new. But I'm going to need a test case to check it out. Can you
create a quick WAR file containing whatever is necessary to reproduce
this on an up-to-date Tomcat 7/8/trunk? I'll need a copy of your custom
credential handler as well, and any configuration from server.xml that
is necessary.

> Secondly-: If I provide a valid user-id and invalid password I am
> again not redirected to the form-error-page I am kept in
> j_security_check.

What do you mean by that? Were you expecting a formal redirect response?

> How do I show the user that his credentials are wrong?

The form-error-page should be used when credentials are invalid.

> Also can a webapp have different realms?

Yes and no. The web application can only have a single Realm, but
there is a Realm called CombinedRealm that allows you to register as
many realms with it as you want.

> If so how do you distinguish them?

From client code, I'm not sure it's possible.

> I was looking at the RealmBase source and I haven't noticed a
> place for realmName. If not then what is the use of the <realmName>
> element in web.xml?

That's for HTTP Basic and HTTP Digest authentication: it's the "realm"
name that is displayed to the user when the username/password pop-up
is shown to them.

> The example that you have provided -:
>
> request.login(req.getParameter("username"),
> req.getParameter("password"));
>
> Which realm would it use if there were multiple realms available?

The only realm for the web application (which may be a CombinedRealm,
in which case you won't be able to tell which realm successfully
performed the authentication).

-chris
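
The programmatic login discussed in the message above, sketched with a single generic failure path so the response does not reveal whether the user-id or the password was wrong. This is an added example, not code from the thread or from Tomcat: the servlet name, URL pattern and JSP paths are hypothetical, and `changeSessionId()` assumes Servlet 3.1 (Tomcat 8 or later).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the URL pattern and the two JSP paths are assumptions.
@WebServlet("/do-login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // Reject missing parameters before they reach the Realm and its CredentialHandler.
        if (username == null || username.isEmpty() || password == null) {
            fail(req, resp);
            return;
        }
        try {
            // Uses the web application's single Realm (which may be a CombinedRealm).
            req.login(username, password);
        } catch (ServletException e) {
            // Thrown when validation fails or a caller identity is already established.
            // Runtime exceptions from a custom CredentialHandler are not caught here.
            fail(req, resp);
            return;
        }
        // Rotate the session id after authentication (Servlet 3.1+).
        if (req.getSession(false) != null) {
            req.changeSessionId();
        }
        // Fixed target, never taken from request parameters.
        resp.sendRedirect(req.getContextPath() + "/protected/index.jsp");
    }

    // One response for every failure: same status, same message, same page.
    private void fail(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        req.setAttribute("loginError", "Invalid username or password");
        req.getRequestDispatcher("/login-error.jsp").forward(req, resp);
    }
}
```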