After several hours of debugging this problem, I figured out 'what' is
happening. But I'm really not sure 'why'. Again my installations
worked for several years prior to an upgrade to v2.11.0.M4. After
upgrading, no login id/pw would be accepted. However, if I logged in
using another webapp on the same Tomcat vhost with SingleSignOn, JSPWiki
was happy and accepted my credentials and worked fine.

What I figured out is that now JSPWiki has decided that my installation
is NOT container authenticated. I removed the comments from web.xml as
instructed, and I still have the /Login.jsp and /Delete.jsp constraints
listed which the doc said you use to determine if container
authentication is in use. Tomcat is definitely enforcing the
constraints. I added /Wiki.jsp to a constraint, and Tomcat began
blocking it as I would expect. So my web.inf is ok. I added a logger
statement to Login.jsp to log the value of
mgr.isContainerAuthenticated() and it is FALSE. This means that the
custom login code is run instead, which is obviously going to fail.

Has anyone else experienced this? Better question, has anyone got
container authentication working successfully on this release?

Has something else been added to the check (along with /Delete.jsp and
/Login.jsp constraints) in the determination of which type of
authentication is in use? Something is not working right.

Suggestions?

Thx.
Jerry

On 6/23/2019 11:58 PM, Jerry Malcolm wrote:

I just upgraded several of my sites to JSPWiki v2.11.0-M4. I'm not
sure what the previous version was. But it was probably 3 or 4 years
old. I am using container-managed authorization. The same security
realm on the vHost in Tomcat (v9.0) is shared across several webapps
using SingleSignOn. Everything was working prior to the JSPWiki
migration. After migration, I can't log in directly using the JSPWiki
login form to the wikis on any of the sites. It just keeps coming
back with the same login form. However, if I log in to another webapp
on the same virtual host, login works fine, and then I can get to the
wiki.

I migrated the security stuff in web.xml from the old version to the
new version and diff'd the files to make sure I didn't miss anything.
I did a SQL trace when I logged in using the JSPWiki login form, and
it appears that the query for the user record is not even being sent
to mysql.

I've coded container-managed authorization many times. I'm not aware
of a situation where it would reject the login from this webapp's
login form, but still accept a pre-existing login (using SingleSignOn)
from another webapp on the same host.

This problem is consistent across all the vHosts I migrated to the new
Wiki version. Am I missing something obvious?

Thx
Jerry
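
An added diagnostic, not JSPWiki's code and not part of the original messages: it reads a web.xml and reports which roles the active (uncommented) security-constraint elements assign to /Login.jsp and /Delete.jsp, the two constraints the first message mentions. The sample web.xml, its role names and the function names are constructed, and exact URL matching (no wildcard patterns) is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file): one active constraint and one
# that is still inside an XML comment, as in a web.xml shipped with the
# container-auth block commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
  <!--
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/Delete.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def constrained_roles(web_xml, urls=("/Login.jsp", "/Delete.jsp")):
    """Map each URL to the roles of the active constraints that name it."""
    root = ET.fromstring(web_xml)  # XML comments are skipped by the parser
    found = {u: [] for u in urls}
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        # Match on local names so the web-app namespace in use does not matter.
        patterns = [e.text.strip() for e in sc.iter()
                    if local(e.tag) == "url-pattern" and e.text]
        roles = [e.text.strip() for e in sc.iter()
                 if local(e.tag) == "role-name" and e.text]
        for u in urls:
            if u in patterns:
                found[u].extend(roles)
    return found

if __name__ == "__main__":
    for url, roles in constrained_roles(SAMPLE_WEB_XML).items():
        print(url, "->", roles or "no active constraint with a role")
```

To check a deployed webapp, pass the contents of its WEB-INF/web.xml to `constrained_roles` instead of the sample string.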