Sreyan,

On 9/7/15 9:56 AM, Sreyan Chakravarty wrote:
> I did what you said. That is pointing the web browser to a
> protected resource without authentication and then logging in. It
> works perfectly IF AND ONLY IF the credentials are ABSOLUTELY
> correct. Otherwise I am getting undefined behavior and that's where I
> need your help now.
> 
> First-: If I provide an invalid user-id and valid/invalid password
> I am getting the following error-:
> 
> HTTP Status 500 -
> 
> java.lang.NullPointerException
> org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltIterationsEncoded(DigestCredentialHandlerBase.java:147)

What version of Tomcat are you running? That line number is a javadoc
comment in both Tomcat 8/trunk and Tomcat 9/trunk.

> Now I thought that when invalid credentials of any kind are given
> Tomcat is supposed to take you to the <form-error-page>. Then why
> is it I am getting a 500 error. Clearly something is wrong from my
> side or else the <form-error-page> is invoked under different
> circumstances.

It's possible there is a bug in there; the CredentialHandlers are
fairly new. But I'm going to need a test case to check it out. Can you
create a quick WAR file containing whatever is necessary to reproduce
this on an up-to-date Tomcat 7/8/trunk? I'll need a copy of your
custom credential handler as well, and any configuration from
server.xml that is necessary.

> Secondly-: If I provide a valid user-id and invalid password I am
> again not redirected to the form-error-page I am kept in
> j_security_check.

What do you mean by that? Were you expecting a formal redirect response?

> How do I show the user that his credentials are wrong?

The form-error-page should be used when credentials are invalid.

> Also can a webapp have different realms?

Yes and no. The web application can only have a single Realm, but
there is a Realm called CombinedRealm that allows you to register as
many realms with it as you want.

> If so how do you distinguish them?

From client code, I'm not sure it's possible.

> I was looking at the RealmBase source and I haven't noticed a
> place for realmName. If not then what is the use of the <realmName>
> element in web.xml?

That's for HTTP Basic and HTTP Digest authentication: it's the "realm"
name that is displayed to the user when the username/password pop-up
is shown to them.

> The example that you have provided -:
> 
> request.login(req.getParameter("username"), 
> req.getParameter("password"));
> 
> Which realm would it use if there were multiple realms available ?

The only realm for the web application (which may be a CombinedRealm,
in which case you won't be able to tell which realm successfully
performed the authentication).

-chris
