Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Diogenes Gomes
Hi,

I have the following web.xml
=
<web-app ...>
  <display-name>testeweb</display-name>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/erro.html</form-error-page>
    </form-login-config>
  </login-config>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
=

and the following context.xml
=
<?xml version="1.0" encoding="UTF-8"?>
<Context debug="99" docBase="${catalina.home}/webapps/testeweb"
         path="/testeweb">

  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@localhost:1521/XE"
         connectionName="saps" connectionPassword="saps"
         userTable="USUARIODOSISTEMA"
         userNameCol="NOME" userCredCol="NOME"
         userRoleTable="PAPEISDOUSUARIO" roleNameCol="NOMEDOPAPEL" />
</Context>
=


The application runs ok in Tomcat 5.0 but in 5.5.20 and 5.5.25 I have
the error page
=
HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.

Apache Tomcat/5.5.20
=

and a log segment (the very final lines in the log's file before the HTTP 403)
=
...
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Save request in session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'usuario1'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'usuario1' was successful
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/testeweb/'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Restore request from session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Proceed to restored request
=

It seems to be a bug. Does anybody know a workaround? Is there a
mistake in my configuration files?

Thanks in advance.
Diogenes Gomes

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Caldarale, Charles R
> From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
> Subject: Problem with protecting pages in Tomcat 5.5
>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>

IIRC, 5.0 misinterpreted a <role-name> setting of "*"; this was corrected
in 5.5 and above.  The asterisk does not mean "any role", but rather
"all defined roles".  (See section 12 of the servlet spec.)  You need to
provide a set of valid roles via <security-role> in your web.xml file.

> <Context debug="99" docBase="${catalina.home}/webapps/testeweb"
>   path="/testeweb">

Take out the docBase and path attributes - they're not allowed when the
<Context> element is in META-INF/context.xml (where it should be).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Diogenes Gomes
Thank you very much Caldarale.

Please, do you know how to define any role? The framework I use
takes care of authorization (based on service's methods). I only need
to authenticate the user, otherwise I would double the access
configuration.

Diogenes




RE: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Caldarale, Charles R
> From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
> Subject: Re: Problem with protecting pages in Tomcat 5.5
>
> Please, do you know how to define any role?

I don't believe the servlet spec allows for such a weak constraint.  You
may want to consider using programmatic authentication (as defined in
the servlet spec) rather than declarative.

Take a look at:
http://sourceforge.net/projects/securityfilter

Although the last update was in 2004, it's recently become active again
(thank you, Chris), and is much more flexible than what's allowed in the
spec.

 - Chuck





Re: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread David Smith
I would think the simplest way to go is to define a role and add all 
registered users to it.  Nothing says a user can't have more than one role.


--David




Re: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Christopher Schultz

Chuck,

Caldarale, Charles R wrote:
| From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
| Subject: Re: Problem with protecting pages in Tomcat 5.5
|
| Please, do you know how to define any role?
|
| I don't believe the servlet spec allows for such a weak constraint.  You
| may want to consider using programmatic authentication (as defined in
| the servlet spec) rather than declarative.
|
| Take a look at:
| http://sourceforge.net/projects/securityfilter
|
| Although the last update was in 2004, it's recently become active again
| (thank you, Chris), and is much more flexible than what's allowed in the
| spec.

Yes, sf is a bit more flexible than Tomcat's built-in authentication and
authorization. sf currently interprets the "*" role to mean "any
authenticated user", much like TC 5.0 (erroneously) did. Technically, we
should be checking against the list of defined roles, but we're not.

I expect this to be fixed in a future version, but we will probably
provide either a backward-compatibility setting to allow "*" to mean "I
don't care at all" or make it easy to re-implement the algorithm
yourself to get the same effect.

Diogenes, what's the problem with simply defining all of your roles in
the web.xml file?

-chris




Re: Problem with protecting pages in Tomcat 5.5

2008-01-24 Thread Bill Barker

Diogenes Gomes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
> Thank you very much Caldarale.
>
> Please, do you know how to define any role? The framework I use
> takes care of authorization (based on service's methods). I only need
> to authenticate the user, otherwise I would double the access
> configuration.

There is a backwards compatible setting on the <Realm />.  You add the
attribute allRolesMode="authOnly", and Tomcat will revert to its 5.0
behavior.

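As an added example (not code from this thread, and not Tomcat's own RealmBase code), the following Python models the authorization decision the replies describe and lints a web.xml for the configuration in the first message. It covers three points from the thread: Chuck's explanation that "*" in an <auth-constraint> expands to the roles declared in <security-role> (so with none declared, every request ends in 403), David's fix of declaring one role and putting every registered user in it, and Bill's allRolesMode="authOnly", which restores the 5.0 reading of "*" as "any authenticated user". The is_authorized function is the editor's reading of those replies, not a copy of Tomcat's algorithm; the two web.xml strings, the role name usuario, and the user role sets are constructed for the example.

```python
# Added example: model of how an auth-constraint role list is evaluated for
# an authenticated user, plus a lint for the "*" without <security-role>
# misconfiguration from this thread. Not Tomcat's own code.
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the poster's: "*" with no <security-role>.
ORIGINAL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed fix following the replies: declare a role via <security-role>
# (the realm must then place every registered user in it). The role name
# "usuario" is an assumption for this example.
FIXED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>usuario</role-name></security-role>
</web-app>"""


def parse_web_xml(text):
    """Return (roles named in auth-constraints, roles declared in security-role)."""
    root = ET.fromstring(text)
    constraint_roles = [(rn.text or "").strip()
                        for ac in root.iter("auth-constraint")
                        for rn in ac.findall("role-name")]
    declared_roles = [(rn.text or "").strip()
                      for sr in root.iter("security-role")
                      for rn in sr.findall("role-name")]
    return constraint_roles, declared_roles


def is_authorized(user_roles, constraint_roles, declared_roles,
                  all_roles_mode="strict"):
    """Decision for an already authenticated user (editor's model).

    all_roles_mode="strict": "*" means "any role declared in <security-role>"
    (the spec reading Chuck describes, Tomcat 5.5 default).
    all_roles_mode="authOnly": "*" means "any authenticated user"
    (the 5.0 behaviour Bill's Realm attribute restores).
    A role named explicitly in the constraint is always checked by membership.
    """
    user_roles = set(user_roles)
    explicit = [r for r in constraint_roles if r != "*"]
    if any(r in user_roles for r in explicit):
        return True
    if "*" not in constraint_roles:
        return False
    if all_roles_mode == "authOnly":
        return True
    # strict: "*" expands to the declared roles; with none declared nothing
    # can match, which is the 403 after a successful login seen in the log.
    return any(r in user_roles for r in declared_roles)


def lint(text):
    """Findings for a web.xml string; empty list means nothing to report."""
    constraint_roles, declared_roles = parse_web_xml(text)
    findings = []
    if "*" in constraint_roles and not declared_roles:
        findings.append("role-name '*' used with no <security-role> declared: "
                        "no user can satisfy the constraint (403 for everyone)")
    for r in constraint_roles:
        if r != "*" and r not in declared_roles:
            findings.append(f"role '{r}' used in <auth-constraint> but not "
                            "declared in <security-role>")
    return findings


def outcome(text, user_roles, all_roles_mode="strict"):
    """HTTP status the model predicts for an authenticated user: 200 or 403."""
    constraint_roles, declared_roles = parse_web_xml(text)
    ok = is_authorized(user_roles, constraint_roles, declared_roles,
                       all_roles_mode)
    return 200 if ok else 403


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "lint:", lint(cfg) or "clean")
        print(label, "strict   :", outcome(cfg, {"usuario"}))
        print(label, "authOnly :", outcome(cfg, {"usuario"}, "authOnly"))
```

Running the script shows the thread's three outcomes side by side: the original file is flagged by the lint and yields 403 even for a logged-in user under strict semantics, the same file yields 200 once allRolesMode="authOnly" is assumed, and the fixed file yields 200 under strict semantics for any user who holds the declared role. The lint does not replace Tomcat's own startup checks; it is only the check one would run over a web.xml before deploying to a 5.5 container.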