Arno,

Welcome to Tomcat!

First of all, thanks for providing all of the background.

Second of all, thanks for doing all of this hard work.

Third of all, I'm probably not going to be as much help as many other
people here will be, but I'll give it a shot.

Comments are inline.

On 7/17/2015 10:03 AM, Arno Schäfer wrote:
> Hi all,
> 
> I am using Tomcat 7.0.54 with Java 1.7 and 1.8 on a Windows 8.1
> system, maintaining our webapp with around 1000 JSP pages, and I am
> NOT a web developer.
> 
> I have inherited this application and all of the previous owners
> are no longer available. So for the last 2 months I have done a lot
> of reading and debugging of the whole bunch of Java and JSP code,
> and I think that I have at least a basic understanding of what the
> software is doing and how it is implemented. In the last days I
> found a lot of configuration issues and I was able to get the whole
> thing running in a very downsized environment built on a standard
> Tomcat installation. I got rid of all special configuration inside
> the server.xml, so that I was able to fix some things and do it as
> it is described in the beautiful Tomcat documentation and the
> available wikis.
> 
> That's only for some explanation, before the stupid questions
> follow:
> 
> I have to use basic authentication without my own login form. The
> behavior I see is that when the webapp is starting, a realm instance
> is correctly created and initialized in my webapp, but when the first
> request arrives, Tomcat itself also instantiates one object of
> this class and takes the credentials from the automatically appearing
> login form (here IExplorer 11).
> 
> My understanding from reading the documentation is that if I
> configure my own realm in my context.xml (which I have done), then
> the webapp will use it.

Yes, if you place the Realm definition in context.xml, then only that
particular web application will use it. If you place the Realm
definition in a <Host> element, then all applications for that host
will use it. Finally, if you place the Realm definition inside the
<Engine> element, all virtual hosts inside that Engine will use it.

> That seems to be ok, but why does Tomcat itself also instantiate an
> object of my custom realm and take the first request when I want
> to access my webapp? Therefore I have no control of my own over my
> JSessions and so my session management leaks, because I didn't get
> the info from the logins that Tomcat is doing now.
> 
> What is wrong in my configuration or in my understanding? I want to
> be the only one that gets the requests for the authentication for my
> webapp.
> 
> Here is my server.xml; it only contains one Realm line of our realm
> in the 'Host' section (I stripped the comments and the header lines,
> which are unchanged):
> 

I am going to assume that you have all of the Service and Valve
elements that come with the stock server.xml in your file.

> <GlobalNamingResources>
>   <Resource name="UserDatabase"
>             auth="Container"
>             type="org.apache.catalina.UserDatabase"
>             description="User database that can be updated and saved"
>             factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>             pathname="conf/tomcat-users.xml"/>
> </GlobalNamingResources>
> 
> <Service name="Catalina">
>   <Connector acceptCount="100"
>              connectionTimeout="200000"
>              maxThreads="150"
>              port="9150"
>              protocol="HTTP/1.1"
>              redirectPort="8443"/>
>   <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
>   <Engine defaultHost="localhost" name="Catalina">
>     [<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>]
> 
>     <Host appBase="webapps" autoDeploy="true" name="localhost"
>           unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
>       [<Realm className="de.myproject.tomcat.realm.BITRealm"
>               domainName="dom1" .../>]
>     </Host>
>   </Engine>
> </Service>
> 
> The lines in brackets I have switched on and off in several
> attempts without the wished result. Without a realm definition in
> server.xml and only in the context.xml I had equal results,
> and one combination I had one time was that I had to
> authenticate twice, the first time with the data of
> tomcat-users.xml and the second time with my own one.

It looks like one of the prior developers wrote a custom Realm. Was
this application written to run on a prior version of Tomcat (Tomcat
6, for example)? If so, the custom Realm may not work with Tomcat 7.
You would have to look at the javadoc for

https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/Realm.html

and compare it to:

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/Realm.html

In order for a custom Realm to work, you have to place the JAR file
containing that implementation in %CATALINA_HOME%\lib.

My first reaction is that this has not been done, but you said that
you were able to authenticate at least once.

> 
> Is it possible that there is something more configured in some of the
> web.xml's or other directories in WEB-INF that causes this
> behavior? I have searched there for some words like security,
> realm, userdatabase and so on, but have found nothing.
> 
> Hopefully I have explained my problem as well as I can and
> somebody sees my point :)

Here's an (admittedly outdated) link concerning Realms. In particular,
take a look at the Cascading and Combined Realms sections.

http://wiki.apache.org/tomcat/TomcatDataSourceRealms

It almost looks like the custom Realm is not being used. My two
guesses about that are (and they are guesses):

1. The custom Realm was written against a prior version of Tomcat and
   may no longer work
2. The JAR file containing the custom Realm is not in %CATALINA_HOME%\lib


> 
> Thanks in advance, best regards, kind regards, Arno

I hope this is of some use.

. . . just my two cents
/mde/
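As an added illustration of the Realm scoping described in this reply (not configuration from the original thread): a META-INF/context.xml that scopes the custom Realm to the one webapp, the Engine/Host fragment of server.xml with no Realm of its own, and the WEB-INF/web.xml login-config for BASIC authentication with the browser's own dialog. The class name and domainName are taken from Arno's server.xml; the role name "app-user" and the realm-name "BIT" are assumptions.

```xml
<!-- META-INF/context.xml inside the webapp. A Realm defined here applies
     only to this one application (a Realm under <Host> would apply to every
     app on that host, one under <Engine> to every virtual host).
     Class name and domainName are from the original post; the JAR that
     contains BITRealm must be in %CATALINA_HOME%\lib. -->
<Context>
  <Realm className="de.myproject.tomcat.realm.BITRealm" domainName="dom1"/>
</Context>

<!-- conf/server.xml (Engine/Host fragment only; Connectors unchanged).
     No Realm at Engine or Host level, so the stock UserDatabaseRealm backed
     by tomcat-users.xml is not in play for this webapp. -->
<Engine defaultHost="localhost" name="Catalina">
  <Host appBase="webapps" autoDeploy="true" name="localhost"
        unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false"/>
</Engine>

<!-- WEB-INF/web.xml: BASIC auth, so the browser shows its own credentials
     dialog and no login form is needed. The Realm must return the role
     "app-user" (assumed name) for a principal to pass the constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BIT</realm-name>
</login-config>
<security-role>
  <role-name>app-user</role-name>
</security-role>
```

With the Realm only in context.xml, any remaining second prompt backed by tomcat-users.xml points at a Realm still declared in server.xml or at the custom Realm's JAR not being loaded from %CATALINA_HOME%\lib.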
