Re: BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

2007-07-14 Thread Thomas Hicks

At 06:05 PM 7/13/2007, you wrote:


Thomas Hicks [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a web application which uses BASIC authentication.

 In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
 the protected webapp causes the browser to popup a login box
 where username and password are entered. This works well, no
 matter whether passwords are plain or SHA digested and no
 matter whether I access the protected webapp using the HTTP
 port or the HTTPS port. It also works with a wide variety of browsers.

 Moving to Tomcat 5.5.x, however, causes the BASIC authentication
 not to work anymore. The login box pops up but no username/password
 combination ever allows access. The login box just clears the entries
 and one is stuck at the login box. Again, I have tried plain and SHA
 digested passwords in the tomcat-users.xml file with no luck either way.
 This behavior is the same across different web browsers.

 The web.xml file for the web application contains the following security
 configuration portion, which enables password access in 5.0.x but
 doesn't work in 5.5.x:

   <!--  -->
   <!-- Container-Security Configuration -->
   <!--  -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Reports Browser</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>

     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>


In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
being treated as 'any authenticated user'.  In TC 5.5 this was fixed to mean
'any role that is declared in a <security-role>'.  You can set the attribute
allRolesMode=authOnly on the <Realm /> to have Tomcat revert to its
previous behavior.


Thank you very much!
I didn't actually try reverting the behavior -- I took the other
solution implied by your crucial information; I just declared a
security role in my web.xml file, added that role to the
tomcat-users.xml file and BASIC auth works again.
Thanks again for your timely response.
regards,
-tom



   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Protected Area</realm-name>
   </login-config>


 I have searched online for answers and have reviewed the Servlet 2.4
 specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
 BASIC authentication is such a, well, basic thing that there must be
 some small change I need to make, between the Tomcat versions, to get
 this to work again. Any help is greatly appreciated.
 -tom





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
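
The cause identified in the reply above (a `*` role-name with no `<security-role>` declared) can be checked for before deploying to Tomcat 5.5. The following is an added example, not code from the thread or from the Tomcat project; the sample descriptors are constructed, and the role name `reports-user` and the function names are hypothetical. It goes slightly beyond the thread by also flagging named roles that are referenced but never declared.

```python
import xml.etree.ElementTree as ET

# Constructed samples. BROKEN mirrors the constraint posted in the thread;
# FIXED adds a <security-role>; the role name "reports-user" is hypothetical.
BROKEN = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

FIXED = BROKEN.replace(
    "<login-config>",
    "<security-role><role-name>reports-user</role-name></security-role>\n"
    "  <login-config>")


def local(tag):
    """Strip an XML namespace so namespaced and bare web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def role_names(root, parent):
    """Collect <role-name> text found under every <parent> element."""
    return [rn.text.strip()
            for el in root.iter() if local(el.tag) == parent
            for rn in el.iter() if local(rn.tag) == "role-name" and rn.text]


def check_web_xml(xml_text):
    """Return findings about role references in <auth-constraint> elements."""
    root = ET.fromstring(xml_text)
    declared = set(role_names(root, "security-role"))
    findings = []
    for role in role_names(root, "auth-constraint"):
        if role == "*" and not declared:
            # Default TC 5.5 behaviour: '*' expands to the declared roles only.
            findings.append("'*' used but no <security-role> is declared")
        elif role != "*" and role not in declared:
            findings.append(f"role '{role}' is not declared in a <security-role>")
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_web_xml(doc) or "ok")
```

The declared role must also be assigned to the user in tomcat-users.xml, as described in the reply; this check covers only web.xml.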



BASIC authentication in Tomcat 5.5.x vs. 5.0.x?

2007-07-13 Thread Thomas Hicks

I have a web application which uses BASIC authentication.

In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
the protected webapp causes the browser to popup a login box
where username and password are entered. This works well, no
matter whether passwords are plain or SHA digested and no
matter whether I access the protected webapp using the HTTP
port or the HTTPS port. It also works with a wide variety of browsers.

Moving to Tomcat 5.5.x, however, causes the BASIC authentication
not to work anymore. The login box pops up but no username/password
combination ever allows access. The login box just clears the entries
and one is stuck at the login box. Again, I have tried plain and SHA
digested passwords in the tomcat-users.xml file with no luck either way.
This behavior is the same across different web browsers.

The web.xml file for the web application contains the following security
configuration portion, which enables password access in 5.0.x but
doesn't work in 5.5.x:

  <!--  -->
  <!-- Container-Security Configuration -->
  <!--  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Currently using only BASIC authentication. Use with HTTPS. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Area</realm-name>
  </login-config>


I have searched online for answers and have reviewed the Servlet 2.4
specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
BASIC authentication is such a, well, basic thing that there must be
some small change I need to make, between the Tomcat versions, to get
this to work again. Any help is greatly appreciated.
-tom


