I was equally surprised to see this behavior, but my hat is off to the people who read this specification, and implemented it - the RFCs are a can of worms.
The RFC for this (#2617 - "HTTP Authentication: Basic and Digest Access Authentication" - http://www.ietf.org/rfc/rfc2617.txt) says that "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]) of the server being accessed, defines the protection space." The reference to [2] there is to RFC #2616 - "Hypertext Transfer Protocol -- HTTP/1.1" (http://www.ietf.org/rfc/rfc2616.txt), and section 5.1.2 of that says nothing about abs_path, which is defined in RFC #2396 - "Uniform Resource Identifiers (URI): Generic Syntax" (http://www.ietf.org/rfc/rfc2396.txt), and says that abs_path is essentially any path starting with a "/" character.

Bottom line: Server name + Realm name = protection space. The protocol HTTP knows nothing of contexts, so when we define a realm in tomcat, and do not specify a name that includes the context, this should be expected.

It would be nice if there were a way in tomcat to say "include the context in the authentication realm name".

Larry

On Wed, 26 Jan 2005 15:31:46 -0700, Brandon Goodin <[EMAIL PROTECTED]> wrote:
> Here is what solved this. My web.xml in the admin and in the customer
> app were defined as follows:
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Order Inquiry</realm-name>
> </login-config>
>
> Apparently in tomcat you cannot have two contexts with a web.xml that
> shares the same login-config/realm-name. The behavior is VERY
> bizarre. It would seem that the right way to deal with this would be
> to identify the realms based on context. So, if i use the same realm
> name in my web.xml it is totally irrelevant, because the realm is
> scoped in the context.
>
> Is this a bug?
>
> Brandon
>
> On Wed, 26 Jan 2005 11:51:54 -0700, Brandon Goodin
> <[EMAIL PROTECTED]> wrote:
> > I have some strange behavior showing up with Tomcat 5.0.30.
> >
> > I have a host configured with two contexts. The contexts are deployed
> > as wars. But, they have configuration information in the server.xml.
> > Each context has its own realm defined within the context tag. The
> > contexts are named "/admin" and "/customer". The "/customer" context
> > is configured to use a DatasourceRealm for authentication. The
> > "/admin" is configured to use a custom realm called
> > ReverseProxyRealm5. Both contexts share a jndi datasource resource
> > defined in the DefaultContext tag.
> >
> > The odd behavior that i am experiencing happens during an auto reload
> > of the context after both of the war files have been changed. Once the
> > contexts have reloaded and the new war files have been autoDeployed I
> > lose the use of my ReverseProxyRealm5 on the admin context. But, not
> > only do i lose it, it also switches to using the DatasourceRealm as
> > defined in the customer context.
> >
> > After i stop and start tomcat everything is fine again. I have tested
> > this out running Tomcat from the command line and within eclipse with
> > the same resulting behavior.
> >
> > I deleted the /conf/Catalina directory and the /work/Catalina
> > directory for good measure. But, all the behavior continues.
> >
> > Attached is my server.xml host file without the sensitive info.
> >
> > <Host name="oi" debug="0" autoDeploy="true"
> >       appBase="D:\myappbase\projects\oi\dist\war">
> >
> >   <Logger className="org.apache.catalina.logger.FileLogger"
> >           directory="logs" prefix="orderinquiry_log." suffix=".txt"
> >           timestamp="true" />
> >
> >   <DefaultContext>
> >     <Resource name="jdbc/oi" auth="Container"
> >               type="javax.sql.DataSource" />
> >
> >     <ResourceParams name="jdbc/oi">
> >       <parameter>
> >         <name>factory</name>
> >         <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
> >       </parameter>
> >       <parameter>
> >         <name>driverClassName</name>
> >         <value>com.ibm.as400.access.AS400JDBCDriver</value>
> >       </parameter>
> >       <parameter>
> >         <name>url</name>
> >         <value>jdbc:as400://some.url.here.org;naming=system;date format=iso</value>
> >       </parameter>
> >       <parameter>
> >         <name>username</name>
> >         <value>dudesusername</value>
> >       </parameter>
> >       <parameter>
> >         <name>password</name>
> >         <value>dudespassword</value>
> >       </parameter>
> >       <parameter>
> >         <name>maxActive</name>
> >         <value>20</value>
> >       </parameter>
> >       <parameter>
> >         <name>maxIdle</name>
> >         <value>10</value>
> >       </parameter>
> >       <parameter>
> >         <name>maxWait</name>
> >         <value>-1</value>
> >       </parameter>
> >       <parameter>
> >         <name>validationQuery</name>
> >         <value>SELECT 0 FROM qsqptabl</value>
> >       </parameter>
> >     </ResourceParams>
> >   </DefaultContext>
> >
> >   <Context path="/customer" debug="0"
> >            reloadable="true" crossContext="false">
> >
> >     <Realm className="org.apache.catalina.realm.DataSourceRealm"
> >            debug="0" dataSourceName="jdbc/orderinquiry"
> >            localDataSource="true" userTable="UTABLE"
> >            userNameCol="UNAMECOL" userCredCol="PAZZWORD"
> >            userRoleTable="UTABLERL" roleNameCol="UROLE" />
> >
> >   </Context>
> >
> >   <Context path="/admin" debug="0"
> >            reloadable="true" crossContext="false">
> >
> >     <Realm className="com.plumcreek.commons.security.ReverseProxyRealm5" />
> >
> >   </Context>
> >
> > </Host>
> >
> > Thanks,
> > Brandon
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
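The protection-space rule Larry quotes from RFC 2617 (canonical root URL + realm value, realm directive name case-insensitive, realm value case-sensitive) is what makes a browser replay credentials entered for `/customer` against `/admin` when both contexts on the same host send the same `realm-name`. The following is an added example, not code from the thread or from Tomcat: a minimal model of a client-side Basic-auth credential cache keyed exactly as the RFC describes. The host name `oi`, the paths, the realm strings and the credentials are constructed for the demonstration; `demo()` simulates the two-context setup from the thread once with a shared realm and once with a per-context realm.

```python
# Added example (not from the original thread or from Tomcat): models how an
# HTTP client scopes cached Basic-auth credentials by "protection space" =
# canonical root URL + realm (RFC 2617, section 1.2). Host names, paths and
# credentials below are constructed for illustration only.
import re
from urllib.parse import urlsplit


def canonical_root(url):
    """Return scheme://host[:port], i.e. the absoluteURI with an empty abs_path.
    Scheme and host are case-insensitive; a default port is dropped so that
    http://oi/ and http://oi:80/ name the same server."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


# Directive name "realm" is matched case-insensitively; the captured value is
# used verbatim (the realm VALUE is case-sensitive per the RFC).
_REALM_RE = re.compile(r'(?i)\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_basic_challenge(header_value):
    """Extract the realm from a WWW-Authenticate value such as
    'Basic realm="Order Inquiry"'. Raises if the realm directive is absent,
    since the RFC makes it required for any scheme that issues a challenge."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic challenge: " + header_value)
    match = _REALM_RE.search(params)
    if match is None:
        raise ValueError("realm directive is required but missing")
    realm = match.group(1) if match.group(1) is not None else match.group(2)
    return realm.replace('\\"', '"')


def protection_space(url, challenge):
    """The cache key: (canonical root URL, realm). Note that the request path
    (the Tomcat context) is deliberately NOT part of the key."""
    return (canonical_root(url), parse_basic_challenge(challenge))


class CredentialCache:
    """Minimal model of a browser's Basic-auth credential store."""

    def __init__(self):
        self._store = {}

    def remember(self, url, challenge, username, password):
        self._store[protection_space(url, challenge)] = (username, password)

    def lookup(self, url, challenge):
        """Credentials the client would send pre-emptively, or None."""
        return self._store.get(protection_space(url, challenge))


def demo(shared_realm=True):
    """Simulate /customer and /admin on one host. Returns the credentials the
    client would replay to /admin after the user logged in to /customer."""
    cache = CredentialCache()
    customer_challenge = 'Basic realm="Order Inquiry"'
    if shared_realm:
        admin_challenge = 'Basic realm="Order Inquiry"'       # same as customer
    else:
        admin_challenge = 'Basic realm="Order Inquiry /admin"' # context in name
    cache.remember("http://oi/customer/", customer_challenge, "cust", "pw1")
    return cache.lookup("http://oi/admin/", admin_challenge)


if __name__ == "__main__":
    print("shared realm   ->", demo(shared_realm=True))
    print("distinct realm ->", demo(shared_realm=False))
```

With the shared realm the cache returns the `/customer` credentials for `/admin`; with a realm string that embeds the context it returns nothing and the client is forced to prompt again. That is the client-side half of what the thread observes, and it is why giving each context its own `realm-name` (which is what Brandon did) is the right fix regardless of which Tomcat `Realm` implementation sits behind each context.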
