Hey Chris,

Yes, I know that BASIC authentication doesn't use nonces, so I don't think that this is the root cause. Just forget about the nonce timeout. For full information: I played around with the timeout and used values of 1, 5 and 20 minutes.
But as I discovered that the 401 also appears with BASIC authentication, I would suggest testing with this. I reconfigured Tomcat, because the configuration differs. That's what I did to test both cases. I hope I can create a small test case tomorrow.

Thank you for your answer,
Andreas

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 26 November 2014 17:20
> To: Tomcat Users List
> Subject: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
>
> Andreas,
>
> On 11/26/14 5:42 AM, Kehlenbach, Andreas wrote:
> > I think I found the following bug in tomcat 7/8 with the following setup:
> >
> > We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and deployed a web service with jersey 1.18.2. Additionally we set up HTTP authentication. In our case DIGEST authentication, but I tried BASIC authentication and the observed behavior is the same. We have a web service with login and logout methods, as well as some other methods which can only be invoked if a login request was made previously. Authentication works fine, till some point in time. At this point the client receives an HTTP response 401 Unauthorized. I double checked that the client sends correct credentials and nonce values. On the server side I enabled logging (see attached log file). The log shows two web service calls; the first one returns successfully, the last one reports the 401 error.
> > As one can see in lines 12 and 13
> >
> > FEIN: Calling authenticate()
> > Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
> >
> > Tomcat delegates the authentication request to the RealmBase class, logs some stuff and returns with
> >
> > FEIN: Successfully passed all security constraints
> >
> > But in case of my error just these three lines are logged:
> >
> > FEIN: Calling authenticate()
> > Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
> > FEIN: Failed authenticate() test
> >
> > My server.xml is as follows:
> >
> > <…
> > <Engine name="Catalina" defaultHost="localhost">
> >   <Realm className="org.apache.catalina.realm.LockOutRealm">
> >     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >            resourceName="UserDatabase" digest="md5"/>
> >   </Realm>
> >
> >   <Host name="localhost" appBase="webapps" unpackWARs="true"
> >         autoDeploy="true" deployOnStartup="true">
> >
> >     <Valve className="org.apache.catalina.valves.AccessLogValve"
> >            directory="logs" prefix="localhost_access_log." suffix=".txt"
> >            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> >
> >   </Host>
> > </Engine>
> > <…
> >
> > I also tried to remove the LockOutRealm, but without success. As far as I understand, with this setup the class org.apache.catalina.realm.CombinedRealm.java is invoked to handle authentication. If I further understand correctly, then the method authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2) is also invoked. This method iterates over all configured Realms. It seems to me that, in case of the 401 error, the list of realms (line 51) is empty and thus authentication fails.
> >
> > The error only occurs after many calls to the webservice. I was unable to identify any pattern, but it seems related to the nonce timeout, somehow. Could one verify this bug?
>
> What is the nonce timeout?
>
> Note that HTTP BASIC authentication does not use nonces, so the nonce timeout wouldn't be the cause under those circumstances.
>
> How did you switch testing from HTTP DIGEST to HTTP BASIC authentication? The stored credentials are of course incompatible. If you created a small test case, can you share it with us?
>
> -chris

________________________________________________________________________
PROSTEP AG, Dolivostraße 11, D-64293 Darmstadt
Commercial register: Amtsgericht Darmstadt, HRB 8383
Management board: Dr. Bernd Pätzold (chair), Reinhard Betz
Supervisory board: Dr. Heinz-Gerd Lehnhoff (chair)
________________________________________________________________________
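As an added illustration (not code from the thread or from Tomcat itself) of the parameters named in the quoted CombinedRealm.authenticate(...) signature: the RFC 2617 digest arithmetic behind clientDigest and md5a2, a CombinedRealm-style loop over a realm list that can only fail when the list is empty, and why a credential stored for DIGEST (digest="md5") cannot verify a BASIC login, which is Chris's point about incompatible stored credentials. The realm name, user and password are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def stored_for_digest_auth(username, realm, password):
    # With DIGEST auth and digest="md5", Tomcat stores HA1 = MD5(username:realm:password).
    return md5_hex(f"{username}:{realm}:{password}")


def stored_for_basic_auth(password):
    # With BASIC auth and digest="md5", the stored value is plain MD5(password):
    # a different string, so one user database cannot serve both schemes.
    return md5_hex(password)


def client_digest_response(ha1, method, uri, nonce, nc, cnonce, qop):
    # Client side of RFC 2617: md5a2 = MD5(method:uri),
    # response = MD5(HA1:nonce:nc:cnonce:qop:md5a2).
    md5a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")


def authenticate_digest(realms, username, client_digest, nonce, nc, cnonce, qop,
                        realm_name, md5a2):
    # Same shape as CombinedRealm.authenticate(...): ask each realm in turn and
    # return the first match. realm_name is already baked into the stored HA1.
    # An empty realm list can only ever return None, which becomes a 401.
    for realm in realms:
        ha1 = realm.get(username)
        if ha1 is None:
            continue
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")
        if hmac.compare_digest(expected, client_digest):
            return username
    return None


def authenticate_basic(realms, username, password):
    # BASIC compares MD5(password) with the stored value; a DIGEST-form store
    # holds MD5(username:realm:password) and therefore never matches.
    for realm in realms:
        stored = realm.get(username)
        if stored is not None and hmac.compare_digest(stored, md5_hex(password)):
            return username
    return None


# Constructed sample data (not taken from the thread).
REALM = "example-realm"
DIGEST_REALMS = [{"alice": stored_for_digest_auth("alice", REALM, "s3cret")}]
BASIC_REALMS = [{"alice": stored_for_basic_auth("s3cret")}]
```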