BASIC authentication SSO with a separate IIS application
I've been told our working application must coexist with other applications using BASIC authentication, the same domain name and a shared authentication store to achieve single sign on (SSO). Our application has been working fine without IIS or Apache sitting in front of it. The application is almost entirely dynamic so I didn't feel a need before.

Now that we've thrown the switch on our QA tier the SSO is not working. The other application seems to generate a key to store the authentication in the browser of qa.ourserver.com, while our application generates a key of qa.ourserver.com:80. The browser then treats these as separate domains. I do not see anywhere in the config files where this is set.

Q1: Can I configure Tomcat to not include the :80 at the end of the domain name?
Q2: Should I configure Tomcat to run behind the same IIS the other application runs behind? I'm developing in Java and the other application is developed in C# and .NET.
Q3: If the BASIC authentication solution weren't already dictated, what would the preferred SSO solution be?

Any additional insight is also appreciated. Thanks!
-Steve-
basic authentication problem 5.5.9
Hi

I suspect I am running into this bug in tomcat 5.5.9 which has been solved in tomcat 5.5.11 and I was wondering if there is a workaround: http://issues.apache.org/bugzilla/show_bug.cgi?id=22617

Let me first explain my situation. I have a web application which we use in production on multiple sites on tomcat 5.0.28. We have a major version upcoming in a few months and want to take the opportunity to move to tomcat 5.5.x (several technical reasons and not much going on on the 5.0 branch). We need a stable version of course (our customers don't like alpha stuff) and 5.5.9 appears to be it for the moment.

Yesterday when I tried our web application in 5.5.9 it mostly worked as far as I could see. The only thing that didn't work was that our admin context was no longer password protected. I spent quite some time rechecking the configuration (which works fine on 5.0.28). Quite annoyingly the server.xml has a different, semantically equivalent notation for defining user databases but that was easy to fix. Still no luck. Then I searched google and eventually came up with the bug above which might explain things. The simple workaround there of defining a null user or a user didn't work though. To confirm I was running into a (solved) bug I tested on 5.5.11 and indeed authentication works fine there with identical configuration.

So my question is threefold:

- Is the bug above the problem I am running into or is it something else?
- Is there a workaround for it in 5.5.9? We can't support alpha versions on production sites so we need this fixed in the stable release.
- If the answer is no, we'll have to put off support for 5.5.x until there is a stable version with the fix (and hopefully no new issues): is there a rough time schedule when that might happen?

Regards,
Jilles

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to Configure IIS/Tomcat to perform basic authentication
Hi Ben,

Thanks for responding to my question. Here is my operating environment:

IIS 5.0
Tomcat 5.5.9

Note also that I have tried this setup with tomcat/apache and everything works; my problem comes when I do a similar thing with IIS/Tomcat and I get an HTTP 401 error message.

Thanks,
Ike

-----Original Message-----
From: Ben Ricker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 6:04 PM
To: Tomcat Users List
Subject: Re: How to Configure IIS/Tomcat to perform basic authentication

To answer your question, it would help to at least include the relevant OS and tomcat version information.

In Tomcat, you can set a resource valve that does the auth for you.
Docs for 4.1: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
Docs for 5.0: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

You may be most interested in the Memory Realm if you want simple, file-based auth.

Ben Ricker

On 7/13/05, Ikonne, Ike [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have been trying to configure IIS/Tomcat to perform basic authentication and have not had any success yet. I would appreciate it if someone could give me some pointers on how to make this work.
>
> Thanks,
> Ike

--
Ben Ricker
He's just this guy, you know?
Re: basic authentication won't accept password (intermittent)
Hi again,

I just discovered bug 33157: basic authentication fails in some cases, reported in Tomcat 5.5.4. http://issues.apache.org/bugzilla/show_bug.cgi?id=33157

It doesn't describe my exact problem, but it's the best theory so far. Unfortunately the hosting provider is unlikely to install 5.5.9 in the near future ;-)

Will report back to the list when the resolution is known.

Best,
Eric:)
basic authentication won't accept password (intermittent)
Hello,

My client has a password-protected folder (as shown in the snippet from my web.xml below). The problem is that, when accessing a protected resource (/members/jobs/index.html), it sometimes asks for the login several times before returning the requested page. (This is using BASIC authentication, so the browser pops up a dialog in response to the 401.) Occasionally it gives up and shows the 401 Unauthorized error page instead.

This problem is reproducible across several browsers on Windows 2000 (IE6, Firefox, Opera, lynx ...). The Authorization header is the same for both successful and unsuccessful requests.

Hosting provider's environment:

Linux 2.4.24 on i686
Apache 2.0.47
Tomcat 5.5.4
Java: Blackdown-1.4.2-rc1

In server.xml, I've increased maxThreads to 250, although this is not a high-volume site. (Obviously I'm shooting in the dark at this point ;-)

My questions are:

(1) Where should we look for misconfiguration, whether in my app or in the hosting environment?
(2) Is there any other explanation for this behavior?

This is my first Tomcat site in production, so hopefully it's a configuration problem. I appreciate any suggestions!

Thanks,
Eric:)

=== from my web.xml ===

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Members Area</realm-name>
</login-config>
<security-role>
  <description>Authorized members</description>
  <role-name>members</role-name>
</security-role>
<security-constraint>
  <!-- the admin sections -->
  <web-resource-collection>
    <web-resource-name>Search Engine</web-resource-name>
    <url-pattern>/jsp/admin/*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Data Listing</web-resource-name>
    <url-pattern>/list.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <!-- the members-only section -->
  <web-resource-collection>
    <web-resource-name>members area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>members</role-name>
  </auth-constraint>
</security-constraint>
How to configure Tomcat and IIS to perform Basic authentication
Hi all,

I have been trying to configure IIS/Tomcat to perform basic authentication and have not had any success yet. I would appreciate it if someone could give me some pointers on how to make this work.

Thanks,
Ike
Re: How to Configure IIS/Tomcat to perform basic authentication
To answer your question, it would help to at least include the relevant OS and tomcat version information.

In Tomcat, you can set a resource valve that does the auth for you.
Docs for 4.1: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
Docs for 5.0: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

You may be most interested in the Memory Realm if you want simple, file-based auth.

Ben Ricker

On 7/13/05, Ikonne, Ike [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have been trying to configure IIS/Tomcat to perform basic authentication and have not had any success yet. I would appreciate it if someone could give me some pointers on how to make this work.
>
> Thanks,
> Ike

--
Ben Ricker
He's just this guy, you know?
Mix form based and basic authentication in one web-app?
Hi there, I have two servlets. One is configured to listen to /forms/* and the other to /documents/*. I configured a security realm, so users need to use form based authentication when accessing /forms/*. Can I, in the same web.xml configure a second security realm that uses basic authentication? We need the basic since the /documents/* servlet serves webDAV and Webfolders doesn't do form based authentication. Would that work? :-) stw
Re: Mix form based and basic authentication in one web-app?
[EMAIL PROTECTED] wrote:
> Hi there,
>
> I have two servlets. One is configured to listen to /forms/* and the other to /documents/*. I configured a security realm, so users need to use form based authentication when accessing /forms/*. Can I, in the same web.xml configure a second security realm that uses basic authentication? We need the basic since the /documents/* servlet serves webDAV and Webfolders doesn't do form based authentication.
>
> Would that work?
> :-) stw

No can do. webapps are allowed no more than 1 form of authentication. Maybe use two web applications?

Mark
Problem with redirection for Tomcat Basic Authentication
Hello,

I am running Tomcat 5.5.9 on Windows 2000. I configured the ISAPI redirector (version 1.2.12) so that Tomcat worked along with IIS and everything seemed to work fine, but...

I have a Tomcat application which requires basic authentication. Everything works fine if I access from http://localhost:8080/mywebapp/, I get authenticated and can navigate, so I think the realm is configured correctly. But if I try to access from http://localhost/mywebapp/ (the path to my app is added to uriworkermap.properties) I get a Windows authentication prompt window ('Enter network password' with fields to introduce username, password plus domain) instead of Tomcat's basic authentication prompt window.

However, once I login (using http://localhost:8080/mywebapp/) I can navigate without problems through the application pages without using the ':8080' part. So it seems like redirection works except for the authentication part.

Does anyone have any ideas so that I can login to my application from without the need to specify the port?

Thanks in advance,
Javier Santos
Re: Problem with redirection for Tomcat Basic Authentication
I suspect the IE and IIS are conspiring to use Windows Native Authentication. I think this is a browser setting where IE tries this by default if talking to IIS. The settings should be under something like:

IE -> Tools -> Internet options -> security -> custom level -> user authentication

I can't remember what setting you need to use but try the various options and see what happens.

Mark

Javier Santos Martin-Moreno wrote:
> Hello,
>
> I am running Tomcat 5.5.9 on Windows 2000. I configured the ISAPI redirector (version 1.2.12) so that Tomcat worked along with IIS and everything seemed to work fine, but...
>
> I have a Tomcat application which requires basic authentication. Everything works fine if I access from http://localhost:8080/mywebapp/, I get authenticated and can navigate, so I think the realm is configured correctly. But if I try to access from http://localhost/mywebapp/ (the path to my app is added to uriworkermap.properties) I get a Windows authentication prompt window ('Enter network password' with fields to introduce username, password plus domain) instead of Tomcat's basic authentication prompt window.
>
> However, once I login (using http://localhost:8080/mywebapp/) I can navigate without problems through the application pages without using the ':8080' part. So it seems like redirection works except for the authentication part.
>
> Does anyone have any ideas so that I can login to my application from without the need to specify the port?
>
> Thanks in advance,
> Javier Santos
Re: Can't do logout in basic authentication
You can try google: http://www.modpython.org/pipermail/mod_python/2001-August/012120.html

Otgonbayar wrote:
> I am using basic authentication in my application and I need to create logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!
>
> Thanks
> Otgo

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
RE: Can't do logout in basic authentication
If you read the docs on BASIC authentication, you will find that the browser caches the login information and will provide it every time you return to that site. The way to log out is to close the browser.

Apparently this has been a problem for web developers for some time. Browser developers have not seen this as a problem. Instead they seem to feel that the caching is a benefit to the user by not requiring them to re-enter the same information.

Robert S. Harper
801.265.8800 ext. 255
[EMAIL PROTECTED]

-----Original Message-----
From: Robert r. Sanders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:07 AM
To: Tomcat Users List
Subject: Re: Can't do logout in basic authentication

You can try google: http://www.modpython.org/pipermail/mod_python/2001-August/012120.html

Otgonbayar wrote:
> I am using basic authentication in my application and I need to create logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!
>
> Thanks
> Otgo

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Re: Can't do logout in basic authentication
In most applications this is one of those *perceived* problems that corporate users get uptight about.

The best way to prevent abuse of an idle authenticated browser window is a screensaver with password lock -- as it protects the rest of the computer, the documents thereon, etc.

The only really good case for a logout is where you have a shared computer with many different users coming and going -- and all using a single guest account on the client itself rather than separate logins. In this case a logoff button that closed down the browser would not be a half bad idea :-)

--
Jess Holle

P.S. Yes, I know transferring the name/password only on initial authentication and using a session key of some sort from thereon out is fractionally more secure -- but you still need HTTPS to really be secure in either case.

Robert Harper wrote:
> If you read the docs on BASIC authentication, you will find that the browser caches the login information and will provide it every time you return to that site. The way to log out is to close the browser.
>
> Apparently this has been a problem for web developers for some time. Browser developers have not seen this as a problem. Instead they seem to feel that the caching is a benefit to the user by not requiring them to re-enter the same information.
>
> Robert S. Harper
> 801.265.8800 ext. 255
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Robert r. Sanders [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 20, 2005 10:07 AM
> To: Tomcat Users List
> Subject: Re: Can't do logout in basic authentication
>
> You can try google: http://www.modpython.org/pipermail/mod_python/2001-August/012120.html
>
> Otgonbayar wrote:
> > I am using basic authentication in my application and I need to create logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!
> >
> > Thanks
> > Otgo
Re: Can't do logout in basic authentication
you cannot do that in basic .. you need to do a form based one ...

----- Original Message -----
From: Otgonbayar [EMAIL PROTECTED]
To: 'Tomcat Users List' tomcat-user@jakarta.apache.org
Sent: Wednesday, April 20, 2005 4:28 AM
Subject: Can't do logout in basic authentication

I am using basic authentication in my application and I need to create logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!

Thanks
Otgo
Re: Can't do logout in basic authentication
P.S. Freeing one's *session* on leaving works with any type of authentication and makes sense in many cases -- it's just harder to communicate this concept to the user...

Jess Holle wrote:
> In most applications this is one of those *perceived* problems that corporate users get uptight about.
>
> The best way to prevent abuse of an idle authenticated browser window is a screensaver with password lock -- as it protects the rest of the computer, the documents thereon, etc.
>
> The only really good case for a logout is where you have a shared computer with many different users coming and going -- and all using a single guest account on the client itself rather than separate logins. In this case a logoff button that closed down the browser would not be a half bad idea :-)
>
> --
> Jess Holle
>
> P.S. Yes, I know transferring the name/password only on initial authentication and using a session key of some sort from thereon out is fractionally more secure -- but you still need HTTPS to really be secure in either case.
Can't do logout in basic authentication
I am using basic authentication in my application and I need to create logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!

Thanks
Otgo
Changing from BASIC authentication to FORM-based
I have Tomcat 5.5.4 running on WindowsXP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've changed 'BASIC' to 'FORM' in web.xml and have a logon.html page with a <form action="j_security_check"> but it gives a HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this?

Thanks
Re: Changing from BASIC authentication to FORM-based
Did you restart Tomcat after making the web.xml change? It's been my experience that authentication method changes like this actually get handled from deeper within Tomcat's internal code, not just the application, and the only way to register the change is by a full restart.

Brent Sims
Systems Analyst 2
KC Human Services

Road rage, air rage. Why should I be forced to divide my rage into separate categories? To me, it's just one big, all-round, everyday rage. I don't have time for fine distinctions. I'm too busy screaming at people. - George Carlin

[EMAIL PROTECTED] 04/09/05 11:00 AM
> I have Tomcat 5.5.4 running on WindowsXP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've changed 'BASIC' to 'FORM' in web.xml and have a logon.html page with a <form action="j_security_check"> but it gives a HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this?
>
> Thanks
Re: BASIC Authentication for Custom Realm
Based on my own experience, the quickest way to work out what is happening will be to debug your way through it. See the FAQ for how to set this up: http://jakarta.apache.org/tomcat/faq/development.html

Mark

Mudumbai, Kalyan wrote:
> Hi All,
>
> I am trying to write a custom realm for my web application. I have added the realm in the server.xml file as below:
>
> <Realm className="com.web.tomcat.security.CustomRealm" debug="0"/>
>
> and I had the following entries in my web.xml file.
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>webfiles</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>everyone</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>CustomRealm</realm-name>
> </login-config>
> <security-role>
>   <role-name>everyone</role-name>
> </security-role>
>
> When I access a page in my app, I'm expecting to get a Login Dialog box that's provided by the web browser. But it doesn't happen, when I try to access a web page. If I remove my custom realm entry in the server.xml, the login dialog appears. Has the appearance of the Login Dialog got to do anything with the Realm? Can someone please let me know what's going wrong here?
>
> Thanks,
> Kalyan.
BASIC Authentication for Custom Realm
Hi All,

I am trying to write a custom realm for my web application. I have added the realm in the server.xml file as below:

<Realm className="com.web.tomcat.security.CustomRealm" debug="0"/>

and I had the following entries in my web.xml file.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>webfiles</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>CustomRealm</realm-name>
</login-config>
<security-role>
  <role-name>everyone</role-name>
</security-role>

When I access a page in my app, I'm expecting to get a Login Dialog box that's provided by the web browser. But it doesn't happen, when I try to access a web page. If I remove my custom realm entry in the server.xml, the login dialog appears. Has the appearance of the Login Dialog got to do anything with the Realm? Can someone please let me know what's going wrong here?

Thanks,
Kalyan.
Re: Problem with BASIC authentication
Hi,

Compared to Manager's web.xml, it seems you don't have the section resource-env-ref with the link to your user DataBase.

Perhaps, try to put the role names without a - (rather a _ or nothing)

Cheers.

On Thu, 17 Mar 2005 10:49:29 +0530 Karanjkar, Sanjay V (IT) [EMAIL PROTECTED] wrote:
> Hi,
>
> Anyone had a chance to look at this one yet?
>
> Thanks
> Sanjay
>
> -----Original Message-----
> From: Karanjkar, Sanjay V (IT)
> Sent: 15 March 2005 11:19
> To: tomcat-user@jakarta.apache.org
> Subject: Problem with BASIC authentication
>
> Hi,
>
> I have the following setup:
>
> 1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)
>
> 2. My application WAR file referenced by the following Context in Server.xml:
>
> <Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
>   <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
> </Context>
>
> 3. My app's web.xml has the following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>My Application</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>ieg-sc-user</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <!-- Define the Login Configuration for this Application -->
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>My Application</realm-name>
> </login-config>
> <security-role>
>   <role-name>ieg-sc-user</role-name>
> </security-role>
>
> 4. I have defined the user/role in conf/tomcat-users.xml:
>
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>   <role rolename="ieg-sc-user"/>
>   <user username="userid" password="passwd" roles="ieg-sc-user"/>
> </tomcat-users>
>
> When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad... Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..?
>
> Appreciate if you could help me..
>
> Thanks and regards
> Sanjay Karanjkar
>
> NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
RE: Problem with BASIC authentication
Hi Lionel,

Thanks for your response. I tried both suggestions but no luck.. Maybe it's something to do with the fact that I've not *installed* tomcat but only copied the binaries from an installed location (then how come the manager app works? :-(

Anyways, I also have a problem when shutting down tomcat. When I run shutdown.sh, I get the following error and there are process threads that I have to kill manually. I have not altered the default server.xml (Ajp13 connector is not commented out) so can someone help me?

Catalina.stop: java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
        at java.net.Socket.<init>(Socket.java:268)
        at java.net.Socket.<init>(Socket.java:95)
        at org.apache.catalina.startup.Catalina.stop(Catalina.java:581)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:402)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
gmake: *** [stop_tomcat] Error 1

Thanks in advance
Sanjay Karanjkar
fc3sdi team

-----Original Message-----
From: Lionel Farbos [mailto:[EMAIL PROTECTED]
Sent: 17 March 2005 09:58
To: Tomcat Users List
Cc: Karanjkar, Sanjay V (IT)
Subject: Re: Problem with BASIC authentication

Hi,

Compared to Manager's web.xml, it seems you don't have the section resource-env-ref with the link to your user DataBase.

Perhaps, try to put the role names without a - (rather a _ or nothing)

Cheers.

On Thu, 17 Mar 2005 10:49:29 +0530 Karanjkar, Sanjay V (IT) [EMAIL PROTECTED] wrote:
> Hi,
>
> Anyone had a chance to look at this one yet?
>
> Thanks
> Sanjay
>
> -----Original Message-----
> From: Karanjkar, Sanjay V (IT)
> Sent: 15 March 2005 11:19
> To: tomcat-user@jakarta.apache.org
> Subject: Problem with BASIC authentication
>
> Hi,
>
> I have the following setup:
>
> 1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)
>
> 2. My application WAR file referenced by the following Context in Server.xml:
>
> <Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
>   <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
> </Context>
>
> 3. My app's web.xml has the following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>My Application</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>ieg-sc-user</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <!-- Define the Login Configuration for this Application -->
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>My Application</realm-name>
> </login-config>
> <security-role>
>   <role-name>ieg-sc-user</role-name>
> </security-role>
>
> 4. I have defined the user/role in conf/tomcat-users.xml:
>
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>   <role rolename="ieg-sc-user"/>
>   <user username="userid" password="passwd" roles="ieg-sc-user"/>
> </tomcat-users>
>
> When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad... Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..?
>
> Appreciate if you could help me..
>
> Thanks and regards
> Sanjay Karanjkar
Re: Problem with BASIC authentication
I don't run 4 so these are only suggestions.

1. Remove the user-data-constraint

2. Change your tomcat-user.xml to look like this

<tomcat-users>
  <user name="userid" password="passwd" roles="ieg-sc-user" />
</tomcat-users>

----- Original Message -----
From: Karanjkar, Sanjay V (IT) [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Thursday, March 17, 2005 12:19 AM
Subject: RE: Problem with BASIC authentication

Hi,

Anyone had a chance to look at this one yet?

Thanks
Sanjay

-----Original Message-----
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication

Hi,

I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in Server.xml:

<Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
  <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
</Context>

3. My app's web.xml has the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ieg-sc-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>
<security-role>
  <role-name>ieg-sc-user</role-name>
</security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="ieg-sc-user"/>
  <user username="userid" password="passwd" roles="ieg-sc-user"/>
</tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad... Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..?

Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar
Re: Problem with BASIC authentication
On Thu, 17 Mar 2005 16:35:43 +0530 Karanjkar, Sanjay V (IT) [EMAIL PROTECTED] wrote:

Hi Lionel, Thanks for your response. I tried both suggestions but no luck.. Maybe it's something to do with the fact that I've not *installed* tomcat but only copied the binaries from an installed location (then how come the manager app works? :-(

The Manager, by default, is installed but not activated. In your installation, you have
- $CATALINA_HOME/server/lib/servlets-manager.jar
- $CATALINA_HOME/webapps/manager.xml

You have to add:

    <role rolename="manager"/>
    <user username="userid" password="password" roles="manager"/>

And you can access the HTML manager (in the default installation) with: http://localhost:8080/manager/html/

Anyways, I also have a problem when shutting down tomcat. When I run shutdown.sh, I get the following error and there are process threads that I have to kill manually. I have not altered the default server.xml (Ajp13 connector is not commented out) so can someone help me?

    Catalina.stop: java.net.ConnectException: Connection refused
    java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
        at java.net.Socket.<init>(Socket.java:268)
        at java.net.Socket.<init>(Socket.java:95)
        at org.apache.catalina.startup.Catalina.stop(Catalina.java:581)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:402)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
    gmake: *** [stop_tomcat] Error 1

I think you have to re-install properly your Tomcat... (and verify your port 8080 is free, otherwise change it).

Thanks in advance
Sanjay Karanjkar
fc3sdi team

-Original Message-
From: Lionel Farbos [mailto:[EMAIL PROTECTED]
Sent: 17 March 2005 09:58
To: Tomcat Users List
Cc: Karanjkar, Sanjay V (IT)
Subject: Re: Problem with BASIC authentication

Hi, Compared to Manager's web.xml, it seems you don't have the section resource-env-ref with the link to your user DataBase. Perhaps, try to put the role names without a - (rather a _ or nothing) Cheers.

On Thu, 17 Mar 2005 10:49:29 +0530 Karanjkar, Sanjay V (IT) [EMAIL PROTECTED] wrote:

Hi, Anyone had a chance to look at this one yet? Thanks Sanjay

-Original Message-
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication

Hi, I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in Server.xml:

    <Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
      <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
    </Context>

3. My app's web.xml has the following:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>My Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>ieg-sc-user</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <!-- Define the Login Configuration for this Application -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>My Application</realm-name>
    </login-config>
    <security-role>
      <role-name>ieg-sc-user</role-name>
    </security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="ieg-sc-user"/>
      <user username="userid" password="passwd" roles="ieg-sc-user"/>
    </tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad. Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..? Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar
RE: Problem with BASIC authentication
Hi, Anyone had a chance to look at this one yet? Thanks Sanjay

-Original Message-
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication

Hi, I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in Server.xml:

    <Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
      <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
    </Context>

3. My app's web.xml has the following:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>My Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>ieg-sc-user</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <!-- Define the Login Configuration for this Application -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>My Application</realm-name>
    </login-config>
    <security-role>
      <role-name>ieg-sc-user</role-name>
    </security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="ieg-sc-user"/>
      <user username="userid" password="passwd" roles="ieg-sc-user"/>
    </tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad. Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..? Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar
Problem with BASIC authentication
Hi, I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in Server.xml:

    <Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war" reloadable="true" debug="99" privileged="true">
      <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
    </Context>

3. My app's web.xml has the following:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>My Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>ieg-sc-user</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <!-- Define the Login Configuration for this Application -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>My Application</realm-name>
    </login-config>
    <security-role>
      <role-name>ieg-sc-user</role-name>
    </security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="ieg-sc-user"/>
      <user username="userid" password="passwd" roles="ieg-sc-user"/>
    </tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad. Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..? Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar
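A consistency check over the web.xml and tomcat-users.xml fragments posted in this thread, as an added example that is not part of any message and is not Tomcat code. The function name `audit`, the `<web-app>` wrapper around the fragments and the finding texts are assumptions made for the example; it checks that every role in an auth-constraint is declared and held by a user, and flags BASIC combined with a transport-guarantee of NONE. It does not diagnose the missing login window, which the thread leaves unresolved.

```python
import xml.etree.ElementTree as ET

# The fragments from the post, wrapped in a <web-app> root so they parse.
# Assumption: DTD-style descriptors without an XML namespace, as quoted.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ieg-sc-user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application</realm-name>
  </login-config>
  <security-role><role-name>ieg-sc-user</role-name></security-role>
</web-app>"""

USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="ieg-sc-user"/>
  <user username="userid" password="passwd" roles="ieg-sc-user"/>
</tomcat-users>"""


def _text(node, path, default=""):
    """Text of the first element matching path, stripped, or the default."""
    return (node.findtext(path) or default).strip()


def audit(web_xml, users_xml):
    """Return a list of findings for one web.xml / tomcat-users.xml pair."""
    web = ET.fromstring(web_xml)
    users = ET.fromstring(users_xml)
    findings = []

    declared = {(r.findtext("role-name") or "").strip()
                for r in web.findall("security-role")}
    held = set()
    for user in users.findall("user"):
        # Both attribute spellings (username=, name=) appear in the thread.
        if not (user.get("username") or user.get("name")):
            findings.append("user entry without a username/name attribute")
        held.update(r.strip() for r in (user.get("roles") or "").split(",")
                    if r.strip())

    method = _text(web, "login-config/auth-method")
    if not method:
        findings.append("no login-config/auth-method: the container cannot challenge")

    constraints = web.findall("security-constraint")
    if not constraints:
        findings.append("no security-constraint: nothing is protected")
    for sc in constraints:
        name = _text(sc, "web-resource-collection/web-resource-name", "(unnamed)")
        auth = sc.find("auth-constraint")
        if auth is None:
            findings.append(f"{name}: no auth-constraint, so no authentication is required")
            continue
        roles = [(r.text or "").strip() for r in auth.findall("role-name")]
        if not roles:
            findings.append(f"{name}: empty auth-constraint denies all access")
        for role in roles:
            if role == "*":          # wildcard: any role declared in web.xml
                continue
            if role not in declared:
                findings.append(f"{name}: role '{role}' has no security-role declaration")
            if role not in held:
                findings.append(f"{name}: no user in tomcat-users.xml holds role '{role}'")
        guarantee = _text(sc, "user-data-constraint/transport-guarantee", "NONE")
        if method == "BASIC" and guarantee == "NONE":
            findings.append(f"{name}: BASIC with transport-guarantee NONE sends "
                            "base64-encoded credentials over plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit(WEB_XML, USERS_XML):
        print(finding)
```

On the posted files the roles line up, so the only finding is the cleartext-transport one; changing the user's `roles` value so it no longer matches the constraint produces the role-mismatch finding.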
Re: Basic Authentication Window
If you are using basic authentication, that is out of your control - the browser will resend the authentication with every request. It does not care at all about your session. I think your simplest solution is to switch to form-based authentication.

Larry

On Thu, 27 Jan 2005 19:58:16 -0800 (PST), Gia Thornton [EMAIL PROTECTED] wrote:

Hi, I am using Tomcat Container managed security: Basic Authentication by adding the following to web.xml.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>The Entire Web Application</web-resource-name>
        <url-pattern>/XMLServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>
    <security-role>
      <description>An example role defined in conf/tomcat-users.xml</description>
      <role-name>tomcat</role-name>
    </security-role>

I have used a form in my jsp:

    <form name="update" method="POST" action="/abc/XMLServlet">
      <input type="button" name="save_change" value="Save" onclick="saveChange(event)">
      <input type="button" name="cancel_change" value="Cancel" onclick="cancelChange(event)">
      <input type="button" name="edit" value="Edit" onclick="checkLogin(event)">
    </form>

If I click on Edit button, the javascript checkLogin will submit the form. If the user has not logged in, an authentication window will pop up. After the first-time authentication, the page is directed to the same page containing the above form. I intentionally set setMaxInactiveInterval to be like 10 seconds in XMLServlet. When the session expires, I click the Edit button again, now the page goes directly to XMLServlet without the authentication window popping up. Does anyone know what causes this? How can I get the authentication window to pop up when the session expires? Thank you for your help.

Gia
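The behaviour described in the reply above, as an added example that is not part of the thread and is not Tomcat's implementation: a toy model of a container and a browser showing that with BASIC the cached `Authorization` header re-authenticates every request, so a session timeout never produces a new prompt, while with FORM it does. The account `gia`, its password, the `Container` class and `count_prompts` are constructed for the example; the realm name comes from the posted web.xml.

```python
import base64
import hmac

# Constructed sample account; the realm name "UserDatabase" is the one in
# the web.xml quoted in the thread.
USERS = {"gia": "example-password"}
REALM = "UserDatabase"


def basic_header(user, password):
    """Build the Authorization header value a browser sends for BASIC."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


class Container:
    """Toy model of container-managed security with a session timeout."""

    def __init__(self, auth_method, max_inactive):
        self.auth_method = auth_method    # "BASIC" or "FORM"
        self.max_inactive = max_inactive  # seconds, like setMaxInactiveInterval
        self.sessions = {}                # session id -> last access time
        self.counter = 0

    def _session_alive(self, sid, now):
        last = self.sessions.get(sid)
        alive = last is not None and now - last <= self.max_inactive
        if alive:
            self.sessions[sid] = now
        else:
            self.sessions.pop(sid, None)
        return alive

    def _new_session(self, now):
        self.counter += 1
        sid = f"S{self.counter}"
        self.sessions[sid] = now
        return sid

    def request(self, now, authorization=None, session_id=None):
        """Return (status, headers) for a request to the protected URL."""
        alive = self._session_alive(session_id, now)
        if self.auth_method == "BASIC":
            creds = parse_basic(authorization)
            if creds and check_password(*creds):
                # Credentials arrive with every request, so an expired
                # session is silently replaced and nobody is challenged.
                sid = session_id if alive else self._new_session(now)
                return 200, {"Set-Cookie": sid}
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        # FORM: the authenticated identity lives only in the session.
        if alive:
            return 200, {}
        return 302, {"Location": "/login.jsp"}

    def form_login(self, now, user, password):
        if check_password(user, password):
            return 200, {"Set-Cookie": self._new_session(now)}
        return 403, {}


def count_prompts(auth_method, request_times, max_inactive=10):
    """Count how often the user is asked for a password over the requests."""
    server = Container(auth_method, max_inactive)
    cached_header = None  # the browser's in-memory BASIC credential cache
    sid = None
    prompts = 0
    for now in request_times:
        status, headers = server.request(now, cached_header, sid)
        if status == 401:    # BASIC: browser shows its popup, then retries
            prompts += 1
            cached_header = basic_header("gia", USERS["gia"])
            status, headers = server.request(now, cached_header, sid)
        elif status == 302:  # FORM: user is sent to the login page
            prompts += 1
            status, headers = server.form_login(now, "gia", USERS["gia"])
        if status != 200:
            raise RuntimeError(f"unexpected status {status}")
        sid = headers.get("Set-Cookie", sid)
    return prompts
```

The same property means the server has no way to log a BASIC user out: the credentials stay valid for as long as the browser keeps them cached.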
Re: Basic Authentication Window
Hi Larry, Thank you for your reply! Yes, I have tried the form authentication. It does redirect to the login page when session expires.

Gia

Larry Meadors [EMAIL PROTECTED] wrote:

If you are using basic authentication, that is out of your control - the browser will resend the authentication with every request. It does not care at all about your session. I think your simplest solution is to switch to form-based authentication.

Larry

On Thu, 27 Jan 2005 19:58:16 -0800 (PST), Gia Thornton wrote:

Hi, I am using Tomcat Container managed security: Basic Authentication by adding the following to web.xml.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>The Entire Web Application</web-resource-name>
        <url-pattern>/XMLServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>
    <security-role>
      <description>An example role defined in conf/tomcat-users.xml</description>
      <role-name>tomcat</role-name>
    </security-role>

I have used a form in my jsp: [input] [input] [input]

If I click on Edit button, the javascript checkLogin will submit the form. If the user has not logged in, an authentication window will pop up. After the first-time authentication, the page is directed to the same page containing the above form. I intentionally set setMaxInactiveInterval to be like 10 seconds in XMLServlet. When the session expires, I click the Edit button again, now the page goes directly to XMLServlet without the authentication window popping up. Does anyone know what causes this? How can I get the authentication window to pop up when the session expires? Thank you for your help.

Gia
Basic Authentication Window
Hi, I am using Tomcat Container managed security: Basic Authentication by adding the following to web.xml.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>The Entire Web Application</web-resource-name>
        <url-pattern>/XMLServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>
    <security-role>
      <description>An example role defined in conf/tomcat-users.xml</description>
      <role-name>tomcat</role-name>
    </security-role>

I have used a form in my jsp:

    <form name="update" method="POST" action="/abc/XMLServlet">
      <input type="button" name="save_change" value="Save" onclick="saveChange(event)">
      <input type="button" name="cancel_change" value="Cancel" onclick="cancelChange(event)">
      <input type="button" name="edit" value="Edit" onclick="checkLogin(event)">
    </form>

If I click on Edit button, the javascript checkLogin will submit the form. If the user has not logged in, an authentication window will pop up. After the first-time authentication, the page is directed to the same page containing the above form. I intentionally set setMaxInactiveInterval to be like 10 seconds in XMLServlet. When the session expires, I click the Edit button again, now the page goes directly to XMLServlet without the authentication window popping up. Does anyone know what causes this? How can I get the authentication window to pop up when the session expires? Thank you for your help.

Gia
Re: BASIC Authentication
Ashish Kulkarni wrote:

Hi May be try putting the following in web.xml file just before taglib ( i am not sure but works with 2.2)

    <error-page>
      <error-code>403</error-code>
      <location>/pages/error/noaccess.jsp</location>
    </error-page>
    <error-page>
      <error-code>401</error-code>
      <location>/pages/error/noaccess.jsp</location>
    </error-page>

Ashish

Thanks for the answer, but this method doesn't work. In fact if a resource is under authentication (like manager) and i setup a 401 page error, the system does not ask for user and password but presents immediately the error page. I think i have to use something other than basic auth, at least to create my own login page :D

Tx all
Giorgio Ponza

--- Omar Adobati [EMAIL PROTECTED] wrote:

Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...

On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:

Omar Adobati wrote:

I've never tried it, but maybe u can write your own code into the login page that redirect you on a different page if the login task will not completed as needed...

I can't try this :D There is no login page, only a box appearing over the browser asking user and password. Thanks anyway Giorgio

-- Adobati Omar [EMAIL PROTECTED]

--
Giorgio Ponza
Web Developer
Opla.com Ltd
Tel. +39 011 7506233
Fax. +39 011 746179
http://www.opla.it
There are people who have money and people who are rich (Coco Chanel)
BASIC Authentication
Hi all

I have a small problem trying to configure BASIC auth. Everything works good, but i'd like to know if i can change the default page when the user is not authenticated. I try to explain better: if i write wrong 3 times the password, or i click on cancel button, a default Tomcat page appears saying

    type Status report
    message
    description This request requires HTTP authentication ().

Is it possible to change this default page?

Tx everybody
Giorgio
Re: BASIC Authentication
I've never tried it, but maybe u can write your own code into the login page that redirect you on a different page if the login task will not completed as needed...

On Mon, 24 Jan 2005 14:21:19 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:

Hi all

I have a small problem trying to configure BASIC auth. Everything works good, but i'd like to know if i can change the default page when the user is not authenticated. I try to explain better: if i write wrong 3 times the password, or i click on cancel button, a default Tomcat page appears saying

    type Status report
    message
    description This request requires HTTP authentication ().

Is it possible to change this default page?

Tx everybody
Giorgio

-- Adobati Omar [EMAIL PROTECTED]
Re: BASIC Authentication
Omar Adobati wrote:

I've never tried it, but maybe u can write your own code into the login page that redirect you on a different page if the login task will not completed as needed...

I can't try this :D There is no login page, only a box appearing over the browser asking user and password.

Thanks anyway
Giorgio
Re: BASIC Authentication
Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...

On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:

Omar Adobati wrote:

I've never tried it, but maybe u can write your own code into the login page that redirect you on a different page if the login task will not completed as needed...

I can't try this :D There is no login page, only a box appearing over the browser asking user and password.

Thanks anyway
Giorgio

-- Adobati Omar [EMAIL PROTECTED]
Re: BASIC Authentication
Hi May be try putting the following in web.xml file just before taglib ( i am not sure but works with 2.2)

    <error-page>
      <error-code>403</error-code>
      <location>/pages/error/noaccess.jsp</location>
    </error-page>
    <error-page>
      <error-code>401</error-code>
      <location>/pages/error/noaccess.jsp</location>
    </error-page>

Ashish

--- Omar Adobati [EMAIL PROTECTED] wrote:

Oh, I'm sorry... you are using the basic auth mode... there was a misunderstanding... sorry again...

On Mon, 24 Jan 2005 14:29:44 +0100, Giorgio Ponza [EMAIL PROTECTED] wrote:

Omar Adobati wrote:

I've never tried it, but maybe u can write your own code into the login page that redirect you on a different page if the login task will not completed as needed...

I can't try this :D There is no login page, only a box appearing over the browser asking user and password.

Thanks anyway
Giorgio

-- Adobati Omar [EMAIL PROTECTED]
Re: problem with Basic authentication -- no window to login
Hi i am using windows XP with service pack 1, and had tried adding ResourceLink.. to my context.xml, but still did not work, i am going to pass this problem and use form based authentication which is working fine

Ashish

--- Parsons Technical Services [EMAIL PROTECTED] wrote:

IE on Linux, interesting. Add the resource link to your context.xml file to give the system access to the user database/file.

    <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>

Doug

- Original Message -
From: Aris Javier [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Friday, January 21, 2005 12:20 AM
Subject: RE: problem with Basic authentication -- no window to login

assuming you're using linux.. I encountered this problem in mozilla 1.6... downloaded 1.7 version and login window appeared! =)

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 11:21 AM
To: Tomcat Users List
Subject: RE: problem with Basic authentication -- no window to login

I have tried internet explorer and mozilla

Ashish

--- Aris Javier [EMAIL PROTECTED] wrote:

what browser are you using?

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 6:24 AM
To: tomcat-user@jakarta.apache.org
Subject: problem with Basic authentication -- no window to login

Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish

A$HI$H
problem with Basic authentication -- no window to login
Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish
RE: problem with Basic authentication -- no window to login
what browser are you using?

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 6:24 AM
To: tomcat-user@jakarta.apache.org
Subject: problem with Basic authentication -- no window to login

Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish
RE: problem with Basic authentication -- no window to login
I have tried internet explorer and mozilla

Ashish

--- Aris Javier [EMAIL PROTECTED] wrote:

what browser are you using?

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 6:24 AM
To: tomcat-user@jakarta.apache.org
Subject: problem with Basic authentication -- no window to login

Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish

A$HI$H
RE: problem with Basic authentication -- no window to login
assuming you're using linux.. I encountered this problem in mozilla 1.6... downloaded 1.7 version and login window appeared! =)

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 11:21 AM
To: Tomcat Users List
Subject: RE: problem with Basic authentication -- no window to login

I have tried internet explorer and mozilla

Ashish

--- Aris Javier [EMAIL PROTECTED] wrote:

what browser are you using?

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 6:24 AM
To: tomcat-user@jakarta.apache.org
Subject: problem with Basic authentication -- no window to login

Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish

A$HI$H
Re: problem with Basic authentication -- no window to login
IE on Linux, interesting. Add the resource link to your context.xml file to give the system access to the user database/file.

    <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>

Doug

- Original Message -
From: Aris Javier [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Friday, January 21, 2005 12:20 AM
Subject: RE: problem with Basic authentication -- no window to login

assuming you're using linux.. I encountered this problem in mozilla 1.6... downloaded 1.7 version and login window appeared! =)

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 11:21 AM
To: Tomcat Users List
Subject: RE: problem with Basic authentication -- no window to login

I have tried internet explorer and mozilla

Ashish

--- Aris Javier [EMAIL PROTECTED] wrote:

what browser are you using?

-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 6:24 AM
To: tomcat-user@jakarta.apache.org
Subject: problem with Basic authentication -- no window to login

Hi i was able to make my application work with form authentication, then i changed the login-config to make it basic authentication like below, but i am not getting any login window, it just gives me no access 403 error why

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
    </login-config>

Ashish

A$HI$H
Basic authentication
I would like to use container-based declarative authentication without the need to modify any files in $CATALINA_HOME/conf directory. To simplify my question a bit: is it somehow possible to make tomcat read tomcat-users.xml from the war file, and not from $CATALINA_HOME/conf?

Michal.
Re: Basic authentication
Hello,

The answer to your question is that you cannot serve the User database (now tomcat-users.xml) from inside a .war file as it cannot be read from in there but you can change its location to be below your webapps directory. This can be achieved by changing the path to it which is currently in Server.xml.

You need not use a flat file format though to serve your username/password combinations just because you are using Basic Authentication. The two are separate issues:

Issue one is: What type of authentication do I want? Form, Basic, Digest, Client-Cert. This is a Sun servlet specification issue/list version 2.2 of which can be found here: http://java.sun.com/products/servlet/2.2/

Issue two is: Where am I going to store my database of users? Database (JDBC Realm), LDAP directory (JNDI Realm), Flat File (Memory Realm), etc. This is a Tomcat container specific issue/list which can be found here: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

Hope this all helps,
Andoni.

- Original Message -
From: Michal Kwiatek [EMAIL PROTECTED]
Newsgroups: gmane.comp.jakarta.tomcat.user
Sent: Thursday, November 11, 2004 4:25 PM
Subject: Basic authentication

I would like to use container-based declarative authentication without the need to modify any files in $CATALINA_HOME/conf directory. To simplify my question a bit: is it somehow possible to make tomcat read tomcat-users.xml from the war file, and not from $CATALINA_HOME/conf?

Michal.
Manager App and basic authentication
Hi, (Sorry, I posted this message under the wrong thread before)

I am using Apache - modjk - Tomcat 5 configuration. The tomcat manager app uses BASIC authentication. When I point my browser to /myurl/manager the browser pops up a dialog box for the username and password. Upon entering the correct information it logs me into the manager app.

I am trying to now use JMeter to log in to the manager app:

    URL: my.machine.com
    port: 80
    path: /manager
    username: u1
    password: p1

When I try to execute the above in JMeter it fails. How do I log into the manager app using JMeter?

Thanks.
Mufaddal Khumri
Software Developer
Waves In Motion
Phone: 602 956 7080 x 26
Email: [EMAIL PROTECTED]
Re: Manager App and basic authentication
I think you should post this to the [EMAIL PROTECTED] mailing list.

To get it to work with JMeter, you'll need to add auth manager to your test plan. Add an entry in the auth manager:

url - leave blank
username - yourUser
password - yourPassword

The documentation for it is here: http://jakarta.apache.org/jmeter/usermanual/component_reference.html#HTTP_Authorization_Manager

peter

On Tue, 9 Nov 2004 17:09:19 -0700, Mufaddal Khumri [EMAIL PROTECTED] wrote:

Hi,

(Sorry, I posted this message under the wrong thread before)

I am using Apache - modjk - Tomcat 5 configuration. The tomcat manager app uses BASIC authentication. When I point my browser to /myurl/manager the browser pops up a dialog box for the username and password. Upon entering the correct information it logs me into the manager app.

I am trying to now use JMeter to log in to the manager app:

URL: my.machine.com
port: 80
path: /manager
username: u1
password: p1

When I try to execute the above in JMeter it fails. How do I log into the manager app using JMeter?

Thanks.

Mufaddal Khumri
Software Developer
Waves In Motion
Phone: 602 956 7080 x 26
Email: [EMAIL PROTECTED]
BASIC authentication without Popup Verification window
Hi!

I can't figure out why my BASIC authorization isn't working for my app. The pages show up as 401 Not Authorized, but no popup authorization window pops up! Further, the admin and manager apps are working using my JDBCRealm (:Enter Password window does pop up).

Help appreciated.

server.xml:
---
    <!--
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" resourceName="UserDatabase"/>
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    -->
    <Realm resourceName="PortalDatabase"
           className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://127.0.0.1:3306/myDB"
           connectionName="myUser" connectionPassword="myPassword"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name" />

web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Maintenance</web-resource-name>
        <url-pattern>/maint/*</url-pattern>
        <url-pattern>/maintenance.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Portal</realm-name>
    </login-config>
    <security-role>
      <description>manager</description>
      <role-name>manager</role-name>
    </security-role>
Re: BASIC authentication without Popup Verification window
Nevermind. I had a 401 page defined in web.xml, so it was being sent there instead of the browser. My mistake.

- Original Message -
From: e-Denton Subscriber [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Saturday, October 23, 2004 4:06 PM
Subject: BASIC authentication without Popup Verification window

Hi!

I can't figure out why my BASIC authorization isn't working for my app. The pages show up as 401 Not Authorized, but no popup authorization window pops up! Further, the admin and manager apps are working using my JDBCRealm (:Enter Password window does pop up).

Help appreciated.

server.xml:
---
    <!--
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" resourceName="UserDatabase"/>
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    -->
    <Realm resourceName="PortalDatabase"
           className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://127.0.0.1:3306/myDB"
           connectionName="myUser" connectionPassword="myPassword"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name" />

web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Maintenance</web-resource-name>
        <url-pattern>/maint/*</url-pattern>
        <url-pattern>/maintenance.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Portal</realm-name>
    </login-config>
    <security-role>
      <description>manager</description>
      <role-name>manager</role-name>
    </security-role>
RE: type in twice for basic authentication???
Hi,

Does 4.1.30 behave better? Or 5.0.27? (5.0.28 has http://issues.apache.org/bugzilla/show_bug.cgi?id=31372 which might affect this use-case)

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Monday, October 04, 2004 1:59 AM
To: Tomcat Users List
Subject: RE: type in twice for basic authentication???

Tomcat 4.1.27 -- please help!

- Original message -
From: Mark Thomas [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Date: Sat, 2 Oct 2004 10:03:49 +0100
Subject: RE: type in twice for basic authentication???

What version of tomcat?

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:38 PM
To: Tomcat Users List
Subject: Re: type in twice for basic authentication???

Yeah, I need some major help on this to figure out what's going on! We have a Windows version and a Linux version of the database. I just changed my DSN over to the Linux one, and now it pops up 4 times!!! No, wait...sometimes it still logs you in just after 2 times, and sometimes it takes as many as 6! Also, sometimes when browsing the site, it makes you log in again in places where it didn't used to.

You see, we have a main database that drives our web app, but we've been using a MySQL db to authenticate, and we'd like to get rid of that so we can just deal with one database. However, our main database is behaving strangely. Now, when clicking over to some of the other JSPs in the site, it will pop up and ask for the username and password in places it didn't used to do that (and no, it shouldn't be changing contexts or anything like that).

- Original message -
From: Stephen Charles Huey [EMAIL PROTECTED]
To: Tomcat User [EMAIL PROTECTED]
Date: Fri, 01 Oct 2004 17:10:32 -0500
Subject: type in twice for basic authentication???

When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
basic authentication
Anybody have a clue as to why my basic authentication box would keep coming back at me 2-6 times before letting me in, even though I'm typing the correct username and password every single time? This is Tomcat 4.1.27
RE: type in twice for basic authentication???
You should definitely try 4.1.30 (or 5.0.27). There were a bunch of fixes between 4.1.29 and 4.1.30 to the JDBC realm. There is a good chance that the behaviour you see is related to bug 11929.

Mark

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, October 04, 2004 2:12 PM
To: Tomcat Users List
Subject: RE: type in twice for basic authentication???

Hi,

Does 4.1.30 behave better? Or 5.0.27? (5.0.28 has http://issues.apache.org/bugzilla/show_bug.cgi?id=31372 which might affect this use-case)

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Monday, October 04, 2004 1:59 AM
To: Tomcat Users List
Subject: RE: type in twice for basic authentication???

Tomcat 4.1.27 -- please help!

- Original message -
From: Mark Thomas [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Date: Sat, 2 Oct 2004 10:03:49 +0100
Subject: RE: type in twice for basic authentication???

What version of tomcat?

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:38 PM
To: Tomcat Users List
Subject: Re: type in twice for basic authentication???

Yeah, I need some major help on this to figure out what's going on! We have a Windows version and a Linux version of the database. I just changed my DSN over to the Linux one, and now it pops up 4 times!!! No, wait...sometimes it still logs you in just after 2 times, and sometimes it takes as many as 6! Also, sometimes when browsing the site, it makes you log in again in places where it didn't used to.

You see, we have a main database that drives our web app, but we've been using a MySQL db to authenticate, and we'd like to get rid of that so we can just deal with one database. However, our main database is behaving strangely. Now, when clicking over to some of the other JSPs in the site, it will pop up and ask for the username and password in places it didn't used to do that (and no, it shouldn't be changing contexts or anything like that).

- Original message -
From: Stephen Charles Huey [EMAIL PROTECTED]
To: Tomcat User [EMAIL PROTECTED]
Date: Fri, 01 Oct 2004 17:10:32 -0500
Subject: type in twice for basic authentication???

When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
RE: type in twice for basic authentication???
Tomcat 4.1.27 -- please help!

- Original message -
From: Mark Thomas [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Date: Sat, 2 Oct 2004 10:03:49 +0100
Subject: RE: type in twice for basic authentication???

What version of tomcat?

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:38 PM
To: Tomcat Users List
Subject: Re: type in twice for basic authentication???

Yeah, I need some major help on this to figure out what's going on! We have a Windows version and a Linux version of the database. I just changed my DSN over to the Linux one, and now it pops up 4 times!!! No, wait...sometimes it still logs you in just after 2 times, and sometimes it takes as many as 6! Also, sometimes when browsing the site, it makes you log in again in places where it didn't used to.

You see, we have a main database that drives our web app, but we've been using a MySQL db to authenticate, and we'd like to get rid of that so we can just deal with one database. However, our main database is behaving strangely. Now, when clicking over to some of the other JSPs in the site, it will pop up and ask for the username and password in places it didn't used to do that (and no, it shouldn't be changing contexts or anything like that).

- Original message -
From: Stephen Charles Huey [EMAIL PROTECTED]
To: Tomcat User [EMAIL PROTECTED]
Date: Fri, 01 Oct 2004 17:10:32 -0500
Subject: type in twice for basic authentication???

When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
RE: type in twice for basic authentication???
What version of tomcat?

-Original Message-
From: Stephen Charles Huey [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 11:38 PM
To: Tomcat Users List
Subject: Re: type in twice for basic authentication???

Yeah, I need some major help on this to figure out what's going on! We have a Windows version and a Linux version of the database. I just changed my DSN over to the Linux one, and now it pops up 4 times!!! No, wait...sometimes it still logs you in just after 2 times, and sometimes it takes as many as 6! Also, sometimes when browsing the site, it makes you log in again in places where it didn't used to.

You see, we have a main database that drives our web app, but we've been using a MySQL db to authenticate, and we'd like to get rid of that so we can just deal with one database. However, our main database is behaving strangely. Now, when clicking over to some of the other JSPs in the site, it will pop up and ask for the username and password in places it didn't used to do that (and no, it shouldn't be changing contexts or anything like that).

- Original message -
From: Stephen Charles Huey [EMAIL PROTECTED]
To: Tomcat User [EMAIL PROTECTED]
Date: Fri, 01 Oct 2004 17:10:32 -0500
Subject: type in twice for basic authentication???

When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
type in twice for basic authentication???
When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
Re: type in twice for basic authentication???
Yeah, I need some major help on this to figure out what's going on! We have a Windows version and a Linux version of the database. I just changed my DSN over to the Linux one, and now it pops up 4 times!!! No, wait...sometimes it still logs you in just after 2 times, and sometimes it takes as many as 6! Also, sometimes when browsing the site, it makes you log in again in places where it didn't used to.

You see, we have a main database that drives our web app, but we've been using a MySQL db to authenticate, and we'd like to get rid of that so we can just deal with one database. However, our main database is behaving strangely. Now, when clicking over to some of the other JSPs in the site, it will pop up and ask for the username and password in places it didn't used to do that (and no, it shouldn't be changing contexts or anything like that).

- Original message -
From: Stephen Charles Huey [EMAIL PROTECTED]
To: Tomcat User [EMAIL PROTECTED]
Date: Fri, 01 Oct 2004 17:10:32 -0500
Subject: type in twice for basic authentication???

When my web app pops up a basic authentication box, I type in the username and password, and then it bounces back with blank text boxes asking for it again. Every time when I type them in a second time it then lets me in! What's going on?

Here's what I have in my server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:dbname"
           userTable="users" userNameCol="userid" userCredCol="password"
           userRoleTable="roles" roleNameCol="role" />
basic authentication and custom 401 error page
Hi,

We are running our applications on Tomcat 4 and 5. On both versions we are having problems with the basic authentication. The problem is that I haven't found a way to overwrite the default 401 error page with a custom page.

If I add an error-page element in web.xml for error 401

    <error-page>
      <error-code>401</error-code>
      <location>/err401.html</location>
    </error-page>

then the username/password window is completely ignored and the err401.html page displayed.

I searched the archives and different forums but there are a lot of people asking for help with similar problems without any responses. I found two reported bugs related to that issue: 12194 and 22617 for tomcat 3 and 4. I didn't find any bugs for tomcat 5 but it is still not working for me.

Any suggestions will be appreciated.

Thanks,
Ross
Re: basic authentication and custom 401 error page
Hi Ross,

Simply adding an error page will not do. You need to have a servlet that will set the status of the response-page as 403 (HttpServletResponse.SC_UNAUTHORIZED)

Look at the code-implementation of Security-Filter. It's good. http://sf.net/projects/securityfilter

HTH

Happy Hacking,
Gaurav Vaish
http://www.mastergaurav.org

On Fri, 24 Sep 2004 09:33:13 -0500, Angelov, Rossen [EMAIL PROTECTED] wrote:

Hi,

We are running our applications on Tomcat 4 and 5. On both versions we are having problems with the basic authentication. The problem is that I haven't found a way to overwrite the default 401 error page with a custom page.

If I add an error-page element in web.xml for error 401

    <error-page>
      <error-code>401</error-code>
      <location>/err401.html</location>
    </error-page>

then the username/password window is completely ignored and the err401.html page displayed.

I searched the archives and different forums but there are a lot of people asking for help with similar problems without any responses. I found two reported bugs related to that issue: 12194 and 22617 for tomcat 3 and 4. I didn't find any bugs for tomcat 5 but it is still not working for me.

Any suggestions will be appreciated.

Thanks,
Ross
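One way to keep the browser's login dialog while still serving a custom 401 body, as an added example that is not code from this thread: point the error-page location at a servlet that re-issues the Basic challenge itself. The class name, the /err401 mapping and the realm string are assumptions; the realm must match the realm-name in login-config, and newer containers use jakarta.servlet instead of javax.servlet.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical error-page target. Assumed web.xml wiring:
 *   a <servlet>/<servlet-mapping> pair that maps this class to /err401, and
 *   <error-page><error-code>401</error-code><location>/err401</location></error-page>
 */
public class Err401Servlet extends HttpServlet {

    // Assumption: must equal <realm-name> in <login-config>, otherwise the
    // browser treats this as a different protection space.
    private static final String REALM = "Example Realm";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The error dispatch keeps the original request method (GET, POST, ...),
        // so service() is overridden instead of doGet().

        // Without this header a 401 is just an error page: the browser has no
        // challenge to answer and never opens the username/password dialog.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // The body is what the user sees after cancelling the dialog.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        // Static text only: nothing from the request is echoed back.
        out.println("<html><head><title>Authentication required</title></head>");
        out.println("<body><h1>Authentication required</h1>");
        out.println("<p>Valid credentials are needed to view this page.</p>");
        out.println("</body></html>");
    }
}
```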
RE : Customizing BASIC authentication
For example, Spec 2.3 specifies:

The getRemoteUser method returns the user name the client used for authentication. If no user has been authenticated, the getRemoteUser method returns null.

getRemoteUser(): ... Whether the user name is sent with each subsequent request depends on the browser and type of authentication.

-Original Message-
From: Robert Bateman [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 August 2004 20:42
To: Tomcat Users List
Subject: Re: Customizing BASIC authentication

Someone please correct me if I'm wrong here...

Also be aware that non-protected pages will not provide you with a value to request.getRemoteUser(). I had assumed I could get the remote user from any page once the user logged in, but it doesn't work as I expected. I believe there *was* a bug report over on the TC bugzilla system and the response I remember was that the system was working as designed.

Bob

On Saturday 14 August 2004 12:13 am, Jacob Kjome wrote:

You can use request.getRemoteUser() to obtain the username. The password is not really accessible except by examining the http headers.

Jake

At 11:21 PM 8/13/2004 -0400, you wrote:

Hi all,

I've been spending the last few hours reading about realms, valves, authenticators and the like, and I'm totally confused. I'm hoping if I describe my situation, someone can help me cut through the fog.

I'm working on a simple web app that will feed custom RSS XML to clients that must use basic authentication. In my application, I need to do more than just look up users somewhere. Instead, the login/password values returned via basic authentication headers will be used in some fairly complex ways to both authenticate and then construct the custom response.

What is the simplest way to customize basic authentication in Tomcat 4? It seems that realms are not the way to go, since they just handle authentication and have nothing to do with the request/response. Valves/authenticators seem like overkill. Form based authentication is not an option.

Can I have Tomcat manage basic authentication headers but pass the login/password values to my code? And can I then have access to that information in the servlet that creates the response?

Many thanks,
Fred
Re: Customizing BASIC authentication
Hi,

Thanks to you both, but my question is not so much about how to get the user name in the request. Instead, it's this: I need to use basic authentication (i.e. the browser pops up the login), but then I need to run custom code to actually check the login and password with an internal system, instead of the usual options available out of the box (memory realms, jdbc realms, etc.)

I thought at first I would need a custom realm, but several messages on this list gave me the impression that a realm can't really affect the request/response. I need to not only do custom authentication, but the response will also be completely customized to the user who logs in.

I'm still learning here, but realms seem to be too limited, valves seem to be too complex for the job. Is there a simple middle ground?

Thanks again,
Fred

At 02:41 PM 8/16/2004 -0400, you wrote:

Someone please correct me if I'm wrong here...

Also be aware that non-protected pages will not provide you with a value to request.getRemoteUser(). I had assumed I could get the remote user from any page once the user logged in, but it doesn't work as I expected. I believe there *was* a bug report over on the TC bugzilla system and the response I remember was that the system was working as designed.

Bob

On Saturday 14 August 2004 12:13 am, Jacob Kjome wrote:

You can use request.getRemoteUser() to obtain the username. The password is not really accessible except by examining the http headers.

Jake

At 11:21 PM 8/13/2004 -0400, you wrote:

Hi all,

I've been spending the last few hours reading about realms, valves, authenticators and the like, and I'm totally confused. I'm hoping if I describe my situation, someone can help me cut through the fog.

I'm working on a simple web app that will feed custom RSS XML to clients that must use basic authentication. In my application, I need to do more than just look up users somewhere. Instead, the login/password values returned via basic authentication headers will be used in some fairly complex ways to both authenticate and then construct the custom response.

What is the simplest way to customize basic authentication in Tomcat 4? It seems that realms are not the way to go, since they just handle authentication and have nothing to do with the request/response. Valves/authenticators seem like overkill. Form based authentication is not an option.

Can I have Tomcat manage basic authentication headers but pass the login/password values to my code? And can I then have access to that information in the servlet that creates the response?

Many thanks,
Fred
Re: Customizing BASIC authentication
Someone please correct me if I'm wrong here...

Also be aware that non-protected pages will not provide you with a value to request.getRemoteUser(). I had assumed I could get the remote user from any page once the user logged in, but it doesn't work as I expected. I believe there *was* a bug report over on the TC bugzilla system and the response I remember was that the system was working as designed.

Bob

On Saturday 14 August 2004 12:13 am, Jacob Kjome wrote:

You can use request.getRemoteUser() to obtain the username. The password is not really accessible except by examining the http headers.

Jake

At 11:21 PM 8/13/2004 -0400, you wrote:

Hi all,

I've been spending the last few hours reading about realms, valves, authenticators and the like, and I'm totally confused. I'm hoping if I describe my situation, someone can help me cut through the fog.

I'm working on a simple web app that will feed custom RSS XML to clients that must use basic authentication. In my application, I need to do more than just look up users somewhere. Instead, the login/password values returned via basic authentication headers will be used in some fairly complex ways to both authenticate and then construct the custom response.

What is the simplest way to customize basic authentication in Tomcat 4? It seems that realms are not the way to go, since they just handle authentication and have nothing to do with the request/response. Valves/authenticators seem like overkill. Form based authentication is not an option.

Can I have Tomcat manage basic authentication headers but pass the login/password values to my code? And can I then have access to that information in the servlet that creates the response?

Many thanks,
Fred
Customizing BASIC authentication
Hi all,

I've been spending the last few hours reading about realms, valves, authenticators and the like, and I'm totally confused. I'm hoping if I describe my situation, someone can help me cut through the fog.

I'm working on a simple web app that will feed custom RSS XML to clients that must use basic authentication. In my application, I need to do more than just look up users somewhere. Instead, the login/password values returned via basic authentication headers will be used in some fairly complex ways to both authenticate and then construct the custom response.

What is the simplest way to customize basic authentication in Tomcat 4? It seems that realms are not the way to go, since they just handle authentication and have nothing to do with the request/response. Valves/authenticators seem like overkill. Form based authentication is not an option.

Can I have Tomcat manage basic authentication headers but pass the login/password values to my code? And can I then have access to that information in the servlet that creates the response?

Many thanks,
Fred
Re: Customizing BASIC authentication
You can use request.getRemoteUser() to obtain the username. The password is not really accessible except by examining the http headers.

Jake

At 11:21 PM 8/13/2004 -0400, you wrote:

Hi all,

I've been spending the last few hours reading about realms, valves, authenticators and the like, and I'm totally confused. I'm hoping if I describe my situation, someone can help me cut through the fog.

I'm working on a simple web app that will feed custom RSS XML to clients that must use basic authentication. In my application, I need to do more than just look up users somewhere. Instead, the login/password values returned via basic authentication headers will be used in some fairly complex ways to both authenticate and then construct the custom response.

What is the simplest way to customize basic authentication in Tomcat 4? It seems that realms are not the way to go, since they just handle authentication and have nothing to do with the request/response. Valves/authenticators seem like overkill. Form based authentication is not an option.

Can I have Tomcat manage basic authentication headers but pass the login/password values to my code? And can I then have access to that information in the servlet that creates the response?

Many thanks,
Fred
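The header examination mentioned in this thread, as an added example that is not code from any of the posters: a stand-alone parser for the Authorization value a servlet would read with request.getHeader("Authorization"). The class and method names are assumptions, the sample headers in main are constructed, and java.util.Base64 needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeader {

    /** Decoded user-id and password from one Authorization header. */
    static final class Credentials {
        final String user;
        final String password;

        Credentials(String user, String password) {
            this.user = user;
            this.password = password;
        }
    }

    /**
     * Parses an "Authorization: Basic base64(user:password)" header value.
     * Returns null for anything that is not a well-formed Basic credential,
     * so the caller can answer 401 instead of guessing.
     */
    static Credentials parse(String headerValue) {
        if (headerValue == null) {
            return null; // the client sent no credentials
        }
        String value = headerValue.trim();
        // The scheme name is case-insensitive; other schemes are rejected.
        if (!value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(value.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // token is not valid Base64
        }
        // Assumption: the client encoded the pair as UTF-8; older clients
        // may send ISO-8859-1 instead.
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Only the first ':' separates user from password, so a password
        // may itself contain ':'.
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    private static String encode(String pair) {
        return Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured traffic.
        String[] samples = {
            "Basic " + encode("fred:s3cret"),    // ordinary case
            "basic " + encode("fred:pa:ss"),     // lower-case scheme, ':' in password
            "Basic " + encode("fred:"),          // empty password
            "Digest username=\"fred\"",          // different scheme
            "Basic not*base64",                  // corrupt token
            "Basic " + encode("nocolon"),        // separator missing
            null                                 // header absent
        };
        for (String header : samples) {
            Credentials c = parse(header);
            if (c == null) {
                System.out.println("rejected -> respond 401 with WWW-Authenticate");
            } else {
                // Report only the length so the password never reaches a log.
                System.out.println("user=" + c.user + " passwordLength=" + c.password.length());
            }
        }
    }
}
```

Base64 is an encoding, not encryption, so the decoded password is exactly what crossed the wire; the check against the internal system belongs behind TLS.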
Re: Re: BASIC authentication not working, PLEASE HELP !
Hi Michele,

Thanks for the tip. I didn't know about this option. However, I found what the problem was. If you look at my web.xml file, you'll see I forgot the 's' in security-conStraint. The most incredible thing is that Tomcat 5 didn't complain at all !!! And guess how I figured it out ? I thought there was a bug in the container so I downloaded Tomcat 4. And immediately this version complained about the misspelling... I'm quite surprised (and disappointed) because I did change the level of traces in the server.xml and no valuable information came out :-(. I hope this post will keep other newbies from getting stuck like I was.

Thanks, Laurent

Message of 23/07/04 at 21:36
From: Michele Ouellet [EMAIL PROTECTED]
To: Laurent Le Moux [EMAIL PROTECTED]
Cc:
Subject: Re: BASIC authentication not working, PLEASE HELP !

Hi Laurent,

Did you start tomcat with the -security flag on the command line?

Michele Ouellet
Stelvio Inc.

----- Original Message -----
From: Laurent Le Moux [EMAIL PROTECTED]
Newsgroups: comp.lang.java.security
Sent: Thursday, July 22, 2004 10:27 AM
Subject: BASIC authentication not working, PLEASE HELP !

Hi ! I have been struggling for two days now with Tomcat 5 BASIC authentication. I read many posts about the problem but most of the people seem to have a login window appearing. I don't :-( jsp security examples, manager and admin work fine but my application just acts as if no authentication was required... I really don't see what's wrong with my config files. Can anybody help me, please ?!! Hereafter are the xml files :

-- tomcat-users.xml :

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="standard"/>
  <role rolename="manager"/>
  <user username="llemoux" password="llemoux" roles="standard,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>

-- web.xml :

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4">
  <security-contraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>standard</role-name>
    </auth-constraint>
  </security-contraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>standard</role-name>
  </security-role>
</web-app>

-- server.xml :

<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Used by Manager webapp -->
    <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter> <name>factory</name> <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value> </parameter>
      <parameter> <name>pathname</name> <value>conf/tomcat-users.xml</value> </parameter>
    </ResourceParams>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" />
    <!-- This is here for compatibility only, not required -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Logger className="org.apache.catalina.logger.FileLogger"/>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
      <Host name="localhost" appBase="webapps"/>
      <DefaultContext>
        <Resource name="jdbc/JSDB" auth="Container" type="javax.sql.DataSource"/>
        <ResourceParams name="jdbc/JSDB">
          <parameter> <name>factory</name> <value>org.apache.commons.dbcp.BasicDataSourceFactory</value> </parameter>
          <parameter> <name>maxActive</name> <value>3</value> </parameter>
          <parameter> <name>maxIdle</name> <value>1</value> </parameter>
          <parameter> <name>username</name> <value>jSDB</value> </parameter>
          <parameter> <name>password</name> <value>jSDB</value> </parameter>
          <parameter> <name>driverClassName</name> <value>org.hsqldb.jdbcDriver</value> </parameter>
          <parameter> <name>url</name> <value>jdbc:hsqldb:hsql://localhost</value> </parameter>
        </ResourceParams>
      </DefaultContext>
    </Engine>
  </Service>
</Server>
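A check for the failure described in the message above, where a misspelled security-contraint element was accepted without complaint and the application ran unprotected. This is an added example, not code from the thread or from Tomcat; the element lists are the Servlet 2.4 deployment descriptor names, the finding labels are made up for this sketch, and the sample input is the posted web.xml with its markup restored.

```python
import difflib
import xml.etree.ElementTree as ET

# Elements allowed directly under <web-app> in a Servlet 2.4 descriptor.
KNOWN_TOP_LEVEL = {
    "description", "display-name", "icon", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "jsp-config", "security-constraint", "login-config", "security-role",
    "env-entry", "ejb-ref", "ejb-local-ref", "service-ref", "resource-ref",
    "resource-env-ref", "message-destination-ref", "message-destination",
    "locale-encoding-mapping-list",
}
# Elements allowed directly under <security-constraint>.
KNOWN_CONSTRAINT_CHILDREN = {
    "display-name", "web-resource-collection", "auth-constraint",
    "user-data-constraint",
}

# Constructed sample: the web.xml from the post, typo included.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4">
  <security-contraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>standard</role-name>
    </auth-constraint>
  </security-contraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>standard</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Drop a '{namespace}' prefix so descriptors with and without xmlns compare equal."""
    return tag.rsplit("}", 1)[-1]


def _unknown(children, allowed, parent):
    """Report child elements that are not in the allowed set, with a spelling guess."""
    findings = []
    for child in children:
        name = _local(child.tag)
        if name not in allowed:
            guess = difflib.get_close_matches(name, sorted(allowed), n=1, cutoff=0.8)
            findings.append(("unknown-element", f"{parent}/{name}",
                             guess[0] if guess else None))
    return findings


def lint_web_xml(data):
    """Return a list of (kind, subject, suggestion) findings for a web.xml given as bytes."""
    root = ET.fromstring(data)
    if _local(root.tag) != "web-app":
        return [("not-a-descriptor", _local(root.tag), None)]

    findings = _unknown(root, KNOWN_TOP_LEVEL, "web-app")
    constraints = [c for c in root if _local(c.tag) == "security-constraint"]
    for constraint in constraints:
        findings += _unknown(constraint, KNOWN_CONSTRAINT_CHILDREN, "security-constraint")

    # A login method with nothing to protect means no request is ever challenged.
    has_login = any(_local(c.tag) == "login-config" for c in root)
    if has_login and not constraints:
        findings.append(("login-config-without-constraint", "web-app/login-config", None))

    # Roles used in auth-constraint should be declared in a security-role.
    declared = {r.text.strip() for c in root if _local(c.tag) == "security-role"
                for r in c if _local(r.tag) == "role-name" and r.text}
    for constraint in constraints:
        for auth in constraint:
            if _local(auth.tag) != "auth-constraint":
                continue
            for r in auth:
                role = (r.text or "").strip()
                if _local(r.tag) == "role-name" and role != "*" and role not in declared:
                    findings.append(("undeclared-role", role, None))
    return findings


if __name__ == "__main__":
    for finding in lint_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Run against a descriptor before deployment, an empty result means every top-level element was recognised and the login configuration has at least one constraint to enforce.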
BASIC authentication not working, PLEASE HELP !
Hello,

I found the following interesting answer from Craig R. McClanahan to Sim IJskes concerning the use of BASIC authentication :

I was able to get basic authentication working by editing the file $TOMCAT_HOME/webapps/examples/WEB-INF/web.xml and changing the auth-method element from FORM to BASIC. Then, accessing the following URL: http://localhost:8080/examples/jsp/security/protected correctly caused the basic authentication dialog to come up, and it correctly rejected all username/password combinations other than the one defined in the conf/tomcat-users.xml file (tomcat/tomcat). If you can find a scenario like this that doesn't work correctly, could you please report it?

I did exactly the same test but I have a scenario like this that doesn't work correctly ;-) ! I have been struggling for two days now with Tomcat 5 BASIC authentication. I read many posts about the problem but most of the people seem to have a login window appearing. I don't :-( jsp security examples (quoted above), manager and admin authentication work fine but my application just acts as if no authentication was required... I really don't see what's wrong with my config files. The server.xml is a copy of the server-minimal.xml one where I added a database resource. The web.xml is based on $TOMCAT_HOME/server/webapps/manager/WEB-INF/web.xml (i.e. a working example). Can anybody help me, please ?!! Hereafter are the xml files :

-- tomcat-users.xml :

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="standard"/>
  <role rolename="manager"/>
  <user username="llemoux" password="llemoux" roles="standard,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>

-- web.xml :

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4">
  <security-contraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>standard</role-name>
    </auth-constraint>
  </security-contraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>standard</role-name>
  </security-role>
</web-app>

-- server.xml :

<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Used by Manager webapp -->
    <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter> <name>factory</name> <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value> </parameter>
      <parameter> <name>pathname</name> <value>conf/tomcat-users.xml</value> </parameter>
    </ResourceParams>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" />
    <!-- This is here for compatibility only, not required -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Logger className="org.apache.catalina.logger.FileLogger"/>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
      <Host name="localhost" appBase="webapps"/>
      <DefaultContext>
        <Resource name="jdbc/JSDB" auth="Container" type="javax.sql.DataSource"/>
        <ResourceParams name="jdbc/JSDB">
          <parameter> <name>factory</name> <value>org.apache.commons.dbcp.BasicDataSourceFactory</value> </parameter>
          <parameter> <name>maxActive</name> <value>3</value> </parameter>
          <parameter> <name>maxIdle</name> <value>1</value> </parameter>
          <parameter> <name>username</name> <value>jSDB</value> </parameter>
          <parameter> <name>password</name> <value>jSDB</value> </parameter>
          <parameter> <name>driverClassName</name> <value>org.hsqldb.jdbcDriver</value> </parameter>
          <parameter> <name>url</name> <value>jdbc:hsqldb:hsql://localhost</value> </parameter>
        </ResourceParams>
      </DefaultContext>
    </Engine>
  </Service>
</Server>
basic authentication or not?
In a nutshell, I'm wondering if it's better NOT to use basic authentication. We have over 10,000 regular users, and I think it would be good for us to move to a more standard login page instead of that authentication box that pops up. My question is, would we have to change a lot to do this? At the moment, I'm not even sure we're using basic authentication, and below I will outline my attempt to determine if we're even using it...

When you type the URL to our website, it pops up an authentication box before it shows you anything else and you must get past that to get into the web app. As far as I understand (the original developer is no longer with us), we are using basic authentication with Tomcat 4. However, I was perusing this document to figure out where our basic authentication is configured and it doesn't look like we have all this stuff: http://www.jguru.com/faq/view.jsp?EID=1131436

Notable exceptions are any security-constraint or login-config nodes in our web.xml, and since the example on the jguru page put BASIC in the login-config node, I'm really not sure that we're using basic authentication (although that's still my gut feeling). In our server.xml, I see that both of the following are uncommented, but I'm guessing that only the second one is being used since I don't think we have anything (no JNDI) set up for the first one:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0" resourceName="UserDatabase" />

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://127.0.0.1/mainDB" connectionName="user" connectionPassword="pass" userTable="users" userNameCol="Username" userCredCol="Password" userRoleTable="roles" roleNameCol="Role" />

Aside from the big database used by our web application, we have a small MySQL database whose sole purpose is to authenticate users. Would it be just as simple to continue using that for authentication if we moved away from this popup box authentication? Is there any good reason to have this authentication database outside of our main database? Or is this somehow protecting our web app more--making you authenticate before you ever communicate with anything in our site (e.g. a LoginServlet or something like that).

I know this is long...I appreciate any feedback, though!

Thanks, Stephen
Re: basic authentication or not?
(Please, create new messages when mailing the list. Responding to unrelated messages causes confusion for those of us who use thread-aware mailers.)

: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you create a custom login page that maintains your app's look and feel. (read: that's all *I* have used it for ;)

: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no security-constraint or login-config elements in the web.xml. You're checking the app-specific web.xml in WEB-INF, and not the general one in the Tomcat install dir? (Sorry to ask; I have to check.) Yet, there's a Realm def in server.xml? Perhaps auth is being done elsewhere (say, the web server), hence the Realm isn't being used, and is leftover from an earlier configuration. Unlikely, but worth investigating.

: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users. Would it be
: just as simple to continue using that for authentication if we moved
: away from this popup box authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to continue using this database. Provided, of course, the passwords are hashed in the way JDBCRealm expects.

: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic. This also lets you share that single auth DB among several apps, and each app can have its own database for its data.

-QM
-- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com
Re: basic authentication or not?
As long as you authenticate your users in https, to prevent the passwords from traveling across the internet unencrypted, you can use any method.

Filip

----- Original Message -----
From: QM [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 4:04 PM
Subject: Re: basic authentication or not?

(Please, create new messages when mailing the list. Responding to unrelated messages causes confusion for those of us who use thread-aware mailers.)

: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you create a custom login page that maintains your app's look and feel. (read: that's all *I* have used it for ;)

: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no security-constraint or login-config elements in the web.xml. You're checking the app-specific web.xml in WEB-INF, and not the general one in the Tomcat install dir? (Sorry to ask; I have to check.) Yet, there's a Realm def in server.xml? Perhaps auth is being done elsewhere (say, the web server), hence the Realm isn't being used, and is leftover from an earlier configuration. Unlikely, but worth investigating.

: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users. Would it be
: just as simple to continue using that for authentication if we moved
: away from this popup box authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to continue using this database. Provided, of course, the passwords are hashed in the way JDBCRealm expects.

: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic. This also lets you share that single auth DB among several apps, and each app can have its own database for its data.

-QM
-- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com
Re: basic authentication or not?
Duh. I was looking in the general Tomcat web.xml--yes, in my app-specific one, we're using BASIC authentication. Ok, so Tomcat knows to use the additional MySQL database for authentication.

Right now, if you go to www.ourDomain.com it'll make you authenticate and then it will forward you to the default web application at www.ourDomain.com/DefaultApp/Welcome.jsp, and we have several web apps and you can cross from one to the other without authenticating, so you could go up and modify the URL to www.ourDomain.com/OtherApp/index.jsp and you'd be there instantly.

So my question is, if we changed to form-based authentication so we could present our look and feel from the start, would it work for authenticating all the web apps if the login page was under a particular web app's folder? In other words, where would and could we stick a Login.jsp that would be presented to the user when you type www.ourDomain.com?

Thanks so much, Stephen

----- Original message -----
From: QM [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Date: Thu, 17 Jun 2004 16:04:21 -0500
Subject: Re: basic authentication or not?

(Please, create new messages when mailing the list. Responding to unrelated messages causes confusion for those of us who use thread-aware mailers.)

: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you create a custom login page that maintains your app's look and feel. (read: that's all *I* have used it for ;)

: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no security-constraint or login-config elements in the web.xml. You're checking the app-specific web.xml in WEB-INF, and not the general one in the Tomcat install dir? (Sorry to ask; I have to check.) Yet, there's a Realm def in server.xml? Perhaps auth is being done elsewhere (say, the web server), hence the Realm isn't being used, and is leftover from an earlier configuration. Unlikely, but worth investigating.

: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users. Would it be
: just as simple to continue using that for authentication if we moved
: away from this popup box authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to continue using this database. Provided, of course, the passwords are hashed in the way JDBCRealm expects.

: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic. This also lets you share that single auth DB among several apps, and each app can have its own database for its data.

-QM
-- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com
HTTP BASIC Authentication
Hi

Our CMS is using its own security control system. We can login users using forms. Now I want to use BASIC Authentication. So (upon clicking a special link) a login form should appear (browser built-in) and I need to get the username and password inside my servlet. How can I do this? Any hints are welcome.

Thanks, Steffen
Re: HTTP BASIC Authentication
SH Solutions wrote: Hi

You can use Acegi Spring Security, or, much simpler, use the HTTP protocol with the servlet.
How to retrieve Username and Password in a Basic Authentication in Tomcat?
Hello, I am using the Basic Authentication in Tomcat and I would like to know if there is a way of retrieving the username and the password that have been typed. Thanks Elisabeth
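The exchange behind the two questions above (making the browser's built-in dialog appear, then reading the user name and password on the server), shown at the level of the HTTP headers a servlet would send and receive. This is an added example, not code from the thread; the realm name and the one-entry user store are constructed, the latter mirroring the tomcat/tomcat pair quoted earlier on this page. The credentials arrive only base64-encoded, which is why the HTTPS advice given earlier in this archive applies.

```python
import base64
import hmac

REALM = "example"  # hypothetical realm name shown in the browser dialog

# Constructed sample store; a real deployment would query its realm instead.
USERS = {"tomcat": "tomcat"}


def challenge(realm=REALM):
    """Server side, step 1: a 401 with this header makes the browser show its login box."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def parse_basic(header_value, charset="utf-8"):
    """Server side, step 2: return (user, password) from an Authorization value.

    Returns None for a missing header, another scheme, bad base64, undecodable
    bytes, or a payload without the ':' separator.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":  # scheme names are case-insensitive
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode(charset)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Only the first ':' separates the fields; the password may contain more.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_credentials(user, password):
    """Compare against the sample store without leaking timing on the password."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def handle(request_headers, verify=check_credentials):
    """Return (status, response_headers, authenticated_user) for one request."""
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is None or not verify(*creds):
        return challenge() + (None,)
    return 200, {}, creds[0]


def client_header(user, password):
    """Client side: what the browser sends after the dialog is filled in."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(handle({}))                                  # first request: challenged
    print(handle(client_header("tomcat", "tomcat")))   # retry with credentials
    print(handle(client_header("tomcat", "wrong")))    # challenged again
```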
Basic Authentication
Hi all,

I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.

Thanks very much for any help.

Bao-Ha Dam Bui [EMAIL PROTECTED] St. Jude Medical, Inc 651.765.1018

This communication may contain information that is proprietary, privileged, confidential or legally exempt from disclosure. If you are not a named addressee, you are notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so may be unlawful. If you have received this communication in error, please notify the sender via return e-mail and delete it from your computer. Thank you. St. Jude Medical, Inc.
RE: Basic Authentication
Maybe through the navigator object in the user's browser; you must check that there is no permission constraint for that.

--
From: Bui, Bao-Ha D[SMTP:[EMAIL PROTECTED]
Reply-To: Tomcat Users List
Sent: Friday, December 5, 2003 13:45
To: 'Tomcat Users List'
Subject: Basic Authentication

Hi all,

I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.

Thanks very much for any help.

Bao-Ha Dam Bui [EMAIL PROTECTED] St. Jude Medical, Inc 651.765.1018
Re: Basic Authentication
You might want to read the comments on the following URL - it shows how to configure authentication with a Windows domain, but apparently, it's out of date:

http://www.raibledesigns.com/page/rd?anchor=easy_windows_authentication_with_tomcat

Matt

On Dec 5, 2003, at 9:45 AM, Bui, Bao-Ha D wrote:

Hi all,

I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.

Thanks very much for any help.

Bao-Ha Dam Bui [EMAIL PROTECTED] St. Jude Medical, Inc 651.765.1018
Re: Basic Authentication
http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:

Hi all,

I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.
RE: Basic Authentication
Here is the exact code to do it my friend. Redirect or whatever you want, after the System.out.println

-Jesse

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class AuthenticationServlet extends HttpServlet {

    // Step 2: Challenge message (NTLM Type 2) with a fixed nonce
    private static final byte[] CHALLENGE_MESSAGE = {
        (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', 0,
        2, 0, 0, 0, 0, 0, 0, 0,
        40, 0, 0, 0, 1, (byte)130, 0, 0,
        0, 2, 2, 2, 0, 0, 0, 0, // nonce
        0, 0, 0, 0, 0, 0, 0, 0};

    /**
     * Obtain the network ID from the HTTP request
     */
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        try {
            String auth = req.getHeader("Authorization");
            if (auth == null) {
                // No credentials yet: ask the browser to start NTLM
                res.setContentLength(0);
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                res.setHeader("WWW-Authenticate", "NTLM");
                res.flushBuffer();
                return;
            }
            if (!auth.startsWith("NTLM ")) {
                return;
            }
            // java.util.Base64 replaces sun.misc.BASE64Decoder/BASE64Encoder,
            // which are not available on Java 9 and later
            byte[] msg = Base64.getDecoder().decode(auth.substring(5).trim());

            // Step 1: Negotiation message received
            if (msg[8] == 1) {
                // Send challenge message (Step 2); encodeToString adds no line
                // break, which a header value must not contain
                res.setContentLength(2);
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                res.setHeader("WWW-Authenticate",
                        "NTLM " + Base64.getEncoder().encodeToString(CHALLENGE_MESSAGE));
                res.flushBuffer();
                return;
            }

            // Step 3: Authentication message received.
            // The LM/NT response fields of this message are never verified and
            // the nonce above is constant, so the names read below are whatever
            // the client sent.
            if (msg[8] == 3) {
                int off = 30;
                int length, offset;
                // Bytes are signed in Java: mask before combining
                length = ((msg[off+1] & 0xff) << 8) + (msg[off] & 0xff);
                offset = ((msg[off+3] & 0xff) << 8) + (msg[off+2] & 0xff);
                String domain = new String(msg, offset, length);
                length = ((msg[off+9] & 0xff) << 8) + (msg[off+8] & 0xff);
                offset = ((msg[off+11] & 0xff) << 8) + (msg[off+10] & 0xff);
                // Local variable: a servlet instance is shared between requests
                String user = new String(msg, offset, length);
                length = ((msg[off+17] & 0xff) << 8) + (msg[off+16] & 0xff);
                offset = ((msg[off+19] & 0xff) << 8) + (msg[off+18] & 0xff);
                String ws = new String(msg, offset, length);
                System.out.println("Username: " + removeBlanks(user)
                        + " Domain: " + removeBlanks(domain)
                        + " Workstation: " + removeBlanks(ws));
            }
        } catch (Throwable ex) {
            ex.printStackTrace();
        }
    }

    /**
     * Removes non-printable characters from a string
     */
    private String removeBlanks(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c > ' ')
                sb.append(c);
        }
        return sb.toString();
    }
}

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:58 AM
To: Tomcat Users List
Subject: Re: Basic Authentication

http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:

Hi all,

I need to capture the WinNT account name of users to a jsp page. We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Windows). Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on the Apache website but did not quite get it.
Basic Authentication
Hello,

I have a third party application named Intraspect5.6. It uses Tomcat 4.1 as servlet engine. It uses Basic Authentication. I want to use the same Basic Authentication used by Intraspect for my custom application that I have deployed in the same Tomcat instance. From my webapp, can I go to the table where Intraspect stores the userid and passwords and decode the password? Or is there a better way? I also do not understand how Basic Authentication is implemented. Any help please.

Thanks -sumit
RE: Basic Authentication
Can somebody suggest how to implement Basic Authentication in Tomcat4.1 or use an existing Basic Authentication being used by another application?

Thanks -sumit

-----Original Message-----
From: Kumar, Sumit
Sent: Thursday, November 20, 2003 11:44 AM
To: 'Tomcat Users List'
Subject: Basic Authentication

Hello,

I have a third party application named Intraspect5.6. It uses Tomcat 4.1 as servlet engine. It uses Basic Authentication. I want to use the same Basic Authentication used by Intraspect for my custom application that I have deployed in the same Tomcat instance. From my webapp, can I go to the table where Intraspect stores the userid and passwords and decode the password? Or is there a better way? I also do not understand how Basic Authentication is implemented. Any help please.

Thanks -sumit
RE : Basic Authentication
Is it not used in the class java.net.Authenticator ? See it.

-----Original Message-----
From: Kumar, Sumit [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 7:01 PM
To: 'Tomcat Users List'
Subject: RE: Basic Authentication

Can somebody suggest how to implement Basic Authentication in Tomcat4.1 or use an existing Basic Authentication being used by another application?

Thanks -sumit

-----Original Message-----
From: Kumar, Sumit
Sent: Thursday, November 20, 2003 11:44 AM
To: 'Tomcat Users List'
Subject: Basic Authentication

Hello,

I have a third party application named Intraspect5.6. It uses Tomcat 4.1 as servlet engine. It uses Basic Authentication. I want to use the same Basic Authentication used by Intraspect for my custom application that I have deployed in the same Tomcat instance. From my webapp, can I go to the table where Intraspect stores the userid and passwords and decode the password? Or is there a better way? I also do not understand how Basic Authentication is implemented. Any help please.

Thanks -sumit
Re: Mutual and Basic Authentication switched on for the same web application
Mutual Authentication is where a user needs to have a Client Side certificate to login to a web application which is using a Server Side Certificate.

The Present is more Real than the Past or the Future Put together

From: Tim Funk [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Mutual and Basic Authentication switched on for the same web application
Date: Wed, 24 Sep 2003 17:52:07 -0400

What is mutual authentication? In web.xml you can define security constraints on servlets or URLs. Each constraint can have its own login requirements. (FORM vs BASIC ...)

-Tim

Rudolf Castelino wrote:

Hi all

Is there a way to switch on Mutual and Basic Authentication for the same web application, such that certain URLs need Basic Authentication and certain URLs use Mutual Authentication for the same web application?

Regards Rudolf
Re: Mutual and Basic Authentication switched on for the same web application
In that case, security constraints in web.xml should be fine. (Google for more detail)

-Tim

Rudolf Castelino wrote:

Mutual Authentication is where a user needs to have a Client Side certificate to login to a web application which is using a Server Side Certificate.

The Present is more Real than the Past or the Future Put together

From: Tim Funk [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Mutual and Basic Authentication switched on for the same web application
Date: Wed, 24 Sep 2003 17:52:07 -0400

What is mutual authentication? In web.xml you can define security constraints on servlets or URLs. Each constraint can have its own login requirements. (FORM vs BASIC ...)

-Tim
Mutual and Basic Authentication switched on for the same web application
Hi all

Is there a way to switch on Mutual and Basic Authentication for the same web application, such that certain URLs need Basic Authentication and certain URLs use Mutual Authentication for the same web application?

Regards Rudolf
Re: Mutual and Basic Authentication switched on for the same web application
What is mutual authentication? In web.xml you can define security constraints on servlets or URLs. Each constraint can have its own login requirements. (FORM vs BASIC ...)

-Tim

Rudolf Castelino wrote:

Hi all

Is there a way to switch on Mutual and Basic Authentication for the same web application, such that certain URLs need Basic Authentication and certain URLs use Mutual Authentication for the same web application?

Regards Rudolf
RE: Can JSP track users in a basic authentication protected realm ?
Your best bet when dealing with authentication and users not logging off is to also include a session expiry for your page. This handles the case where a user leaves without logging off.

-Hakan

-----Original Message-----
From: Jon Wingfield [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 6:25 AM
To: Tomcat Users List
Subject: Re: Can JSP track users in a basic authentication protected realm ?

You could possibly track the referer header of the request. If the referer is a site outside your protection domain then re-authenticate. This could be done in a filter: Check the header, log out the user, redirect to the requested page to trigger re-authentication. This technique assumes the referer header has been set by the browser. As it's not a mandatory header you may not always get it: http://www.w3.org/Protocols/rfc2616/rfc2616.txt Specifically section 14.36 Referer

HTH, Jon

David wrote:

Actually I do not know how to do it. I know those internet banking sites do it. They have this option of Log out for their users. When users click on that log out option, they will in effect log out of the protected realm. Should they decide to return to the same site again (using the same instance of the IE) they will be prompted for the password and ID again.

Currently, with basic authentication (implemented using HTTP SERVER) the server does not recognise if the user has moved onto another site outside the protected realm. If he decides to surf an area outside the protected realm, and decides to return to the protected realm, he will not be prompted for a password. This problem arises when the computer being used to access my protected realm is a public computer. If that is the case, users who enter my protected realm and forget to terminate that instance of the IE are going to allow subsequent users of that machine to access my site.

My question is how can I implement such a way as mentioned above ? The log out button kind of effect. Many thanks.

Regards David

-----Original Message-----
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 21, 2003 12:47 AM
To: 'Tomcat Users List'
Subject: RE: Can JSP track users in a basic authentication protected realm ?

Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?

-----Original Message-----
From: David [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 9:56 AM
To: Tomcat User
Subject: Can JSP track users in a basic authentication protected realm ?

Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password. I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again. Some people suggested CGI, some suggest PHP.. I would like to know if JSP can do the job. If yes, what level of competence in JSP do I need ?
Re: Can JSP track users in a basic authentication protected realm ?
You could possibly track the referer header of the request. If the referer is a site outside your protection domain then re-authenticate. This could be done in a filter: Check the header, log out the user, redirect to the requested page to trigger re-authentication.

This technique assumes the referer header has been set by the browser. As it's not a mandatory header you may not always get it:
http://www.w3.org/Protocols/rfc2616/rfc2616.txt
Specifically section 14.36 Referer

HTH,
Jon

David wrote:

Actually I do not know how to do it. I know those internet banking sites do it. They have this option of Log out for their users. When users click on that log out option, they will in effect log out of the protected realm. Should they decide to return to the same site again (using the same instance of the IE) they will be prompted for the password and ID again.

Currently, with basic authentication (implemented using HTTP SERVER) the server does not recognise if the user has moved onto another site outside the protected realm. If he decides to surf an area outside the protected realm, and decides to return to the protected realm, he will not be prompted for a password.

This problem arises when the computer being used to access my protected realm is a public computer. If that is the case, users who enter my protected realm and forgot to terminate that instance of the IE are going to allow subsequent users of that machine to access my site.

My question is how can I implement such a way as mentioned above? The log out button kind of effect.

Many thanks.

Regards
David

-----Original Message-----
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 21, 2003 12:47 AM
To: 'Tomcat Users List'
Subject: RE: Can JSP track users in a basic authentication protected realm ?

Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?

-----Original Message-----
From: David [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 9:56 AM
To: Tomcat User
Subject: Can JSP track users in a basic authentication protected realm ?

Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password.

I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.

Some people suggested CGI, some suggest PHP. I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?
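One way to write the filter suggested in the reply above, as an added example that is not code from the thread. It answers an off-site Referer with a 401 challenge instead of a redirect, because a browser replays cached Basic credentials on a plain redirect; the class name, session attribute and realm string are assumptions, and the filter is assumed to be mapped to the protected URLs in web.xml.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: re-challenge when the user arrives from another site.
public class ExternalRefererReauthFilter implements Filter {
    // Hypothetical marker: set when a challenge was sent, cleared on the retry.
    private static final String CHALLENGED = "reauth.challenged";
    // Assumed realm; use the same string as <realm-name> in web.xml.
    private static final String CHALLENGE = "Basic realm=\"Protected Area\"";

    public void init(FilterConfig config) { }
    public void destroy() { }

    // Referer is optional (RFC 2616, 14.36): when it is absent nothing can be
    // decided, so the request is treated as internal. A Referer that does not
    // parse or has no host is treated as external.
    static boolean isExternal(String referer, String serverName) {
        if (referer == null || referer.length() == 0) return false;
        try {
            String host = new URI(referer).getHost();
            return host == null || !host.equalsIgnoreCase(serverName);
        } catch (URISyntaxException e) {
            return true;
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        if (isExternal(req.getHeader("Referer"), req.getServerName())) {
            HttpSession session = req.getSession(false);
            boolean challenged = session != null
                    && session.getAttribute(CHALLENGED) != null;
            if (!challenged) {
                // First request after coming back: drop server-side state and
                // make the browser ask for the password again.
                if (session != null) session.invalidate();
                req.getSession(true).setAttribute(CHALLENGED, Boolean.TRUE);
                res.setHeader("WWW-Authenticate", CHALLENGE);
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Retry that followed the challenge (same Referer, credentials
            // typed again): clear the marker and let it through. This relies
            // on the browser returning the session cookie.
            session.removeAttribute(CHALLENGED);
        }
        chain.doFilter(req, res);
    }
}
```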
Can JSP track users in a basic authentication protected realm ?
Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password.

I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.

Some people suggested CGI, some suggest PHP. I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?
RE: Can JSP track users in a basic authentication protected realm ?
Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?

-----Original Message-----
From: David [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 9:56 AM
To: Tomcat User
Subject: Can JSP track users in a basic authentication protected realm ?

Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password.

I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.

Some people suggested CGI, some suggest PHP. I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?
RE: Can JSP track users in a basic authentication protected realm ?
Actually I do not know how to do it. I know those internet banking sites do it. They have this option of Log out for their users. When users click on that log out option, they will in effect log out of the protected realm. Should they decide to return to the same site again (using the same instance of the IE) they will be prompted for the password and ID again.

Currently, with basic authentication (implemented using HTTP SERVER) the server does not recognise if the user has moved onto another site outside the protected realm. If he decides to surf an area outside the protected realm, and decides to return to the protected realm, he will not be prompted for a password.

This problem arises when the computer being used to access my protected realm is a public computer. If that is the case, users who enter my protected realm and forgot to terminate that instance of the IE are going to allow subsequent users of that machine to access my site.

My question is how can I implement such a way as mentioned above? The log out button kind of effect.

Many thanks.

Regards
David

-----Original Message-----
From: George Sexton [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 21, 2003 12:47 AM
To: 'Tomcat Users List'
Subject: RE: Can JSP track users in a basic authentication protected realm ?

Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?

-----Original Message-----
From: David [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 9:56 AM
To: Tomcat User
Subject: Can JSP track users in a basic authentication protected realm ?

Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password.

I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.

Some people suggested CGI, some suggest PHP. I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?
Basic authentication works - form authentication does not work
I'm having a problem that I was unable to find any info on in the documentation or the mailing list archives. I've set up Basic Authentication with Tomcat 4.1.27 and an Oracle LDAP server. I've got this working just fine but what I really want is Form-Based Authentication which has thus far eluded me.

When I switch the authentication method through the application's web.xml file, I manage to get the correct login screen (so I know that the new xml file is being deployed.) When I enter the same name and password that worked with basic authentication, however, I get the error page that I specified.

It should also be noted that in the working basic case, the catalina.out file shows all sorts of activity (connecting to LDAP server, plus the attempt to authenticate the user, etc.) When I switch to form, I only see the initial (successful) connection to the LDAP server. It appears that Tomcat is not even attempting to verify the information anymore. This makes me think this is either a Tomcat bug or I've configured Tomcat incorrectly (as opposed to there being a problem with my LDAP setup.)

Any thoughts?

TIA
- sean
Re: JAASRealm with Basic Authentication
Quoting from the recent 'Tomcat: The Definitive Guide' book:

At the time of this writing, this realm (i.e. JAAS) implementation does not seem to work

Possibly it still doesn't.
JAASRealm with Basic Authentication
I am trying to run my JAASRealm implementation, and I have it working successfully on my own apps using Form-based authentication, but when I try to use it for tomcat's manager tool (configured in webapps/manager.xml) or any other app using basic authentication, I have problems.

First of all tomcat throws a NullPointerException which originates from:

Caused by: java.lang.NullPointerException
  at org.apache.catalina.realm.JAASCallbackHandler.handle(JAASCallbackHandler.java:156)
  at javax.security.auth.login.LoginContext$5.run(LoginContext.java:812)

At this point, the browser has just got the authentication request and it shows me the basic authentication dialog. Then when I submit, with the wrong password, I get the retry? dialog, but with the correct password, tomcat gives me a 403: access denied.

I can see in tomcat's source that JAASCallbackHandler is not handling a null password, but I don't understand why it is being passed a null password. I think there must be an exception in auth.login.LoginContext.run() which is being swallowed, resulting in null user pw parameters being passed.

Any help appreciated!

Adam
Basic Authentication not work for directory
Hi, all -

I've configured Tomcat 4.1.18 on RH Linux 8 server. Then I need some authentication for certain directories under webapps. So I configured server.xml, web.xml and tomcat-users.xml creating a role and its username with password. It works only for individual files with an extension name, but never works for a directory. As you see in the following code, it pops up the basic authentication window for all *.doc files, but does not work for files under the /document directory.

Anyone had the same experience?

===== web.xml =====

  <security-constraint>
    <display-name>Security Check</display-name>
    <web-resource-collection>
      <web-resource-name>Basic Authentication</web-resource-name>
      <url-pattern>*.doc</url-pattern>
      <url-pattern>/document/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tom</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Doc Authentication</realm-name>
  </login-config>
  <security-role>
    <role-name>tom</role-name>
  </security-role>

===== tomcat-users.xml =====

  <tomcat-users>
    <role rolename="tom" />
    <role rolename="role1" />
    <user name="tomcat" password="tomcat" roles="tom" />
    <user name="role1" password="tomcat" roles="role1" />
    <user name="both" password="tomcat" roles="tom,role1" />
  </tomcat-users>
RE: Basic Authentication not work for directory
try /document/* as the url-pattern or /document/*.doc if you want the .doc files under /document to be protected ...

-----Original Message-----
From: Daniel Zhang [mailto:[EMAIL PROTECTED]
Sent: 22. juli 2003 14:48
To: Tomcat Users List
Subject: Basic Authentication not work for directory

Hi, all -

I've configured Tomcat 4.1.18 on RH Linux 8 server. Then I need some authentication for certain directories under webapps. So I configured server.xml, web.xml and tomcat-users.xml creating a role and its username with password. It works only for individual files with an extension name, but never works for a directory. As you see in the following code, it pops up the basic authentication window for all *.doc files, but does not work for files under the /document directory.

Anyone had the same experience?

===== web.xml =====

  <security-constraint>
    <display-name>Security Check</display-name>
    <web-resource-collection>
      <web-resource-name>Basic Authentication</web-resource-name>
      <url-pattern>*.doc</url-pattern>
      <url-pattern>/document/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tom</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Doc Authentication</realm-name>
  </login-config>
  <security-role>
    <role-name>tom</role-name>
  </security-role>

===== tomcat-users.xml =====

  <tomcat-users>
    <role rolename="tom" />
    <role rolename="role1" />
    <user name="tomcat" password="tomcat" roles="tom" />
    <user name="role1" password="tomcat" roles="role1" />
    <user name="both" password="tomcat" roles="tom,role1" />
  </tomcat-users>
Re: Basic Authentication not work for directory
As you see in my web.xml file, I've already put /document/* as a url-pattern (<url-pattern>/document/*</url-pattern>). The question is that under the /document directory there are some other types of file like *.pdf, *.txt which need to be protected. I also have these types of file in other directories which need to be public. So if I put *.doc, it will block all doc files.

BTW, /document/*.doc never works. You still can get a doc file under document without the authentication window popping up. The only way to block doc files is to put *.doc between <url-pattern> and </url-pattern>. It is not right as what many tomcat documents state, is it?

-Daniel

Abid Ali Teepo wrote:

try /document/* as the url-pattern or /document/*.doc if you want the .doc files under /document to be protected ...

-----Original Message-----
From: Daniel Zhang [mailto:[EMAIL PROTECTED]
Sent: 22. juli 2003 14:48
To: Tomcat Users List
Subject: Basic Authentication not work for directory

Hi, all -

I've configured Tomcat 4.1.18 on RH Linux 8 server. Then I need some authentication for certain directories under webapps. So I configured server.xml, web.xml and tomcat-users.xml creating a role and its username with password. It works only for individual files with an extension name, but never works for a directory. As you see in the following code, it pops up the basic authentication window for all *.doc files, but does not work for files under the /document directory.

Anyone had the same experience?

===== web.xml =====

  <security-constraint>
    <display-name>Security Check</display-name>
    <web-resource-collection>
      <web-resource-name>Basic Authentication</web-resource-name>
      <url-pattern>*.doc</url-pattern>
      <url-pattern>/document/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tom</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Doc Authentication</realm-name>
  </login-config>
  <security-role>
    <role-name>tom</role-name>
  </security-role>

===== tomcat-users.xml =====

  <tomcat-users>
    <role rolename="tom" />
    <role rolename="role1" />
    <user name="tomcat" password="tomcat" roles="tom" />
    <user name="role1" password="tomcat" roles="role1" />
    <user name="both" password="tomcat" roles="tom,role1" />
  </tomcat-users>
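An added example, not code from the thread: how the Servlet specification's mapping rules classify the three url-pattern strings discussed above. A pattern is a path prefix (starts with "/" and ends with "/*"), an extension ("*.ext"), the default "/", or otherwise an exact string, so "/document/*.doc" is compared literally rather than as a wildcard. The class name and the sample request paths are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

public class UrlPatternCheck {
    enum Kind { PATH_PREFIX, EXTENSION, DEFAULT, EXACT }

    // Classify a url-pattern the way the Servlet specification does.
    static Kind kindOf(String pattern) {
        if (pattern.equals("/")) return Kind.DEFAULT;
        if (pattern.startsWith("/") && pattern.endsWith("/*")) return Kind.PATH_PREFIX;
        if (pattern.startsWith("*.")) return Kind.EXTENSION;
        return Kind.EXACT; // everything else, including "/document/*.doc"
    }

    // True when a context-relative request path falls under the pattern.
    static boolean matches(String pattern, String path) {
        switch (kindOf(pattern)) {
            case PATH_PREFIX: {
                // "/document/*" covers "/document" and everything below it.
                String prefix = pattern.substring(0, pattern.length() - 2);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            case EXTENSION: {
                // Only the last path segment's extension counts.
                int slash = path.lastIndexOf('/');
                int dot = path.lastIndexOf('.');
                return dot > slash
                        && path.substring(dot + 1).equals(pattern.substring(2));
            }
            case DEFAULT:
                return true; // simplification: "/" is the catch-all mapping
            default:
                return path.equals(pattern);
        }
    }

    public static void main(String[] args) {
        // Patterns from the thread: two from the posted web.xml, one suggested.
        List<String> patterns =
                Arrays.asList("*.doc", "/document/*", "/document/*.doc");
        // Constructed request paths (relative to the web application root).
        List<String> paths = Arrays.asList(
                "/document/a.doc", "/document/b.pdf", "/document/sub/c.txt",
                "/public/d.doc", "/public/e.pdf");

        for (String p : patterns) {
            System.out.println(p + " is " + kindOf(p));
        }
        for (String path : paths) {
            StringBuilder hits = new StringBuilder();
            for (String p : patterns) {
                if (matches(p, path)) hits.append(p).append(' ');
            }
            System.out.println(path + " -> "
                    + (hits.length() == 0 ? "no constraint" : hits.toString().trim()));
        }
    }
}
```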
Basic Authentication and eternal 403
Using tomcat 4.1.24, it appears that if using Basic authentication and a user enters a valid username but an invalid password, access to the restricted page is forbidden from then on (403 error code is returned all the time). User is never given a second chance at typing the username and password. Could someone explain what one is supposed to do in such a situation to get a second chance? (is it the browser or tomcat?)
Tomcat and Apache Basic Authentication
I have a box where Apache's basic authentication is working fine, via directives in httpd.conf or an .htaccess file in the selected directory. However, when the selected directory is located under the webapp context directory, Apache serves it up without any prompting for any username and password, no 401 response header, nada. It's as if the URL to any webapp bypasses Apache's authentication modules and sends the request straight to the connector.

I'm using Webapp (I know, I know). Is there a special setting to make Webapp obey Apache's authentication system? Any suggestions or pointers are appreciated.

--
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
reposting: error page for basic authentication
Is it possible to define an error page for the basic authentication? And if yes, how/where?

I have tried to define an error-page for code 401, but realized that I am using a constraint on everything, thus I am guessing that the error page may be falling under the constraint as well. (Not sure about that though.)

Thus, how can I modify HTTP Status 401 - Unauthorized to be what I want it to be? All I basically want is to have a little more attractive message saying sorry, you're not allowed in there, or something like that.

I've tried to look for the solution on the web, but didn't have any luck. Any help is greatly appreciated.

Vladimer Shioshvili
QRC Division of Macro International Inc.
7315 Wisconsin Avenue, Suite 400W
Bethesda, MD 20814
Phone: (301) 657 3077 ext. 155