I have a stable, working, Struts-based web application running under Tomcat 5.0.28 that uses HTTP BASIC authentication and a JAASRealm (with a home-grown LoginModule and user and role principals) over SSL. The authentication / security has been working with no issues for several releases.

I am now trying to upgrade Tomcat from 5.0.28 to 5.5.12. I've rebuilt the web application using JDK 1.5.0_05. I've followed the usual procedure for installing and configuring Tomcat, including modifying server.xml to remove the deprecated references to Logger. My web application appears to start with no problems according to the various log files.

I then browse to it. I receive the SSL certificate as usual and the browser requests that I log in (via its pop-up box), again as usual. I do so. According to my web application logs, the correct LoginModule is activated, I log in successfully and the appropriate roles are assigned to the user. However, rather than taking me to the home page of the web application, I am redirected to the 403 (permission denied) error page, which displays with the correct images and style sheet.

I've searched the FAQ, bug lists, mailing lists and the web, but have been unable to find any directly relevant help. Any thoughts? In particular, has this area of Tomcat changed? My understanding is that the servlet and JSP specs are the same for Tomcat 5.0 and 5.5, so I should expect the same behaviour. Relevant snippets from "server.xml" and "web.xml" are below.
Thanks,
David

---- Snippet of server.xml ----
<!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost" debug="1">
  <Host name="localhost" debug="1" appBase="webapps" unpackWARs="false"
        autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false">
    <!-- Our auth mechanism -->
    <Realm className="org.apache.catalina.realm.JAASRealm" appName="SSGSP"
           userClassNames="com.avaya.common.auth.UserPrincipal"
           roleClassNames="com.avaya.common.auth.RolePrincipal" debug="1"/>
    <Context className="org.apache.catalina.core.StandardContext" allowLinking="false"
             cachingAllowed="true" charsetMapperClass="org.apache.catalina.util.CharsetMapper"
             cookies="true" crossContext="false" debug="99"
             displayName="Product X Web Application" docBase="../../../Webapps/Collector"
             mapperClass="org.apache.catalina.core.StandardContextMapper" path="/ssg"
             privileged="false" reloadable="false" swallowOutput="true" useNaming="true"
             wrapperClass="org.apache.catalina.core.StandardWrapper">
      <!-- Turn off session caching in the manager -->
      <Manager className="org.apache.catalina.session.StandardManager" pathname=""/>
      ...
    </Context>
  </Host>
</Engine>
---- End snippet from server.xml ----
---- Snippet from web.xml ----
<error-page>
  <error-code>403</error-code>
  <location>/WEB-INF/webpages/error/403.jsp</location>
</error-page>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>home</web-resource-name>
    <url-pattern>/login/*</url-pattern>
    <url-pattern>/admin/summary.do</url-pattern>
    <url-pattern>/webpages/error.jsp</url-pattern>
    <url-pattern>/webpages/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminRole</role-name>
    <role-name>deviceAdminRole</role-name>
    <role-name>customerAdminRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/feature/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminRole</role-name>
    <role-name>customerAdminRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SSGSP</realm-name>
</login-config>
<security-role>
  <description>The admin pages</description>
  <role-name>adminRole</role-name>
</security-role>
<security-role>
  <description>The device admin pages</description>
  <role-name>deviceAdminRole</role-name>
</security-role>
<security-role>
  <description>Customer role</description>
  <role-name>customerAdminRole</role-name>
</security-role>
---- End snippet from web.xml ----
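An added example, not part of the post above: a stand-alone Python checker that reads the security-constraint elements of a web.xml and reports, for a request path and the role names the LoginModule assigned, whether the container's declarative authorization would grant access or answer 403. It applies the servlet-spec url-pattern precedence (exact match, then longest "/prefix/*", then "*.ext", then "/") and unions the role-names of equally specific constraints; the embedded web.xml is constructed from the post's snippet, and an empty auth-constraint, an absent auth-constraint and explicit role-names are assumed to be the only forms in use (no "*" role).

```python
import xml.etree.ElementTree as ET

# Constructed from the post's web.xml snippet; only what the decision depends on is kept.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>home</web-resource-name>
<url-pattern>/login/*</url-pattern><url-pattern>/admin/summary.do</url-pattern>
<url-pattern>/webpages/index.jsp</url-pattern></web-resource-collection>
<auth-constraint><role-name>adminRole</role-name><role-name>deviceAdminRole</role-name>
<role-name>customerAdminRole</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>admin</web-resource-name>
<url-pattern>/admin/*</url-pattern><url-pattern>/feature/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>adminRole</role-name>
<role-name>customerAdminRole</role-name></auth-constraint></security-constraint>
</web-app>"""

def _match_rank(pattern, path):
    """Servlet-spec url-pattern match; higher tuple = more specific, None = no match."""
    if pattern == path:
        return (3, len(pattern))            # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest path-prefix match next
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                       # extension match
    return (0, 0) if pattern == "/" else None   # default pattern last

def required_roles(web_xml, path):
    """Roles any one of which grants access to path; None if path is unconstrained."""
    best, roles = None, None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ranks = [r for up in sc.iter("url-pattern")
                 if (r := _match_rank(up.text.strip(), path)) is not None]
        if not ranks:
            continue
        auth = sc.find("auth-constraint")   # absent => open to everyone
        sc_roles = None if auth is None else {rn.text.strip() for rn in auth.iter("role-name")}
        if best is None or max(ranks) > best:
            best, roles = max(ranks), sc_roles
        elif max(ranks) == best:            # equal specificity: roles are unioned
            roles = None if roles is None or sc_roles is None else roles | sc_roles
    return roles

def is_authorized(web_xml, path, user_roles):
    """True if a user holding user_roles would reach path; False means a 403."""
    need = required_roles(web_xml, path)
    return need is None or bool(need & set(user_roles))
```

Calling `is_authorized(WEB_XML, "/admin/devices.do", ["deviceAdminRole"])` returns False while the same user passes for "/admin/summary.do", because the exact-match constraint lists deviceAdminRole and the "/admin/*" one does not; running the checker over the paths the application redirects through after login shows which role assignment each one actually needs.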