On 25/09/2013 07:32, Geoffrey Seanor wrote:
> Hi,
>
> I'm running Tomcat 7.0.32 on jdk1.6.0_06 and am having problems with
> client browser (IE8) SPNEGO authentication.
>
> I referred to this page when checking the browser configuration, which
> runs on Windows XP.
> http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
>
> With debug switched on in com.sun.security.auth.module.Krb5LoginModule I
> see this:
>
> 25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE: Security checking request GET /myapp/
> 25-Sep-2013 14:53:44 org.apache.catalina.realm.RealmBase findSecurityConstraints
> FINE: Checking constraint 'SecurityConstraint[BasicAuthSimpleTestServlet, MY Application]' against GET / --> true
> 25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE: Calling hasUserDataPermission()
> 25-Sep-2013 14:53:44 org.apache.catalina.realm.RealmBase hasUserDataPermission
> FINE: User data constraint has no restrictions
> 25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE: Calling authenticate()
> 25-Sep-2013 14:53:44 org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> FINE: No authorization header sent by client
> 25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE: Failed authenticate() test
>
> Here is the sequence of HTTP exchanges giving the above:
>
> GET /myapp/ HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-gb
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
> Accept-Encoding: gzip, deflate
> Host: sold6:8030
> Connection: Keep-Alive
>
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> Cache-Control: private
> Expires: Thu, 01 Jan 1970 01:00:00 GMT
> WWW-Authenticate: Negotiate
> Content-Type: text/html;charset=utf-8
> Content-Length: 951
> Date: Wed, 25 Sep 2013 11:26:31 GMT
>
> <html><head><title>Apache Tomcat/7.0.32
> ....
>
> GET /myapp/ HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-gb
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
> Accept-Encoding: gzip, deflate
> Host: sold6:8030
> Connection: Keep-Alive
> Authorization: Negotiate YIJJiQ...[lots of data]...
>
> HTTP/1.1 400 Bad Request
> Server: Apache-Coyote/1.1
> Transfer-Encoding: chunked
> Date: Wed, 25 Sep 2013 11:26:33 GMT
> Connection: close
>
> It looks like SpnegoAuthenticator is rejecting the request because the
> "authorization" header is malformed or missing in the repeated GET,
> although it does appear to be provided by the client browser. The same
> error also occurs with the Firefox v23.0.1 browser.
That isn't what is happening. The "No authorization header sent by client" is triggered by the first request. The second request is failing a lot earlier in the processing chain. Not sure why.

> Any suggestions or guidance will be gratefully received.

Try with a newer Tomcat version. You might be hitting a Tomcat bug that has since been fixed.

Set the system property [1] org.apache.juli.logging.UserDataHelper.CONFIG to INFO_ALL and then check the logs.

Enable debugging logging for the org.apache.coyote.http11 package.

HTH,

Mark

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Logging

> Kind regards,
>
> Geoff
>
> Mitsubishi UFJ Securities International plc ("MUSI") is registered in
> England, company number 1698498, registered office at Ropemaker Place, 25
> Ropemaker Street, London, EC2Y 9AJ, and is part of the Mitsubishi UFJ
> Financial Group. MUSI is authorised by the Prudential Regulation Authority
> and regulated by the Financial Conduct Authority ("FCA") and Prudential
> Regulation Authority ("PRA") in the UK. This email and any attachments may be
> confidential. If it was sent to you in error, you must not copy, duplicate,
> distribute or take any action in reliance on it. Please contact the sender if
> you believe you have received this email in error and delete it and any
> attachments. Unless expressly indicated, information sent to you is not to be
> construed as an offer or solicitation to buy or sell any security,
> instrument, investment, financial product or an official confirmation of any
> transaction. The information in or attached to this email may not be accurate
> or complete. This email or information is not to be viewed as a 'personal
> recommendation' within the meaning of the FCA rules. MUSI or any affiliated
> company may have an interest, position, or effect transactions, in any
> investment mentioned. Any opinions expressed are solely those of the author
> and are subject to change without notice. Neither MUSI nor any of its
> affiliates accept any liability whatsoever for any direct or consequential
> loss arising from any use of information or material contained in any
> electronic communication.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
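A check worth running on the capture in the thread, added here as an example; it is not code from this thread or from Tomcat. The Authorization header of the second GET is decoded only as far as the GSS-API token's DER tag and length, which is enough to know how large the complete header line must be, and that size is compared with the connector's maxHttpHeaderSize. The 8192-byte Tomcat default is assumed, since the post does not show server.xml. The same routine tells a raw NTLM message apart from a Kerberos/SPNEGO token, because a browser sends both under the "Negotiate" scheme. The request text and the NTLM header are constructed samples; the token prefix YIJJiQ is the one Geoff pasted.

```python
import base64
import re

# Tomcat's default maxHttpHeaderSize for an HTTP connector, in bytes. Assumed
# here because the post does not show the connector configuration.
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192

# Leading bytes of a raw NTLM message; browsers also send these under the
# "Negotiate" scheme when no Kerberos ticket could be obtained.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# A GSS-API InitialContextToken is DER [APPLICATION 0], constructed: tag 0x60.
GSSAPI_TOKEN_TAG = 0x60

# Constructed sample: the second GET from the post, reduced to the headers
# that matter, with the token prefix exactly as pasted in the thread.
SAMPLE_REQUEST = (
    "GET /myapp/ HTTP/1.1\r\n"
    "Host: sold6:8030\r\n"
    "Connection: Keep-Alive\r\n"
    "Authorization: Negotiate YIJJiQ...[lots of data]...\r\n"
    "\r\n"
)

# Constructed sample: a minimal NTLM type-1 message wrapped in Negotiate.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(24)).decode("ascii")


def parse_request_headers(raw):
    """Return the headers of a raw HTTP/1.1 request as a dict keyed by
    lower-cased name; folded continuation lines are joined."""
    headers, last = {}, None
    for line in raw.splitlines()[1:]:           # skip the request line
        if not line.strip():
            break                                # blank line ends the headers
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def decode_token_prefix(token_b64):
    """Decode as many leading bytes as the base64 text allows. Works on a
    truncated token such as 'YIJJiQ...' because DER puts tag and length
    first, so the opening bytes are all the size check needs."""
    match = re.match(r"[A-Za-z0-9+/]+", token_b64.strip())
    if not match:
        return b""
    text = match.group(0)
    if len(text) % 4 == 1:                       # a lone trailing char holds < 1 byte
        text = text[:-1]
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_der_header(data):
    """Return (tag, length, header_size) from a DER TLV header, or None when
    too few bytes are present to read the length."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                             # short-form length
        return tag, first, 2
    n = first & 0x7F                             # long form: n length bytes follow
    if len(data) < 2 + n:
        return None
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def inspect_negotiate_header(value, max_header_size=DEFAULT_MAX_HTTP_HEADER_SIZE):
    """Classify an Authorization header value and, for a GSS-API token, work
    out how many bytes the complete header line occupies on the wire."""
    scheme, _, token_b64 = value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "unknown", "token_bytes": None,
              "header_line_bytes": None, "exceeds_max_header_size": None}
    if scheme.lower() != "negotiate":
        return result
    prefix = decode_token_prefix(token_b64)
    if prefix.startswith(NTLMSSP_SIGNATURE):
        result["mechanism"] = "ntlm"             # no Kerberos ticket was presented
        return result
    header = parse_der_header(prefix)
    if header and header[0] == GSSAPI_TOKEN_TAG:
        _, length, header_size = header
        token_bytes = length + header_size
        base64_chars = -(-token_bytes // 3) * 4  # ceil(n / 3) * 4
        line_bytes = len("Authorization: Negotiate ") + base64_chars + len("\r\n")
        result.update(mechanism="gssapi", token_bytes=token_bytes,
                      header_line_bytes=line_bytes,
                      exceeds_max_header_size=line_bytes > max_header_size)
    return result


def inspect_request(raw, max_header_size=DEFAULT_MAX_HTTP_HEADER_SIZE):
    """Run the check on a raw request; reports 'none' when the client sent no
    Authorization header at all, as in the first GET of the post."""
    headers = parse_request_headers(raw)
    if "authorization" not in headers:
        return {"scheme": None, "mechanism": "none", "token_bytes": None,
                "header_line_bytes": None, "exceeds_max_header_size": False}
    return inspect_negotiate_header(headers["authorization"], max_header_size)


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
    print(inspect_negotiate_header(SAMPLE_NTLM_HEADER))
```

On the six characters Geoff pasted, the token decodes to tag 0x60 with a DER length of 18825 bytes, so the full header line is about 25 KB of base64, several times the assumed 8192-byte default. That measurement does not prove the cause, but it fits Mark's observation that the second request fails before SpnegoAuthenticator runs, and it is the number to have in hand before adjusting the connector's maxHttpHeaderSize or asking why the ticket is that large.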