Problem with protecting pages in Tomcat 5.5
Hi, I have the following web.xml:
=
<web-app ...>
  <display-name>testeweb</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/erro.html</form-error-page>
    </form-login-config>
  </login-config>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
=
and the following context.xml:
=
<?xml version="1.0" encoding="UTF-8"?>
<Context debug="99" docBase="${catalina.home}/webapps/testeweb" path="/testeweb">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@localhost:1521/XE"
         connectionName="saps" connectionPassword="saps"
         userTable="USUARIODOSISTEMA" userNameCol="NOME" userCredCol="NOME"
         userRoleTable="PAPEISDOUSUARIO" roleNameCol="NOMEDOPAPEL" />
</Context>
=
The application runs OK in Tomcat 5.0, but in 5.5.20 and 5.5.25 I get the error page:
=
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Apache Tomcat/5.5.20
=
and a log segment (the very last lines in the log file before the HTTP 403):
=
...
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Save request in session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'usuario1'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'usuario1' was successful
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/testeweb/'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Restore request from session 'C47C8398E47E5894DB8531EDBC2E0630'
DEBUG http-80-Processor24 org.apache.catalina.authenticator.FormAuthenticator - Proceed to restored request
=
It seems to be a bug. Does anybody know a workaround? Is there a mistake in my configuration files?

Thanks in advance.
Diogenes Gomes

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with protecting pages in Tomcat 5.5
> From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
> Subject: Problem with protecting pages in Tomcat 5.5
>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>

IIRC, 5.0 misinterpreted a role-name setting of *; this was corrected in 5.5 and above. The asterisk does not mean "any role", but rather "all defined roles". (See section 12 of the servlet spec.) You need to provide a set of valid roles via <security-role> in your web.xml file.

> <Context debug="99" docBase="${catalina.home}/webapps/testeweb" path="/testeweb">

Take out the docBase and path attributes - they're not allowed when the <Context> element is in META-INF/context.xml (where it should be).

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Problem with protecting pages in Tomcat 5.5
Thank you very much, Caldarale. Please, do you know how to define "any role"? The framework I use takes care of authorization (based on the service's methods). I only need to authenticate the user; otherwise I would duplicate the access configuration.

Diogenes

2008/1/24, Caldarale, Charles R [EMAIL PROTECTED]:
> IIRC, 5.0 misinterpreted a role-name setting of *; this was corrected in 5.5 and above. The asterisk does not mean "any role", but rather "all defined roles". (See section 12 of the servlet spec.) You need to provide a set of valid roles via <security-role> in your web.xml file.
RE: Problem with protecting pages in Tomcat 5.5
> From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
> Subject: Re: Problem with protecting pages in Tomcat 5.5
>
> Please, do you know how to define "any role"?

I don't believe the servlet spec allows for such a weak constraint. You may want to consider using programmatic authentication (as defined in the servlet spec) rather than declarative.

Take a look at:
http://sourceforge.net/projects/securityfilter

Although the last update was in 2004, it's recently become active again (thank you, Chris), and is much more flexible than what's allowed in the spec.

- Chuck
Re: Problem with protecting pages in Tomcat 5.5
I would think the simplest way to go is to define a role and add all registered users to it. Nothing says a user can't have more than one role.

--David

Diogenes Gomes wrote:
> Thank you very much, Caldarale. Please, do you know how to define "any role"? The framework I use takes care of authorization (based on the service's methods). I only need to authenticate the user; otherwise I would duplicate the access configuration.
Re: Problem with protecting pages in Tomcat 5.5
Chuck,

Caldarale, Charles R wrote:
| Take a look at:
| http://sourceforge.net/projects/securityfilter
|
| Although the last update was in 2004, it's recently become active again
| (thank you, Chris), and is much more flexible than what's allowed in the
| spec.

Yes, sf is a bit more flexible than Tomcat's built-in authentication and authorization. sf currently interprets the * role to mean "any authenticated user", much like TC 5.0 (erroneously) did. Technically, we should be checking against the list of defined roles, but we're not. I expect this to be fixed in a future version, but we will probably provide either a backward-compatibility setting to allow * to mean "I don't care at all" or make it easy to re-implement the algorithm yourself to get the same effect.

Diogenes, what's the problem with simply defining all of your roles in the web.xml file?

-chris
Re: Problem with protecting pages in Tomcat 5.5
Diogenes Gomes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Thank you very much, Caldarale. Please, do you know how to define "any role"? The framework I use takes care of authorization (based on the service's methods). I only need to authenticate the user; otherwise I would duplicate the access configuration.

There is a backwards-compatible setting on the <Realm />. You add the attribute allRolesMode="authOnly", and Tomcat will revert to its 5.0 behavior.
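To make the disagreement in this thread concrete, the following is an added Python model of how the special role-name * is resolved; it was written for this page and is neither Tomcat source nor code from any of the posters. It parses a constructed web.xml in the two forms discussed (the original with no <security-role>, and Chuck's fix with roles declared) and evaluates the access decision under the three allRolesMode values that Tomcat's Realm reference documents (strict, authOnly, strictAuthOnly), authOnly being the workaround in the reply above. The role names usuario and admin, the user's role set, and all function names are assumptions; the thread never shows what PAPEISDOUSUARIO contains.

```python
"""Model of how Tomcat resolves the special role-name "*" in an <auth-constraint>.
Added illustration for this thread, not Tomcat source. Semantics follow the
Realm attribute allRolesMode as documented by Tomcat:
  strict          "*" holds only if the user has a role declared in <security-role>
  authOnly        "*" holds for any authenticated user (the 5.0 behaviour)
  strictAuthOnly  authOnly while web.xml declares no <security-role>, else strict
"""
from typing import Dict, Optional, Set
import xml.etree.ElementTree as ET

# Constructed web.xml, cut down to the thread's original constraint, which
# declares no <security-role> at all.
WEB_XML_ORIGINAL = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teste</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Same file plus the <security-role> declarations Chuck asks for. The role
# names "usuario" and "admin" are assumptions made for this example.
WEB_XML_FIXED = WEB_XML_ORIGINAL.replace(
    "</web-app>",
    "  <security-role><role-name>usuario</role-name></security-role>\n"
    "  <security-role><role-name>admin</role-name></security-role>\n"
    "</web-app>",
)

def declared_roles(web_xml: str) -> Set[str]:
    """Role names listed in <security-role>: the set that "*" expands to."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.iterfind("security-role/role-name")}

def constraint_roles(web_xml: str, url_pattern: str = "/*") -> Optional[Set[str]]:
    """Role names in the <auth-constraint> covering url_pattern. None: no
    <auth-constraint>, no login needed. Empty set: <auth-constraint/>, nobody."""
    root = ET.fromstring(web_xml)
    for sc in root.iterfind("security-constraint"):
        patterns = {p.text.strip() for p in sc.iterfind("web-resource-collection/url-pattern")}
        if url_pattern in patterns:
            ac = sc.find("auth-constraint")
            if ac is None:
                return None
            return {r.text.strip() for r in ac.iterfind("role-name")}
    return None

def has_resource_permission(constraint: Optional[Set[str]], declared: Set[str],
                            user_roles: Optional[Set[str]],
                            all_roles_mode: str = "strict") -> bool:
    """Decide one request. user_roles is None before authentication; otherwise it
    is what the Realm returned (for the JDBCRealm above: NOMEDOPAPEL values)."""
    if constraint is None:
        return True                    # no auth-constraint: resource is open
    if user_roles is None:
        return False                   # not logged in: the authenticator challenges
    if all_roles_mode not in ("strict", "authOnly", "strictAuthOnly"):
        raise ValueError("unknown allRolesMode: %r" % all_roles_mode)
    mode = all_roles_mode
    if mode == "strictAuthOnly":
        mode = "strict" if declared else "authOnly"
    for role in constraint:
        if role == "*":
            if mode == "authOnly":
                return True            # 5.0 behaviour: being logged in is enough
            if user_roles & declared:  # strict: must hold a role web.xml declares
                return True
        elif role in user_roles:
            return True
    return False                       # what the thread sees as HTTP 403

def scenarios() -> Dict[str, bool]:
    """Replay the thread for usuario1, given one constructed role, "usuario"."""
    u = {"usuario"}
    oc, od = constraint_roles(WEB_XML_ORIGINAL), declared_roles(WEB_XML_ORIGINAL)
    fc, fd = constraint_roles(WEB_XML_FIXED), declared_roles(WEB_XML_FIXED)
    return {
        "5.5 strict, original web.xml": has_resource_permission(oc, od, u, "strict"),
        "5.5 strict, fixed web.xml": has_resource_permission(fc, fd, u, "strict"),
        "5.5 authOnly, original web.xml (the 5.0 behaviour)": has_resource_permission(oc, od, u, "authOnly"),
        "5.5 strictAuthOnly, original web.xml": has_resource_permission(oc, od, u, "strictAuthOnly"),
        "5.5 strictAuthOnly, fixed web.xml, undeclared role":
            has_resource_permission(fc, fd, {"guest"}, "strictAuthOnly"),
    }

if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print("%-52s %s" % (label, "200" if allowed else "403"))
```

The "strict, original web.xml" row is the 403 in the first message: the FormAuthenticator log shows authentication succeeding, and the denial happens afterwards because * expanded to an empty set of declared roles. David's suggestion (one role, every user in it) is the "fixed web.xml" row with that single role declared. Two caveats the model makes visible: allRolesMode only changes how * is read, so an explicit role-name in a constraint still has to be held by the user; and the context.xml in the first message sets userCredCol to the same column as userNameCol, so the credential the realm compares against is the user name itself, which is a separate problem from the 403.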