Re: basic authentication won't accept password (intermittent)
Hi again,

I just discovered bug 33157: basic authentication fails in some cases, reported in Tomcat 5.5.4.
http://issues.apache.org/bugzilla/show_bug.cgi?id=33157

It doesn't describe my exact problem, but it's the best theory so far. Unfortunately the hosting provider is unlikely to install 5.5.9 in the near future ;-)

Will report back to the list when the resolution is known.

Best,
Eric :)

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: BASIC Authentication for Custom Realm
Based on my own experience, the quickest way to work out what is happening will be to debug your way through it. See the FAQ for how to set this up:
http://jakarta.apache.org/tomcat/faq/development.html

Mark

Mudumbai, Kalyan wrote:
> Hi All,
>
> I am trying to write a custom realm for my web application. I have added the realm in the server.xml file as below:
>
>   <Realm className="com.web.tomcat.security.CustomRealm" debug="0"/>
>
> and I had the following entries in my web.xml file:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>webfiles</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>everyone</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>CustomRealm</realm-name>
>   </login-config>
>   <security-role>
>     <role-name>everyone</role-name>
>   </security-role>
>
> When I access a page in my app, I'm expecting to get a login dialog box that's provided by the web browser. But it doesn't happen when I try to access a web page. If I remove my custom realm entry in the server.xml, the login dialog appears. Has the appearance of the login dialog got anything to do with the Realm? Can someone please let me know what's going wrong here?
>
> Thanks,
> Kalyan.
Re: Basic Authentication Window
If you are using basic authentication, that is out of your control - the browser will resend the authentication with every request. It does not care at all about your session.

I think your simplest solution is to switch to form-based authentication.

Larry

On Thu, 27 Jan 2005 19:58:16 -0800 (PST), Gia Thornton [EMAIL PROTECTED] wrote:
> Hi,
>
> I am using Tomcat container managed security: Basic Authentication, by adding the following to web.xml.
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>The Entire Web Application</web-resource-name>
>       <url-pattern>/XMLServlet</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>UserDatabase</realm-name>
>   </login-config>
>   <security-role>
>     <description>An example role defined in conf/tomcat-users.xml</description>
>     <role-name>tomcat</role-name>
>   </security-role>
>
> I have used a form in my jsp:
>
>   <form name="update" method="POST" action="/abc/XMLServlet">
>     <input type="button" name="save_change" value="Save" onclick="saveChange(event)">
>     <input type="button" name="cancel_change" value="Cancel" onclick="cancelChange(event)">
>     <input type="button" name="edit" value="Edit" onclick="checkLogin(event)">
>   </form>
>
> If I click on the Edit button, the javascript checkLogin will submit the form. If the user has not logged in, an authentication window will pop up. After the first-time authentication, the page is directed to the same page containing the above form.
>
> I intentionally set setMaxInactiveInterval to be like 10 seconds in XMLServlet. When the session expires, I click the Edit button again, and now the page goes directly to XMLServlet without the authentication window popping up.
>
> Does anyone know what causes this? How can I get the authentication window to pop up when the session expires?
>
> Thank you for your help.
> Gia
Re: Basic Authentication Window
Hi Larry,

Thank you for your reply! Yes, I have tried the form authentication. It does redirect to the login page when the session expires.

Gia

Larry Meadors [EMAIL PROTECTED] wrote:
> If you are using basic authentication, that is out of your control - the browser will resend the authentication with every request. It does not care at all about your session.
>
> I think your simplest solution is to switch to form-based authentication.
>
> Larry
>
> On Thu, 27 Jan 2005 19:58:16 -0800 (PST), Gia Thornton wrote:
> > [...]
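Larry's point above, modelled as an added example (this is not code from the thread or from Tomcat): a toy BASIC-protected servlet with an idle-expiring session, a toy FORM-style server, and a browser that caches the realm's credentials and resends them on every request. The realm name, users table, the 10 second timeout (Gia's setMaxInactiveInterval) and the class names are all constructed for the example; a real browser keys cached credentials on host, realm and path, and only one protected URL is modelled here.

```python
"""Why a server-side session timeout never re-prompts under HTTP Basic."""
import base64
import binascii

REALM = "UserDatabase"
MAX_INACTIVE = 10              # seconds, as in the thread
USERS = {"tomcat": "tomcat"}   # constructed test user; plaintext only for the demo


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if header is None or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class BasicAuthServer:
    """BASIC login-config: every request is authenticated from its own header."""

    def __init__(self):
        self.session = None    # (user, last_access_time) or None

    def handle(self, headers, now):
        if self.session is not None and now - self.session[1] > MAX_INACTIVE:
            self.session = None    # expired: the server has forgotten the user
        creds = parse_basic(headers.get("Authorization"))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
        self.session = (creds[0], now)   # a fresh session is created silently
        return 200, {}


class FormAuthServer:
    """FORM login-config: the login lives only in the server-side session."""

    def __init__(self):
        self.session = None

    def login(self, user, password, now):
        if USERS.get(user) != password:
            return False
        self.session = (user, now)
        return True

    def handle(self, headers, now):
        if self.session is not None and now - self.session[1] > MAX_INACTIVE:
            self.session = None
        if self.session is None:
            return 302, {"Location": "/login.jsp"}   # back to the login page
        self.session = (self.session[0], now)
        return 200, {}


class Browser:
    """Caches Basic credentials per realm and resends them on every request."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.cached = {}       # realm -> Authorization header value
        self.last_realm = None
        self.prompts = 0       # how many times the login dialog was shown

    def request(self, server, now):
        headers = {}
        if self.last_realm in self.cached:
            headers["Authorization"] = self.cached[self.last_realm]
        status, resp = server.handle(headers, now)
        if status == 401 and "WWW-Authenticate" in resp:
            realm = resp["WWW-Authenticate"].split('realm="', 1)[1].split('"', 1)[0]
            self.prompts += 1  # dialog pops up, user types credentials once
            token = base64.b64encode(("%s:%s" % (self.user, self.password)).encode()).decode()
            self.cached[realm] = "Basic " + token
            self.last_realm = realm
            status, resp = server.handle({"Authorization": self.cached[realm]}, now)
        return status


def basic_scenario():
    """Login, let the session expire, click Edit again (the thread's steps)."""
    server, browser = BasicAuthServer(), Browser("tomcat", "tomcat")
    first = browser.request(server, now=0)    # 401 -> dialog -> 200
    later = browser.request(server, now=60)   # session long expired, yet 200
    return {"first": first, "later": later, "prompts": browser.prompts}


def form_scenario():
    """Same timing with FORM auth: the expired session forces a new login."""
    server = FormAuthServer()
    server.login("tomcat", "tomcat", now=0)
    return {"first": server.handle({}, now=0)[0], "later": server.handle({}, now=60)[0]}


if __name__ == "__main__":
    print("BASIC:", basic_scenario())
    print("FORM: ", form_scenario())
```

Under BASIC the second request at t=60 still gets 200 and the dialog was shown exactly once: the container expired the session, but valid credentials arrived with the request, so a new session was created without the user noticing. There is no server-side "logout" for Basic; only the browser can drop its cached header. Under FORM the same timing yields a 302 to the login page, which is what Gia later confirmed.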
Re: BASIC Authentication
Ashish Kulkarni wrote:
> Hi
>
> Maybe try putting the following in the web.xml file just before taglib (I am not sure, but it works with 2.2):
>
>   <error-page>
>     <error-code>403</error-code>
>     <location>/pages/error/noaccess.jsp</location>
>   </error-page>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/pages/error/noaccess.jsp</location>
>   </error-page>
>
> Ashish

Thanks for the answer, but this method doesn't work. In fact, if a resource is under authentication (like manager) and I set up a 401 error page, the system does not ask for user and password but presents the error page immediately.

I think I have to use something other than basic auth, at least to create my own login page :D

Thanks all,
Giorgio Ponza

> --- Omar Adobati [EMAIL PROTECTED] wrote:
> > Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...
> >
> > On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:
> > > [...]

--
Giorgio Ponza
Web Developer
Opla.com Ltd
Tel. +39 011 7506233
Fax. +39 011 746179
http://www.opla.it
---
There are people who have money and people who are rich (Coco Chanel)
Re: BASIC Authentication
I never tried it, but maybe you can write your own code into the login page that redirects you to a different page if the login task is not completed as needed...

On Mon, 24 Jan 2005 14:21:19 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:
> Hi all
>
> I have a small problem trying to configure BASIC auth. Everything works well, but I'd like to know if I can change the default page shown when the user is not authenticated.
>
> I'll try to explain better: if I type the password wrong 3 times, or I click on the cancel button, a default Tomcat page appears saying:
>
>   type: Status report
>   message:
>   description: This request requires HTTP authentication ().
>
> Is it possible to change this default page?
>
> Thanks everybody
> Giorgio

--
Adobati Omar [EMAIL PROTECTED]
Re: BASIC Authentication
Omar Adobati wrote:
> I never tried it, but maybe you can write your own code into the login page that redirects you to a different page if the login task is not completed as needed...

I can't try this :D There is no login page, only a box appearing over the browser asking for user and password.

Thanks anyway
Giorgio
Re: BASIC Authentication
Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...

On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:
> Omar Adobati wrote:
> > [...]
>
> I can't try this :D There is no login page, only a box appearing over the browser asking for user and password.
>
> Thanks anyway
> Giorgio

--
Adobati Omar [EMAIL PROTECTED]
Re: BASIC Authentication
Hi

Maybe try putting the following in the web.xml file just before taglib (I am not sure, but it works with 2.2):

  <error-page>
    <error-code>403</error-code>
    <location>/pages/error/noaccess.jsp</location>
  </error-page>
  <error-page>
    <error-code>401</error-code>
    <location>/pages/error/noaccess.jsp</location>
  </error-page>

Ashish

--- Omar Adobati [EMAIL PROTECTED] wrote:
> Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...
>
> On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:
> > [...]
Re: Basic authentication
Hello,

The answer to your question is that you cannot serve the user database (now tomcat-users.xml) from inside a .war file, as it cannot be read from in there, but you can change its location to be below your webapps directory. This can be achieved by changing the path to it, which is currently in server.xml.

You need not use a flat file format to serve your username/password combinations just because you are using Basic Authentication. The two are separate issues:

Issue one is: What type of authentication do I want? Form, Basic, Digest, Client-Cert. This is a Sun servlet specification issue/list, version 2.2 of which can be found here:
http://java.sun.com/products/servlet/2.2/

Issue two is: Where am I going to store my database of users? Database (JDBC Realm), LDAP directory (JNDI Realm), Flat File (Memory Realm), etc. This is a Tomcat container specific issue/list, which can be found here:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

Hope this all helps,
Andoni.

- Original Message -
From: Michal Kwiatek [EMAIL PROTECTED]
Newsgroups: gmane.comp.jakarta.tomcat.user
Sent: Thursday, November 11, 2004 4:25 PM
Subject: Basic authentication

> I would like to use container-based declarative authentication without the need to modify any files in the $CATALINA_HOME/conf directory. To simplify my question a bit: is it somehow possible to make Tomcat read tomcat-users.xml from the war file, and not from $CATALINA_HOME/conf?
>
> Michal.
Re: BASIC authentication without Popup Verification window
Nevermind. I had a 401 page defined in web.xml, so it was being sent there instead of the browser. My mistake.

- Original Message -
From: e-Denton Subscriber [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Saturday, October 23, 2004 4:06 PM
Subject: BASIC authentication without Popup Verification window

> Hi!
>
> I can't figure out why my BASIC authorization isn't working for my app. The pages show up as 401 Not Authorized, but no popup authorization window pops up! Further, the admin and manager apps are working using my JDBCRealm (the Enter Password window does pop up). Help appreciated.
>
> server.xml:
> ---
>   <!--
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" resourceName="UserDatabase"/>
>   <Realm className="org.apache.catalina.realm.MemoryRealm" />
>   -->
>   <Realm resourceName="PortalDatabase"
>          className="org.apache.catalina.realm.JDBCRealm" debug="99"
>          driverName="com.mysql.jdbc.Driver"
>          connectionURL="jdbc:mysql://127.0.0.1:3306/myDB"
>          connectionName="myUser" connectionPassword="myPassword"
>          userTable="users" userNameCol="user_name" userCredCol="user_pass"
>          userRoleTable="user_roles" roleNameCol="role_name" />
>
> web.xml:
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Maintenance</web-resource-name>
>       <url-pattern>/maint/*</url-pattern>
>       <url-pattern>/maintenance.do</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>manager</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Portal</realm-name>
>   </login-config>
>   <security-role>
>     <description>manager</description>
>     <role-name>manager</role-name>
>   </security-role>
Re: basic authentication and custom 401 error page
Hi Ross,

Simply adding an error page will not do. You need to have a servlet that will set the status of the response page as 403 (HttpServletResponse.SC_UNAUTHORIZED).

Look at the code implementation of Security-Filter. It's good.
http://sf.net/projects/securityfilter

HTH
Happy Hacking,
Gaurav Vaish
http://www.mastergaurav.org

On Fri, 24 Sep 2004 09:33:13 -0500, Angelov, Rossen [EMAIL PROTECTED] wrote:
> Hi,
>
> We are running our applications on Tomcat 4 and 5. On both versions we are having problems with the basic authentication. The problem is that I haven't found a way to overwrite the default 401 error page with a custom page.
>
> If I add an error-page element in web.xml for error 401
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/err401.html</location>
>   </error-page>
>
> then the username/password window is completely ignored and the err401.html page is displayed.
>
> I searched the archives and different forums but there are a lot of people asking for help with similar problems without any responses. I found two reported bugs related to that issue: 12194 and 22617 for Tomcat 3 and 4. I didn't find any bugs for Tomcat 5 but it's still not working for me.
>
> Any suggestions will be appreciated.
>
> Thanks,
> Ross
>
> This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution.
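The symptom in this thread and in the two before it (a custom 401 page appears, the login dialog never does) comes down to one header: a browser opens the Basic dialog only when a 401 carries a WWW-Authenticate challenge it understands; a 401 that lacks it is just rendered. The following added example (not code from the thread or from Tomcat) parses the head of a raw HTTP response, as captured with a proxy or `curl -i`, and says which case you are looking at. Both sample responses are constructed for the example; the Tomcat body text is taken from the thread.

```python
"""Distinguish a real Basic challenge from a 401 that merely renders an error page."""


def parse_response_head(raw):
    """Return (status_code, headers) from raw HTTP response text; header names lower-cased."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split(" ", 2)[1])       # "HTTP/1.1 401 Unauthorized" -> 401
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # repeated header fields (e.g. several challenges) are joined with commas
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return status, headers


def classify(raw):
    """Explain what a browser will do with this response."""
    status, headers = parse_response_head(raw)
    challenge = headers.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "challenge: browser will show the Basic login dialog"
    if status == 401 and challenge:
        return "challenge with non-Basic scheme (%s)" % challenge.split(" ")[0]
    if status == 401:
        return "401 without WWW-Authenticate: the error page is shown, no dialog"
    if status == 403:
        return "403: authenticated but not in a required role"
    return "status %d: not an authentication response" % status


# constructed: what Tomcat sends when the realm has not been satisfied yet
TOMCAT_DEFAULT_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="UserDatabase"\r\n'
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "\r\n"
    "<html><body>This request requires HTTP authentication ()</body></html>")

# constructed: a 401 whose body is the custom err401.html but which lost the challenge header
CUSTOM_ERROR_PAGE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>custom err401.html</body></html>")


if __name__ == "__main__":
    for sample in (TOMCAT_DEFAULT_401, CUSTOM_ERROR_PAGE_401):
        print(classify(sample))
```

When debugging this, look at the response headers rather than the rendered page: if the status is 401 but there is no WWW-Authenticate header, the container served the error page in place of the challenge, which is exactly the "error page instead of dialog" behaviour reported above. A custom 401 page can only coexist with the dialog if the response keeps both the status and the challenge header.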
Re: Re: BASIC authentication not working, PLEASE HELP !
Hi Michele,

Thanks for the tip. I didn't know about this option.

However, I found what the problem was. If you look at my web.xml file, you'll see I forgot the 's' in security-conStraint. The most incredible thing is that Tomcat 5 didn't complain at all!!! And guess how I figured it out? I thought there was a bug in the container so I downloaded Tomcat 4. And immediately this version complained about the misspelling...

I'm quite surprised (and disappointed) because I did change the level of traces in the server.xml and no valuable information came out :-(.

I hope this post will keep other newbies from getting stuck like I was.

Thanks,
Laurent

Message of 23/07/04 at 21:36
From: Michele Ouellet [EMAIL PROTECTED]
To: Laurent Le Moux [EMAIL PROTECTED]
Cc:
Subject: Re: BASIC authentication not working, PLEASE HELP !

> Hi Laurent,
>
> Did you start tomcat with the -security flag on the command line?
>
> Michele Ouellet
> Stelvio Inc.
>
> - Original Message -
> From: Laurent Le Moux [EMAIL PROTECTED]
> Newsgroups: comp.lang.java.security
> Sent: Thursday, July 22, 2004 10:27 AM
> Subject: BASIC authentication not working, PLEASE HELP !
>
> > Hi!
> >
> > I've been struggling for two days now with Tomcat 5 BASIC authentication. I read many posts about the problem but most of the people seem to have a login window appearing. I don't :-( The jsp security examples, manager and admin work fine but my application just acts as if no authentication was required... I really don't see what's wrong with my config files. Can anybody help me, please?!!
> >
> > Hereafter are the xml files:
> >
> > -- tomcat-users.xml:
> >
> >   <?xml version='1.0' encoding='utf-8'?>
> >   <tomcat-users>
> >     <role rolename="tomcat"/>
> >     <role rolename="role1"/>
> >     <role rolename="standard"/>
> >     <role rolename="manager"/>
> >     <user username="llemoux" password="llemoux" roles="standard,manager"/>
> >     <user username="tomcat" password="tomcat" roles="tomcat"/>
> >     <user username="both" password="tomcat" roles="tomcat,role1"/>
> >     <user username="role1" password="tomcat" roles="role1"/>
> >   </tomcat-users>
> >
> > -- web.xml:
> >
> >   <?xml version="1.0" encoding="ISO-8859-1"?>
> >   <web-app version="2.4">
> >     <security-contraint>
> >       <web-resource-collection>
> >         <url-pattern>/*</url-pattern>
> >       </web-resource-collection>
> >       <auth-constraint>
> >         <role-name>standard</role-name>
> >       </auth-constraint>
> >     </security-contraint>
> >     <login-config>
> >       <auth-method>BASIC</auth-method>
> >     </login-config>
> >     <security-role>
> >       <role-name>standard</role-name>
> >     </security-role>
> >   </web-app>
> >
> > -- server.xml:
> >
> >   <Server port="8005" shutdown="SHUTDOWN">
> >     <GlobalNamingResources>
> >       <!-- Used by Manager webapp -->
> >       <Resource name="UserDatabase" auth="Container"
> >                 type="org.apache.catalina.UserDatabase"
> >                 description="User database that can be updated and saved">
> >       </Resource>
> >       <ResourceParams name="UserDatabase">
> >         <parameter>
> >           <name>factory</name>
> >           <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
> >         </parameter>
> >         <parameter>
> >           <name>pathname</name>
> >           <value>conf/tomcat-users.xml</value>
> >         </parameter>
> >       </ResourceParams>
> >     </GlobalNamingResources>
> >     <Service name="Catalina">
> >       <Connector port="8080" />
> >       <!-- This is here for compatibility only, not required -->
> >       <Connector port="8009" protocol="AJP/1.3" />
> >       <Engine name="Catalina" defaultHost="localhost">
> >         <Logger className="org.apache.catalina.logger.FileLogger"/>
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
> >         <Host name="localhost" appBase="webapps"/>
> >         <DefaultContext>
> >           <Resource name="jdbc/JSDB" auth="Container" type="javax.sql.DataSource"/>
> >           <ResourceParams name="jdbc/JSDB">
> >             <parameter>
> >               <name>factory</name>
> >               <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
> >             </parameter>
> >             <parameter>
> >               <name>maxActive</name>
> >               <value>3</value>
> >             </parameter>
> >             <parameter>
> >               <name>maxIdle</name>
> >               <value>1</value>
> >             </parameter>
> >             <parameter>
> >               <name>username</name>
> >               <value>jSDB</value>
> >             </parameter>
> >             <parameter>
> >               <name>password</name>
> >               <value>jSDB</value>
> >             </parameter>
> >             <parameter>
> >               <name>driverClassName</name>
> >               <value>org.hsqldb.jdbcDriver</value>
> >             </parameter>
> >             <parameter>
> >               <name>url</name>
> >               <value>jdbc:hsqldb:hsql://localhost</value>
> >             </parameter>
> >           </ResourceParams>
> >         </DefaultContext>
> >       </Engine>
> >     </Service>
> >   </Server>
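Laurent's misspelled <security-contraint> went unnoticed because nothing validated the descriptor, and the result was an application with no authentication at all. An added check for that failure mode (not code from the thread or from Tomcat), in Python: parse web.xml and flag top-level children of <web-app> that are not Servlet 2.4 elements but closely resemble one of the security-relevant ones, plus a login-config with no constraint to go with it. The KNOWN element list is a subset I assume is sufficient for this check, and the sample descriptor is constructed to reproduce the misspelling; validating against the real Servlet schema would be the fuller check.

```python
"""Flag silently ignored security elements in a web.xml deployment descriptor."""
import difflib
import xml.etree.ElementTree as ET

# Top-level children of <web-app> in the Servlet 2.4 schema (assumed subset; extend as needed)
KNOWN = {
    "description", "display-name", "icon", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "jsp-config", "security-constraint", "login-config", "security-role",
    "env-entry", "ejb-ref", "ejb-local-ref", "service-ref", "resource-ref",
    "resource-env-ref", "message-destination-ref", "message-destination",
    "locale-encoding-mapping-list", "taglib",
}
SECURITY_ELEMENTS = {"security-constraint", "login-config", "security-role"}


def _local(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/j2ee}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = set()
    for child in root:
        name = _local(child.tag)
        seen.add(name)
        if name in KNOWN:
            continue
        close = difflib.get_close_matches(name, sorted(KNOWN), n=1, cutoff=0.8)
        if close and close[0] in SECURITY_ELEMENTS:
            findings.append(
                "<%s> is not a valid web-app child; did you mean <%s>? "
                "A container that does not validate will ignore it and leave the resources unprotected"
                % (name, close[0]))
        else:
            findings.append("unknown element <%s> under <web-app>" % name)
    # A login method with nothing to protect (or the reverse) is usually a mistake too.
    if "login-config" in seen and "security-constraint" not in seen:
        findings.append("<login-config> present but no <security-constraint>: nothing is protected")
    if "security-constraint" in seen and "login-config" not in seen:
        findings.append("<security-constraint> present but no <login-config>: no auth method configured")
    return findings


# constructed sample reproducing the misspelling from the thread (XML declaration kept minimal)
BROKEN_WEB_XML = """<?xml version="1.0"?>
<web-app version="2.4">
  <security-contraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>standard</role-name></auth-constraint>
  </security-contraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>standard</role-name></security-role>
</web-app>
"""
FIXED_WEB_XML = BROKEN_WEB_XML.replace("security-contraint", "security-constraint")


if __name__ == "__main__":
    for finding in audit_web_xml(BROKEN_WEB_XML):
        print("WARN:", finding)
    print("fixed descriptor findings:", audit_web_xml(FIXED_WEB_XML))
```

Run it over every descriptor as part of the build, or at least before a deployment: the broken sample yields two findings (the near-miss element and the orphaned login-config), the corrected one yields none. The underlying lesson is the one Laurent drew: a container that accepts unknown elements without a word turns a typo into a missing access control, so verify the effective protection by requesting a constrained URL without credentials and checking for the 401, not just by reading the file.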
Re: basic authentication or not?
(Please, create new messages when mailing the list. Responding to unrelated messages causes confusion for those of us who use thread-aware mailers.)

: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you create a custom login page that maintains your app's look and feel. (read: that's all *I* have used it for ;)

: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no security-constraint or login-config elements in the web.xml. You're checking the app-specific web.xml in WEB-INF, and not the general one in the Tomcat install dir? (Sorry to ask; I have to check.)

Yet, there's a Realm def in server.xml? Perhaps auth is being done elsewhere (say, the web server), hence the Realm isn't being used, and is left over from an earlier configuration. Unlikely, but worth investigating.

: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users. Would it be
: just as simple to continue using that for authentication if we moved
: away from this popup box authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to continue using this database. Provided, of course, the passwords are hashed in the way JDBCRealm expects.

: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic. This also lets you share that single auth DB among several apps, and each app can have its own database for its data.

-QM

--
software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
Re: basic authentication or not?
As long as you authenticate your users over https, to prevent the passwords from travelling across the internet unencrypted, you can use any method.

Filip

- Original Message -
From: QM [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 4:04 PM
Subject: Re: basic authentication or not?

> [...]
Re: basic authentication or not?
Duh. I was looking in the general Tomcat web.xml--yes, in my app-specific one, we're using BASIC authentication.

Ok, so Tomcat knows to use the additional MySQL database for authentication. Right now, if you go to www.ourDomain.com it'll make you authenticate and then it will forward you to the default web application at www.ourDomain.com/DefaultApp/Welcome.jsp, and we have several web apps and you can cross from one to the other without authenticating, so you could go up and modify the URL to www.ourDomain.com/OtherApp/index.jsp and you'd be there instantly.

So my question is, if we changed to form-based authentication so we could present our look and feel from the start, would it work for authenticating all the web apps if the login page was under a particular web app's folder? In other words, where would and could we stick a Login.jsp that would be presented to the user when you type www.ourDomain.com?

Thanks so much,
Stephen

- Original message -
From: QM [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Date: Thu, 17 Jun 2004 16:04:21 -0500
Subject: Re: basic authentication or not?

> [...]
RE: Basic Authentication
Maybe through the navigator object in the user's browser; you must check whether there's no permission constraint for that.

--
From: Bui, Bao-Ha D [SMTP:[EMAIL PROTECTED]]
Reply-To: Tomcat Users List
Sent: Friday, 5 December 2003 13:45
To: 'Tomcat Users List'
Subject: Basic Authentication

> Hi all,
>
> I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop-up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but don't quite get it.
>
> Thanks very much for any help.
>
> Bao-Ha Dam Bui
> [EMAIL PROTECTED]
> St. Jude Medical, Inc
> 651.765.1018
>
> * This communication may contain information that is proprietary, privileged, confidential or legally exempt from disclosure. If you are not a named addressee, you are notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so may be unlawful. If you have received this communication in error, please notify the sender via return e-mail and delete it from your computer. Thank you. St. Jude Medical, Inc. *
Re: Basic Authentication
You might want to read the comments on the following URL - it shows how to configure authentication with a Windows domain, but apparently it's out of date:
http://www.raibledesigns.com/page/rd?anchor=easy_windows_authentication_with_tomcat

Matt

On Dec 5, 2003, at 9:45 AM, Bui, Bao-Ha D wrote:
> [...]
Re: Basic Authentication
http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:
> [...]
RE: Basic Authentication
Here is the exact code to do it my friend. Redirect or whatever you want, after the System.out.println

-Jesse

=

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    import java.util.*;

    public class AuthenticationServlet extends HttpServlet {

        // Step 2: Challenge message (NTLM Type 2). The 8-byte challenge below is a
        // fixed constant, and the client's Type 3 response is never verified in
        // doPost, so the names printed there are unverified client-supplied values.
        final private static byte[] CHALLENGE_MESSAGE = {
            (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', 0, // signature
            2, 0, 0, 0,                 // message type 2
            0, 0, 0, 0,                 // target name: length, max length (empty)
            40, 0, 0, 0,                // target name offset (end of this message)
            1, (byte)130, 0, 0,         // flags 0x00008201: Unicode, NTLM, always sign
            0, 2, 2, 2, 0, 0, 0, 0,     // nonce
            0, 0, 0, 0, 0, 0, 0, 0};    // context / reserved

        /** Little-endian unsigned 16-bit read; Java bytes are signed, so mask them. */
        private static int u16le(byte[] b, int i) {
            return ((b[i + 1] & 0xff) << 8) | (b[i] & 0xff);
        }

        /**
         * Obtain the network ID from the HTTP request
         */
        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            try {
                String auth = req.getHeader("Authorization");
                if (auth == null) {
                    // No credentials yet: ask the browser to start the NTLM handshake
                    res.setContentLength(0);
                    res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    res.setHeader("WWW-Authenticate", "NTLM");
                    res.flushBuffer();
                    return;
                }
                if (!auth.startsWith("NTLM ")) {
                    return;
                }
                byte[] msg = Base64.getMimeDecoder().decode(auth.substring(5));
                // Step 1: Negotiation message received
                if (msg[8] == 1) {
                    // Send challenge message (Step 2)
                    res.setContentLength(0);
                    res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    res.setHeader("WWW-Authenticate",
                            "NTLM " + Base64.getEncoder().encodeToString(CHALLENGE_MESSAGE));
                    res.flushBuffer();
                    return;
                }
                // Step 3: Authentication message received
                if (msg[8] == 3) {
                    // Security buffers (length, max length, offset) for domain, user and
                    // workstation start at byte 28; this reads the "max length" halfword
                    // and the low 16 bits of each offset, as the original did.
                    int off = 30;
                    int length, offset;
                    length = u16le(msg, off);
                    offset = u16le(msg, off + 2);
                    String domain = new String(msg, offset, length);
                    length = u16le(msg, off + 8);
                    offset = u16le(msg, off + 10);
                    String user = new String(msg, offset, length);
                    length = u16le(msg, off + 16);
                    offset = u16le(msg, off + 18);
                    String ws = new String(msg, offset, length);
                    System.out.println("Username: " + removeBlanks(user)
                            + " Domain: " + removeBlanks(domain)
                            + " Workstation: " + removeBlanks(ws));
                }
            } catch (Throwable ex) {
                ex.printStackTrace();
            }
        }

        /**
         * Removes non-printable characters from a string (the strings above are
         * UTF-16LE when the Unicode flag was negotiated, so this also drops the
         * interleaved zero bytes)
         */
        private String removeBlanks(String s) {
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                if (c > ' ') sb.append(c);
            }
            return sb.toString();
        }
    }

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:58 AM
To: Tomcat Users List
Subject: Re: Basic Authentication

http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:
Hi all,
I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
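The servlet above dereferences the Type 3 security buffers (length and offset pairs) straight from the client's message without checking them against the message size, and decodes the bytes with the platform default charset. The following is an added example, not code from Jesse's post or from Tomcat, showing the same extraction done with bounds checks and with the Unicode/OEM flag honoured. The class name, the sample names (CORP, alice, WS01) and the `buildSample` helper that constructs a minimal Type 3 message for the demonstration are all constructed for this example; the field layout (signature, type, six security buffers, flags at byte 60) is the standard NTLMSSP Type 3 layout.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Bounds-checked extraction of the name fields of an NTLM Type 3 (authenticate) message. */
public final class NtlmType3Names {
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final int NEGOTIATE_UNICODE = 0x00000001;
    private static final int HEADER_LEN = 64;   // signature, type, six security buffers, flags

    public final String domain, user, workstation;

    private NtlmType3Names(String domain, String user, String workstation) {
        this.domain = domain; this.user = user; this.workstation = workstation;
    }

    /**
     * Parses msg. Each security buffer is validated against the message size before it is
     * read, so a truncated or malformed message raises IllegalArgumentException instead of
     * an out-of-bounds read. unicodeDefault applies when the optional flags field is absent.
     */
    public static NtlmType3Names parse(byte[] msg, boolean unicodeDefault) {
        if (msg.length < 52 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE))
            throw new IllegalArgumentException("not an NTLMSSP message");
        ByteBuffer bb = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (bb.getInt(8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        boolean unicode = msg.length >= HEADER_LEN
                ? (bb.getInt(60) & NEGOTIATE_UNICODE) != 0 : unicodeDefault;
        // Security buffers: LM response at 12, NT response at 20, then the three names.
        return new NtlmType3Names(readField(msg, bb, 28, unicode),
                                  readField(msg, bb, 36, unicode),
                                  readField(msg, bb, 44, unicode));
    }

    /** Reads one security buffer (u16 length, u16 max length, u32 offset) safely. */
    private static String readField(byte[] msg, ByteBuffer bb, int secBuf, boolean unicode) {
        int len = bb.getShort(secBuf) & 0xffff;       // unsigned 16-bit length
        int off = bb.getInt(secBuf + 4);               // negative means > 2^31: reject
        if (off < 0 || off > msg.length || len > msg.length - off)
            throw new IllegalArgumentException("security buffer outside message");
        // OEM strings use the client's code page; ISO-8859-1 is a lossless byte mapping.
        return new String(msg, off, len, unicode ? StandardCharsets.UTF_16LE
                                                 : StandardCharsets.ISO_8859_1);
    }

    /** Constructed test input: a Type 3 message with empty responses and Unicode names. */
    static byte[] buildSample(String domain, String user, String ws) {
        byte[] d = domain.getBytes(StandardCharsets.UTF_16LE);
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        byte[] w = ws.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer bb = ByteBuffer.allocate(HEADER_LEN + d.length + u.length + w.length)
                                  .order(ByteOrder.LITTLE_ENDIAN);
        bb.put(SIGNATURE).putInt(3);
        int off = HEADER_LEN;
        putSecBuf(bb, 0, off);                   // LM response (empty)
        putSecBuf(bb, 0, off);                   // NT response (empty)
        putSecBuf(bb, d.length, off); off += d.length;
        putSecBuf(bb, u.length, off); off += u.length;
        putSecBuf(bb, w.length, off); off += w.length;
        putSecBuf(bb, 0, off);                   // session key (empty)
        bb.putInt(NEGOTIATE_UNICODE);            // flags
        bb.put(d).put(u).put(w);
        return bb.array();
    }

    private static void putSecBuf(ByteBuffer bb, int len, int off) {
        bb.putShort((short) len).putShort((short) len).putInt(off);
    }

    public static void main(String[] args) {
        byte[] sample = buildSample("CORP", "alice", "WS01");
        NtlmType3Names n = parse(sample, true);
        System.out.println(n.domain + "\\" + n.user + " from " + n.workstation);

        // A domain offset pointing far past the end of the message is rejected, not read.
        byte[] bad = sample.clone();
        ByteBuffer.wrap(bad).order(ByteOrder.LITTLE_ENDIAN).putInt(32, 0x7fffff00);
        try {
            parse(bad, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Like the servlet in the post, this only extracts the names the client claims; nothing here verifies the LM/NT response against the challenge, so the result is an unauthenticated identity hint until the response is checked against a domain controller or a stored hash.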
RE: Basic Authentication
Can somebody suggest how to implement Basic Authentication in Tomcat 4.1 or use an existing Basic Authentication being used by another application.

Thanks
-sumit

-----Original Message-----
From: Kumar, Sumit
Sent: Thursday, November 20, 2003 11:44 AM
To: 'Tomcat Users List'
Subject: Basic Authentication

Hello,
I have a third party application named Intraspect 5.6. It uses Tomcat 4.1 as servlet engine. It uses Basic Authentication. I want to use the same Basic Authentication used by Intraspect for my custom application that I have deployed in the same Tomcat instance. From my webapp, can I go to the table where Intraspect stores the userids and passwords and decode the password? Or is there a better way? I also do not understand how Basic Authentication is implemented. Any help please.

Thanks
-sumit
RE : Basic Authentication
Isn't it used in the class java.net.Authenticator? See it

-----Original Message-----
From: Kumar, Sumit [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 7:01 PM
To: 'Tomcat Users List'
Subject: RE: Basic Authentication

Can somebody suggest how to implement Basic Authentication in Tomcat 4.1 or use an existing Basic Authentication being used by another application.

Thanks
-sumit

-----Original Message-----
From: Kumar, Sumit
Sent: Thursday, November 20, 2003 11:44 AM
To: 'Tomcat Users List'
Subject: Basic Authentication

Hello,
I have a third party application named Intraspect 5.6. It uses Tomcat 4.1 as servlet engine. It uses Basic Authentication. I want to use the same Basic Authentication used by Intraspect for my custom application that I have deployed in the same Tomcat instance. From my webapp, can I go to the table where Intraspect stores the userids and passwords and decode the password? Or is there a better way? I also do not understand how Basic Authentication is implemented. Any help please.

Thanks
-sumit
RE: Basic Authentication not work for directory
try /document/* as the url-pattern or /document/*.doc if you want the .doc files under /document to be protected ...

-----Original Message-----
From: Daniel Zhang [mailto:[EMAIL PROTECTED]
Sent: 22 July 2003 14:48
To: Tomcat Users List
Subject: Basic Authentication not work for directory

Hi, all -

I've configured Tomcat 4.1.18 on a RH Linux 8 server. Then I need some authentication for certain directories under webapps. So I configured server.xml, web.xml and tomcat-users.xml, creating a role and its username with password. It works only for an individual file with an extension name, but never works for a directory. As you can see in the following code, it pops up the basic authentication window for all *.doc files, but does not work for files under the /document directory. Has anyone had the same experience?

===== web.xml =====

    <security-constraint>
      <display-name>Security Check</display-name>
      <web-resource-collection>
        <web-resource-name>Basic Authentication</web-resource-name>
        <url-pattern>*.doc</url-pattern>
        <url-pattern>/document/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tom</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Doc Authentication</realm-name>
    </login-config>
    <security-role>
      <role-name>tom</role-name>
    </security-role>

===== tomcat-users.xml =====

    <tomcat-users>
      <role rolename="tom" />
      <role rolename="role1" />
      <user name="tomcat" password="tomcat" roles="tom" />
      <user name="role1" password="tomcat" roles="role1" />
      <user name="both" password="tomcat" roles="tom,role1" />
    </tomcat-users>
Re: Basic Authentication not work for directory
As you can see in my web.xml file, I've already put /document/* as a url-pattern (<url-pattern>/document/*</url-pattern>); the question is that under the /document directory there are some other types of file, like *.pdf and *.txt, which need to be protected. I also have these types of file in other directories which need to be public. So if I put *.doc, it will block all doc files. BTW, /document/*.doc never works. You still can get a doc file under document without the authentication window popping up. The only way to block doc files is to put *.doc between <url-pattern> and </url-pattern>. It is not right as what many Tomcat documents state, is it?

-Daniel

Abid Ali Teepo wrote:
try /document/* as the url-pattern or /document/*.doc if you want the .doc files under /document to be protected ...

-----Original Message-----
From: Daniel Zhang [mailto:[EMAIL PROTECTED]
Sent: 22 July 2003 14:48
To: Tomcat Users List
Subject: Basic Authentication not work for directory

Hi, all -

I've configured Tomcat 4.1.18 on a RH Linux 8 server. Then I need some authentication for certain directories under webapps. So I configured server.xml, web.xml and tomcat-users.xml, creating a role and its username with password. It works only for an individual file with an extension name, but never works for a directory. As you can see in the following code, it pops up the basic authentication window for all *.doc files, but does not work for files under the /document directory. Has anyone had the same experience?

===== web.xml =====

    <security-constraint>
      <display-name>Security Check</display-name>
      <web-resource-collection>
        <web-resource-name>Basic Authentication</web-resource-name>
        <url-pattern>*.doc</url-pattern>
        <url-pattern>/document/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tom</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Doc Authentication</realm-name>
    </login-config>
    <security-role>
      <role-name>tom</role-name>
    </security-role>

===== tomcat-users.xml =====

    <tomcat-users>
      <role rolename="tom" />
      <role rolename="role1" />
      <user name="tomcat" password="tomcat" roles="tom" />
      <user name="role1" password="tomcat" roles="role1" />
      <user name="both" password="tomcat" roles="tom,role1" />
    </tomcat-users>
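The servlet specification allows exactly three url-pattern forms in a security constraint: a path prefix ending in /* , an extension pattern starting with *. , and an exact path. A pattern such as /document/*.doc is neither a prefix nor an extension pattern, so it is treated as an exact path that no real request matches, which is consistent with what Daniel observed. A second point worth checking in the web.xml above: once a web-resource-collection lists any http-method, the constraint applies only to those methods and every other method (DELETE, OPTIONS, TRACE, ...) on the same URLs is left unconstrained. The fragment below is an added example, not configuration from this thread; the resource names and paths other than /document/* are assumed.

```xml
<!-- Added example: one constraint showing the three valid url-pattern forms.
     No http-method elements are listed, so the constraint covers every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected documents</web-resource-name>
    <!-- Path-prefix pattern: /document/x.doc, /document/a/b.pdf, /document/ itself -->
    <url-pattern>/document/*</url-pattern>
    <!-- Extension pattern: every .doc anywhere in the application -->
    <url-pattern>*.doc</url-pattern>
    <!-- Exact pattern: this one resource only (assumed path) -->
    <url-pattern>/reports/summary.pdf</url-pattern>
    <!-- Not allowed: <url-pattern>/document/*.doc</url-pattern>
         would be matched as the literal exact path "/document/*.doc" -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>tom</role-name>
  </auth-constraint>
</security-constraint>

<!-- Weak variant: listing methods restricts the constraint to them. A DELETE or
     OPTIONS to /document/secret.pdf would NOT be challenged under this constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GET/POST only (incomplete coverage)</web-resource-name>
    <url-pattern>/document/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tom</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Doc Authentication</realm-name>
</login-config>
<security-role>
  <role-name>tom</role-name>
</security-role>
```

If a method list is genuinely needed (for example to keep GET public but require a login for PUT), use http-method only in the constraint that grants the exception, and keep a second, method-less constraint for everything else.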
Re: Basic authentication question
add this to the web.xml

    <error-page>
      <error-code>401</error-code>
      <location>/errorpage.jsp</location>
    </error-page>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:22 PM
Subject: Basic authentication question

I wish to replace tomcat's 401 error page with something more elegant and specific to my web app. How can I do this?

Thanks,
Derrick

This electronic transmission is strictly confidential to Smith Nephew and intended solely for the addressee. It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, or someone authorized by the intended addressee to receive transmissions on behalf of the addressee, you must not retain, disclose in any form, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify the sender as soon as possible and destroy this message.
RE: Basic authentication question
Unfortunately, this does not work. Tomcat seems to use 401 as a prompt to put up the basic auth login dialog. If you add the configuration below, it goes to this page first without ever prompting for user login.

Do you have any other suggestions?

Thanks,
Derrick

-----Original Message-----
From: Boon Seong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 5:27 PM
To: Tomcat Users List
Subject: Re: Basic authentication question

add this to the web.xml

    <error-page>
      <error-code>401</error-code>
      <location>/errorpage.jsp</location>
    </error-page>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:22 PM
Subject: Basic authentication question

I wish to replace tomcat's 401 error page with something more elegant and specific to my web app. How can I do this?

Thanks,
Derrick
Re: Basic authentication question
In that case, meaning it is a protected resource right ? Maybe u can try using the container's security feature such as putting this configuration in your web application's web.xml file.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin page</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/admin/login.jsp</form-login-page>
        <form-error-page>/admin/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:31 PM
Subject: RE: Basic authentication question

Unfortunately, this does not work. Tomcat seems to use 401 as a prompt to put up the basic auth login dialog. If you add the configuration below, it goes to this page first without ever prompting for user login.

Do you have any other suggestions?

Thanks,
Derrick

-----Original Message-----
From: Boon Seong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 5:27 PM
To: Tomcat Users List
Subject: Re: Basic authentication question

add this to the web.xml

    <error-page>
      <error-code>401</error-code>
      <location>/errorpage.jsp</location>
    </error-page>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:22 PM
Subject: Basic authentication question

I wish to replace tomcat's 401 error page with something more elegant and specific to my web app. How can I do this?

Thanks,
Derrick
RE: Basic authentication question
Sorry, it is a protected resource and I want to continue to use basic authentication, not form authentication. I still don't see a way around the problem.

The relevant part of my web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>dora</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>1</role-name>
        <role-name>2</role-name>
        <role-name>3</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>DORA</realm-name>
    </login-config>

-----Original Message-----
From: Boon Seong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 5:37 PM
To: Tomcat Users List
Subject: Re: Basic authentication question

In that case, meaning it is a protected resource right ? Maybe u can try using the container's security feature such as putting this configuration in your web application's web.xml file.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin page</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/admin/login.jsp</form-login-page>
        <form-error-page>/admin/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:31 PM
Subject: RE: Basic authentication question

Unfortunately, this does not work. Tomcat seems to use 401 as a prompt to put up the basic auth login dialog. If you add the configuration below, it goes to this page first without ever prompting for user login.

Do you have any other suggestions?

Thanks,
Derrick

-----Original Message-----
From: Boon Seong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 5:27 PM
To: Tomcat Users List
Subject: Re: Basic authentication question

add this to the web.xml

    <error-page>
      <error-code>401</error-code>
      <location>/errorpage.jsp</location>
    </error-page>

----- Original Message -----
From: Koes, Derrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:22 PM
Subject: Basic authentication question

I wish to replace tomcat's 401 error page with something more elegant and specific to my web app. How can I do this?

Thanks,
Derrick
Re: Solved! Re: Basic authentication and custom 401 Not Authorized error page
It can be made to work...

Put the error-page directive in as per web.xml spec

On the jsp / servlet it points at,

    response.addHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

and then write custom page

And it will challenge (well it did for me...)

No need for filters or any of that jazz.

Joe Tomcat wrote:
Here is how you can create a custom 401 (Not Authorized) error response in Tomcat.

Putting a directive like this:

    <error-page>
      <error-code>401</error-code>
      <location>/errors/401.html</location>
    </error-page>

in web.xml will not work. If you put that in web.xml, it will deny all authorization.

The thing to do is to create a filter for the resources you want to protect. Do the conventional basic authentication in the filter. However, here is the part which is different:

    String errorFile = "/errors/401.html";
    // Challenge header and status are set before the custom body is produced
    response.addHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    RequestDispatcher rd = request.getRequestDispatcher(errorFile);
    try {
        rd.forward(request, response);
    } catch (ServletException e) {
        throw new IOException(e);
    }

So instead of letting the container generate the html for the 401 response, you always generate it using the RequestDispatcher. The RequestDispatcher can of course be an html or jsp file.

So that is the solution to custom 401 errors in Tomcat.
More info Re: Basic authentication and custom 401 Not Authorizederror page
I did some more research on this. It looks like it was a Known Bug in Tomcat 4.0.2, and it doesn't look like it has been fixed since then (I'm using 4.0.4). Tomcat developers, is there any patch or workaround known for this?

I did some digging in the Tomcat source, and it looks like the html error pages are generated by this valve: org.apache.catalina.valves.ErrorReportValve

I could definitely edit that valve, putting in my own custom html, and then recompile and redeploy Catalina. If there is no other way to fix that, then that is what I'll do, but I would rather do this in some more portable (and easier) way.

Any tips will be appreciated.

Thanks!

On Thu, 2002-09-05 at 13:01, Joe Tomcat wrote:
I have written a filter that uses Basic Http authorization to control access to pages. I want to be able to define a custom 401 error page to show users if they are unable to log in. I should be able to do this by putting a section like this in my web.xml:

    <error-page>
      <error-code>401</error-code>
      <location>/errors/401.html</location>
    </error-page>

However, when I put that entry into the web.xml, when the user clicks to log in, it goes immediately to the error page, without even hitting my filter.

I know what is happening: The filter sends a 401 back to the browser to prompt the user for the password. The container intercepts this 401, sees that it's an error, and then displays the error page resource.

Is there a way to change or work around this behavior? Surely there is a way to display a custom 401 error page and still have basic authentication work?
Re: More info Re: Basic authentication and custom 401 Not Authorized error page
On Thu, 2002-09-05 at 13:55, Eric Hollander wrote:
I did some more research on this. It looks like it was a Known Bug in Tomcat 4.0.2, and it doesn't look like it has been fixed since then (I'm using 4.0.4). Tomcat developers, is there any patch or workaround known for this?

I did some digging in the Tomcat source, and it looks like the html error pages are generated by this valve: org.apache.catalina.valves.ErrorReportValve

More information: There's a method in org.apache.catalina.core.StandardHost that does this:

    private String errorReportValveClass = "org.apache.catalina.valves.ErrorReportValve";

So if there were some way to set the value of errorReportValveClass through a config file, at least I wouldn't have to recompile catalina to make it show a custom 401 response. I couldn't find out if this value is read in from a properties file somewhere, but I sure would love to be able to not have to recompile catalina to get this to work.

Thanks for any tips.
Solved! Re: Basic authentication and custom 401 Not Authorized error page
Here is how you can create a custom 401 (Not Authorized) error response in Tomcat.

Putting a directive like this:

    <error-page>
      <error-code>401</error-code>
      <location>/errors/401.html</location>
    </error-page>

in web.xml will not work. If you put that in web.xml, it will deny all authorization.

The thing to do is to create a filter for the resources you want to protect. Do the conventional basic authentication in the filter. However, here is the part which is different:

    String errorFile = "/errors/401.html";
    // Challenge header and status are set before the custom body is produced
    response.addHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    RequestDispatcher rd = request.getRequestDispatcher(errorFile);
    try {
        rd.forward(request, response);
    } catch (ServletException e) {
        throw new IOException(e);
    }

So instead of letting the container generate the html for the 401 response, you always generate it using the RequestDispatcher. The RequestDispatcher can of course be an html or jsp file.

So that is the solution to custom 401 errors in Tomcat.
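Both this post and the "It can be made to work" reply above rely on the same idea: the application, not the container, emits the 401 together with the WWW-Authenticate header and then supplies its own body. The filter below is an added example that is not code from this thread or from Tomcat. It assumes the javax.servlet API (Tomcat 9 and earlier; Tomcat 10 uses jakarta.servlet), a Realm configured in the container so that HttpServletRequest.login() (Servlet 3.0) can verify the credentials, and that the filter is mapped in web.xml to the protected URLs in place of a container login-config for those URLs (a container BASIC login-config would intercept the request before any filter runs, which is the problem Derrick hit). The init-param names realm, errorPage and role, the class name and the default 401 page path are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Basic-auth filter that issues the challenge itself and renders a custom 401 body.
 * Passwords are never compared here: the container's Realm does that via login().
 */
public class BasicAuthFilter implements Filter {
    private String realm = "DORA";                   // init-param "realm" (assumed name)
    private String errorPage = "/errors/401.jsp";    // init-param "errorPage" (assumed name)
    private String requiredRole;                     // init-param "role" (assumed name); null = any user

    @Override
    public void init(FilterConfig cfg) {
        if (cfg.getInitParameter("realm") != null) realm = cfg.getInitParameter("realm");
        if (cfg.getInitParameter("errorPage") != null) errorPage = cfg.getInitParameter("errorPage");
        requiredRole = cfg.getInitParameter("role");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not yet authenticated on this request (or cached in the session): try the header.
        if (request.getUserPrincipal() == null) {
            String[] creds = parseBasic(request.getHeader("Authorization"));
            boolean loggedIn = false;
            if (creds != null) {
                try {
                    request.login(creds[0], creds[1]);   // Realm verifies; throws on failure
                    loggedIn = true;
                } catch (ServletException badCredentials) {
                    // unknown user or wrong password: challenge again below
                }
            }
            if (!loggedIn) {
                challenge(request, response);
                return;
            }
        }
        // Authentication done; authorization is a separate decision.
        if (requiredRole != null && !request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** 401 + WWW-Authenticate, followed by our own page instead of the container's. */
    private void challenge(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\", charset=\"UTF-8\"");
        response.setContentType("text/html;charset=UTF-8");
        // include() rather than forward(): an included resource cannot change the status
        // code or headers, so the challenge set above is guaranteed to reach the client.
        request.getRequestDispatcher(errorPage).include(request, response);
    }

    /**
     * Decodes "Basic base64(user:password)". Returns null for a missing, non-Basic or
     * malformed header. The scheme name is case-insensitive and the first ':' splits
     * the pair, so passwords may contain ':' (RFC 7617).
     */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    @Override
    public void destroy() { }
}
```

The difference from the snippet in the post is include() instead of forward(): forward() clears the buffered body but leaves status and headers to whatever the target resource does, while the specification guarantees that an included resource cannot alter them, so the 401 and the challenge header survive regardless of what the error page itself sets. Keeping verification in the Realm (through login()) also means the same user database, lockout and password storage apply to this filter as to the container's own BASIC authenticator.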
Re: Basic authentication and Tomcat servlets
If 'b' is not protected, then Apache will neither ask for authorization nor include authorization info in the request headers when a document in 'b' is requested.

One thing you could try is to use a symbolic link to 'b' from 'a' so that /htdocs/a/b points to /htdocs/b. Then a request for /htdocs/a/b will require authorization, but /htdocs/b will not. Of course it all depends on how your documents link to 'b' and if you don't mind maintaining 2 routes to 'b' in your links.

Jeff

----- Original Message -----
From: Barris, Wes (LI, Uni of Queensland) [EMAIL PROTECTED]
To: Tomcat User (E-mail) [EMAIL PROTECTED]
Sent: Tuesday, March 26, 2002 10:37 PM
Subject: Basic authentication and Tomcat servlets

I am running Tomcat 4.0.1 connected to Apache 1.3.23 via mod_webapp 1.0 on a Redhat 7.2 system.

Directory 'a' is protected using Basic Apache authentication: /htdocs/a

Directory 'b' is where my servlets are deployed via webapp: /htdocs/b

I want to allow anyone access to 'b', but inside a servlet in 'b' I want to test to see if they authenticated themselves in 'a'. Is there a way to do this? So far, I have only been able to do this using:

    String auth = request.getHeader("Authorization");

IFF 'b' is under 'a' like this: /htdocs/a/b

--
Wes Barris
E-Mail: [EMAIL PROTECTED]
Phone: 07-3346-2504
Re: BASIC Authentication Question
Have you turned on the SingleSignOn valve in server.xml?

-Paul

Mark Shaw wrote:
I'm hoping someone can shed some light on a particular behavior I'm experiencing with BASIC authentication and session cookies:

I've set up my servlet to use BASIC authentication and I'm using my own very simple realm implementation:

    protected String getPassword(String username) {
        return "tomcat";
    }

    protected Principal getPrincipal(String username) {
        List roles = new ArrayList();
        roles.add("test");
        return new GenericPrincipal(this, "tomcat", "tomcat", roles);
    }

I have a Java client that connects to my servlet via a URL connection, identical to the code in org.apache.catalina.ant.AbstractCatalinaTask, passing in tomcat for user and password in the first request which works great!

In subsequent requests I pass back the sessionID (in a cookie labeled jsessionid...) instead of the BASIC authentication, but my request fails [This request requires HTTP authentication (Unauthorized)] although my session ID is recognized by the servlet. I figured my initial authentication was cached so that I only needed to send the session ID and not pass the authentication string in the header each time - this seems to be the behavior of the Manager App when I dump its Request/Response headers.

Any ideas how I can accomplish this from a Java client: only sending authentication once, then using the session ID cookie from then on?

What's even stranger is that if I pass both the BASIC authentication header and my session ID every time it works great and my session is recognized, but my realm methods (see above) are never called, so the authentication must be stashed somewhere?

Thanks for any help,
-Mark
Re: BASIC Authentication Question
Mark Shaw wrote:
In subsequent requests I pass back the sessionID (in a cookie labeled jsessionid...) instead of the BASIC authentication

You need to include the authentication information with every request for a protected resource, or you're going to get another challenge. rfc2617 says:

2 Basic Authentication Scheme
...
A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.

--
Christopher St. John [EMAIL PROTECTED]
DistribuTopia http://www.distributopia.com
Re: BASIC Authentication Question
On Wed, 6 Mar 2002, Mark Shaw wrote:

Date: Wed, 6 Mar 2002 22:37:17 -0800
From: Mark Shaw [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: BASIC Authentication Question

I'm hoping someone can shed some light on a particular behavior I'm experiencing with BASIC authentication and session cookies:

I've set up my servlet to use BASIC authentication and I'm using my own very simple realm implementation:

    protected String getPassword(String username) {
        return "tomcat";
    }

    protected Principal getPrincipal(String username) {
        List roles = new ArrayList();
        roles.add("test");
        return new GenericPrincipal(this, "tomcat", "tomcat", roles);
    }

I have a Java client that connects to my servlet via a URL connection, identical to the code in org.apache.catalina.ant.AbstractCatalinaTask, passing in tomcat for user and password in the first request which works great!

One of the best aspects of open source ... you can see what worked for somebody else :-).

In subsequent requests I pass back the sessionID (in a cookie labeled jsessionid...) instead of the BASIC authentication, but my request fails [This request requires HTTP authentication (Unauthorized)] although my session ID is recognized by the servlet. I figured my initial authentication was cached so that I only needed to send the session ID and not pass the authentication string in the header each time - this seems to be the behavior of the Manager App when I dump its Request/Response headers.

Any ideas how I can accomplish this from a Java client: only sending authentication once, then using the session ID cookie from then on?

What's even stranger is that if I pass both the BASIC authentication header and my session ID every time it works great and my session is recognized, but my realm methods (see above) are never called, so the authentication must be stashed somewhere?

When you use BASIC authentication, Tomcat 4 currently expects that you will include the Authorization header on every request, even though it does cache the authenticated Principal when you are in a session. Looking at the specs (http://www.ietf.org/rfc/rfc2617.txt), it is not stated that this is required, so this behavior could probably be relaxed (when within a session) without ill effects. One possibly negative side effect would be the case where the server's user database changes the password for this username (or removes it entirely) -- the previous authentication would still work for the duration of the current session. That's what happens already with form-based login, so it's probably ok.

Could you please post this as an enhancement request to our bug tracking system (http://nagoya.apache.org/bugzilla) to make sure it does not get lost?

Thanks for any help,
-Mark

Craig

PS: Has anyone had any success trying to force a logout (and subsequent re-authentication) of a BASIC authentication when the current session is invalidated or times out, without requiring that the user close down and restart the browser? It would be very useful in Servlet 2.4 to know whether or not this is technically feasible -- if it is, we can think about mandating it as standard behavior so that applications do not have to care which login method is being used.
RE: Basic authentication password caching
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Monday, 17 December 2001 14:33

My problem is that there seems to be a permanent connection between the browser and the servlet, or the login information is cached by the browser until the browser is restarted.

This question has been asked on the list so many times before. The short answer is no, at least with BASIC auth: you cannot make the browser disregard a previously done auth without closing it. And this is the behavior of all browsers. The solution is to use FORM instead of BASIC, and simply invalidate the session; if you try this with BASIC, the next time the browser requests a protected page, it simply sends the cached auth previously done.

Regards,
Ignacio J. Ortega
RE: Basic authentication password caching
-----Original Message-----
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 17, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Basic authentication password caching

Hi everybody,

I set up Tomcat 3.3 with JDBCRealm and a MySQL database using basic authentication. We use a servlet for file uploading to our server. Before sending the files, the user is prompted for login name and password. My problem is that there seems to be a permanent connection between the browser and the servlet, or the login information is cached by the browser until the browser is restarted. But I'd like to force the user to enter his ID and password each time he sends files, no matter if he restarts his browser or not. Any hints?

Besides, another question: is there any documentation about parameters usable in web.xml and apps-XXX.xml and what they mean? This would be very helpful.

Thanks
Sabine

The web.xml is documented by the Servlet spec (version 2.2 for Tomcat 3.3). It may be obtained here: http://java.sun.com/products/servlet/download.html

The apps-XXX.xml is documented in the User Guide under the "Adding and Customizing Contexts" section. The online version may be found at: http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ug.html#context_addcust

Cheers,
Larry
Re: Basic authentication password caching
On Mon, 17 Dec 2001, EDV Systembetrieb wrote:

Date: Mon, 17 Dec 2001 14:32:34 +0100
From: EDV Systembetrieb [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Basic authentication password caching

Hi everybody,

I set up Tomcat 3.3 with JDBCRealm and a MySQL database using basic authentication. We use a servlet for file uploading to our server. Before sending the files, the user is prompted for login name and password. My problem is that there seems to be a permanent connection between the browser and the servlet, or the login information is cached by the browser until the browser is restarted. But I'd like to force the user to enter his ID and password each time he sends files, no matter if he restarts his browser or not. Any hints?

As you noted, it is the *browser* that's caching the username/password, so there is nothing the server can do about it. An alternative would be to use form-based login instead: invalidating the user's session logs them off.

Besides, another question: is there any documentation about parameters usable in web.xml and apps-XXX.xml and what they mean? This would be very helpful.

For web.xml the important document is the Servlet Specification, which you can download from: http://java.sun.com/products/servlet/download.html

For apps-XXX.xml you need to ask the 3.3 developers about it; there's lots of docs about configuring Tomcat 4 :-).

Thanks
Sabine

Craig
Re: basic authentication with IIS - error 404 - tomcat 3.2.3
Hello,

Well, I'm just writing a response to myself ;) The following problem is not there with NT4/IIS 4. I have it only with W2K/IIS 5.

Using Tomcat for the authentication is not working completely: the authentication is going well, but the result of it is not the JSP page I wanted to see, but a 404 error, saying the page does not exist. If I switch off the authentication, the page can be displayed very well.

--
SWIPe Software Engineering Project Management GmbH
Solutions with Individual Profile
Web: http://www.swipe.de
Re: basic authentication -- where is there a simple example?
Betty,

Take a look at the web.xml (from the servlet spec), and do not forget the security vulnerability when you use BASIC authentication without SSL.

Pae

Hi -- Can someone point me to a simple example of how to set up Tomcat for basic HTTP authentication?

Thanks
Betty
Portal Wave, Inc. Catalyst for Collaborative Commerce www.portalwave.com
Re: Basic Authentication via .htaccess
You can add a user / password in tomcat-users.xml and assign the role "admin" to this user.

Can you restrict access to a servlet using .htaccess in Tomcat? I am pretty interested in it also.

----- Original Message -----
From: Cory L Hubert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 03, 2001 4:20 AM
Subject: Basic Authentication via .htaccess

Can someone point me in the right direction? I need to set up Basic Authentication. I am currently using a .htaccess file and I would like to use it to authenticate users. So I have in my web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/free?action=getMemberform</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin</realm-name>
    </login-config>

Obviously I don't have a realm named Admin or a role named Admin. Does anyone know how to get it to use the .htaccess?
Re: Basic Authentication w/ Tomcat 3.1
[EMAIL PROTECTED] wrote:

It works fine with Tomcat 3.2, but it should run on Tomcat 3.1 ... don't ask me why, I have no idea :-)

Any ideas what is wrong? Thanks in advance.

Regards,
Juergen

This is one of the many bugs in Tomcat 3.1. If you want to use container managed security, you need to use 3.2 or later.

Craig McClanahan
Re: Basic authentication
Marino Vittorio wrote:

I am using Basic authentication with Tomcat v3.2.1. Everything works just fine, but I'd like to know how to grab user and password during the authentication process to put them in a bean. Any clue?

Thanks,
Vittorio

The username is already available, via request.getRemoteUser(). Is there a particular reason you need the password as well?

Craig McClanahan