At 06:05 PM 7/13/2007, you wrote:
"Thomas Hicks" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>I have a web application which uses BASIC authentication.
>
> In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> the protected webapp causes the browser to popup a login box
> where username and password are entered. This works well, no
> matter whether passwords are plain or SHA digested and no
> matter whether I access the protected webapp using the HTTP
> port or the HTTPS port. It also works with a wide variety of browsers.
>
> Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> not to work anymore. The login box pops up but no username/password
> combination ever allows access. The login box just clears the entries
> and one is "stuck" at the login box. Again, I have tried plain and SHA
> digested passwords in the tomcat-users.xml file with no luck either way.
> This behavior is the same across different web browsers.
>
> The web.xml file for the web application contains the following security
> configuration portion, which enables password access in 5.0.x but
> doesn't work in 5.5.x:
>
> <!-- -->
> <!-- Container-Security Configuration -->
> <!-- -->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Reports Browser</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
>
In TC 5.0, the special role-name '*' was incorrectly (according to the spec)
being treated as 'any authenticated user'. In TC 5.5 this was fixed to mean
'any role that is declared in a security-role'. You can set the attribute
allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to it's
previous behavior.
Thank-you very much!
I didn't actually try reverting the behavior -- I took the other
solution implied
by your crucial information; I just declared a security role in my web.xml
file, added that role to the tomcat-users.xml file and BASIC auth
works again. Thanks again for your timely response.
regards,
-tom
> <!-- Currently using only BASIC authentication. Use with HTTPS. -->
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Protected Area</realm-name>
> </login-config>
>
>
> I have searched online for answers and have reviewed the Servlet 2.4
> specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> BASIC authentication is such a well....basic thing that there must be
> some small change I need to make, between the Tomcat versions, to get
> this to work again. Any help is greatly appreciated.
> -tom
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
