Hi Ed,

You have a couple of problems. First, you left out the user data constraint transport guarantee tag that forces Tomcat to use HTTPS. A security constraint has to have 3 things:

1- the web resource collection describing what to protect,
2- the authorization constraint describing who gets access, and
3- the user data constraint telling how to protect it at the transport level.

Since you mentioned that you set up port 8443 I presume you want to use secure HTTP, so the transport guarantee has to be set to CONFIDENTIAL. Use NONE for no encryption or INTEGRAL to prevent changes in data but not necessarily to prevent observation of the data during transport.
One note: Port 8443 isn't the default HTTPS port. It is the default in Tomcat so that you can do development without interfering with the production port. If you don't change this to 443 you'll have to put the port number (8443) in your web address to access this webapp.

One other thing that might cause a problem in your web.xml file: you had your login config out of order. It comes before security role. Some parsers are picky about that. The order from the servlet 2.3 specification is:

<!ELEMENT web-app (icon?, display-name?, description?, distributable?, context-param*, filter*, filter-mapping*, listener*, servlet*, servlet-mapping*, session-config?, mime-mapping*, welcome-file-list?, error-page*, taglib*, resource-env-ref*, resource-ref*, security-constraint*, login-config?, security-role*, env-entry*, ejb-ref*, ejb-local-ref*)>

A corrected web.xml file is below. Hope this helps.

Rick

<!-- Servlet 2.3 DTD; the element order below follows it -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <!-- added: without this, Tomcat will serve /secure/* over plain HTTP -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- moved: login-config comes before security-role in the 2.3 DTD -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>User Basic Authentication</realm-name>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>

----- Original Message -----
From: "ed banfa" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 26, 2002 3:23 PM
Subject: Help Urgently needed, Security problem

> Hi,
>
> How is everyone doing, hope ok.
>
> I have this problem with trying to use Basic authentication with my web app. I have Tomcat 4.1.10 up and running on a Win 2000 machine using j2sdk1.4.
>
> Tomcat is listening on port 8443 for SSL connections.
>
> I would like the browser to display a login box to the user when the user attempts to access a protected resource. When I try to check/test the app, it allows me into the restricted area without having to log in. I expect to be prompted to enter a user name and a password but hey, nothing like that happens. What am I doing wrong?
>
> Please if you can help me out I will appreciate it.
>
> Below is what my web.xml looks like. The manager role is the same role name I specified in tomcat-users.xml
>
> <web-app>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secure Area</web-resource-name>
>       <url-pattern>/secure/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>manager</role-name>
>       <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-role>
>     <role-name>manager</role-name>
>   </security-role>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>User Basic Authentication</realm-name>
>   </login-config>
>
> </web-app>
>
> Thanks in advance
>
> Edward
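As an added example that is not part of the thread above (my own script, not Rick's, Ed's, or Tomcat's), here is a small Python audit that applies the checks discussed in the reply to a web.xml: top-level elements in the servlet 2.3 DTD order, a CONFIDENTIAL transport guarantee on every security constraint, and, beyond what the reply covers, that every role named in an auth-constraint is declared in a security-role. The two embedded sample files are constructed copies of the original and corrected web.xml from the thread; the element order list is taken from the DTD declaration quoted in the reply.

```python
"""Audit a servlet 2.3 web.xml for the problems discussed in the thread above:
top-level elements out of DTD order, a missing or weak <transport-guarantee>,
and roles named in an <auth-constraint> that no <security-role> declares.
Added example; not code from the thread or from Tomcat."""
import xml.etree.ElementTree as ET

# Top-level child order from the servlet 2.3 web-app DTD (the <!ELEMENT web-app ...>
# declaration quoted in the reply).
WEB_APP_23_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
RANK = {name: i for i, name in enumerate(WEB_APP_23_ORDER)}


def text_of(elem, path):
    """Stripped text of the first child matching path, or None if absent."""
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit_web_xml(xml_source):
    """Return a list of (code, message) findings; an empty list means clean."""
    root = ET.fromstring(xml_source)
    if root.tag != "web-app":
        return [("ROOT", "root element is <%s>, expected <web-app>" % root.tag)]
    findings = []

    # 1. Element order. Track the furthest DTD position seen so far; an element
    #    that belongs earlier than that position is out of order.
    last_rank, last_tag = -1, None
    for child in root:
        rank = RANK.get(child.tag)
        if rank is None:
            findings.append(("UNKNOWN", "<%s> is not a web-app child in servlet 2.3" % child.tag))
        elif rank < last_rank:
            findings.append(("ORDER", "<%s> must come before <%s>" % (child.tag, last_tag)))
        else:
            last_rank, last_tag = rank, child.tag

    declared = {text_of(sr, "role-name") for sr in root.findall("security-role")}
    for sc in root.findall("security-constraint"):
        name = text_of(sc, "web-resource-collection/web-resource-name") or "?"
        # 2. Transport guarantee: only CONFIDENTIAL forces HTTPS for the resource.
        guarantee = text_of(sc, "user-data-constraint/transport-guarantee")
        if guarantee is None:
            findings.append(("TRANSPORT", "'%s' has no <user-data-constraint>, so HTTPS is not required" % name))
        elif guarantee != "CONFIDENTIAL":
            findings.append(("TRANSPORT", "'%s' uses %s, which does not prevent observation in transit" % (name, guarantee)))
        # 3. Every role the constraint grants must be declared ("*" means any declared role).
        for rn in sc.findall("auth-constraint/role-name"):
            role = (rn.text or "").strip()
            if role != "*" and role not in declared:
                findings.append(("ROLE", "role '%s' in '%s' is not declared in a <security-role>" % (role, name)))
    return findings


# Constructed samples: the original and the corrected web.xml from the thread.
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>manager</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method><realm-name>User Basic Authentication</realm-name></login-config>
</web-app>"""

CORRECTED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>User Basic Authentication</realm-name></login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes, so an XML encoding declaration is honoured
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("original", ORIGINAL_WEB_XML), ("corrected", CORRECTED_WEB_XML)]
    for label, source in samples:
        findings = audit_web_xml(source)
        print("%s: %d finding(s)" % (label, len(findings)))
        for code, message in findings:
            print("  [%s] %s" % (code, message))
```

Run it with no arguments to audit the two samples, or pass the path of a web.xml. On the original file it reports the out-of-order login-config, the missing user-data-constraint, and the undeclared "tomcat" role; on the corrected file only the role finding remains, because the corrected web.xml still declares only "manager" in a security-role while granting access to "tomcat". Note that element order and transport guarantee are separate from authentication: a constraint with no auth-constraint at all would pass the ORDER and TRANSPORT checks yet still let anyone in, so read the findings alongside the file rather than as a pass/fail verdict.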
