2015-07-17 20:03 GMT+03:00 Arno Schäfer <arno.schae...@sqs.com>:
> Hi all,
>
> I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System,
> maintaining our webapp with around 1000 JSP pages and I am NOT a web
> developer.
>
> I have inherited this application and all of the previous owners are no
> longer available. So the last 2 months I do a lot of reading and debugging the
> whole bunch of java and jsp code and I think, that I have a basic
> understanding what the software is doing and how it is implemented at least.
> The last days I found a lot of configuration issues and I was able to get the
> whole stuff running in a very downsized environment build on a standard
> tomcat Installation.
> I got rid of all special configuration inside the server.xml, so that I was
> able to fix some things and do it, like it was described in the beautiful
> tomcat documentation and available wikis.
>
> That's only for some explanations, before the stupid questions may follow:
>
> I have to use basic authentication without an own login form. The behavior I
> see, is that if the webapp is starting a realm instance is correctly created
> and initialized in my webapp, but if the first request arrives, also the
> tomcat itself instantiates one object of this class and took the credentials
> from the automatically upcoming login form (here IExplorer 11).
>
> My understanding from reading the documentation is, that, if I configure my
> own realm in my context.xml (what I have done), that the webapp will use it.
> That seems to be ok, but why does also tomcat itself instantiate an object of my
> custom realm and take the first request when I want to access my webapp.
> Therefore I have no own control about my JSessions and so my session
> management leaks, because I didn't get the infos from the logins, what the
> tomcat is doing now.
>
> What is wrong in my configuration or in my understanding? I want to be the only
> one, that gets the requests for the authentication for my webapp.
>
> Here is my server.xml, it only contains one Realm line of our realm in the
> 'Host' section (I stripped the comments and the header lines, which are
> unchanged):
> [....]

Several comments:

1) Authentication is performed by an Authenticator (a kind of Valve), not by a Realm. Realm is essentially just a user/password database interface used by an authenticator.

There is one Realm per container (exposed as Container.getRealm()). If none is configured then the default implementation returns the one from the parent Container.

Normally there is at most one authenticator. If there is no Authenticator valve in your context, but your webapp's web.xml declares that authentication is needed, Tomcat creates an authenticator and inserts it into the chain (pipeline) of valves in your context.

If by some mistake there are several authenticators in a pipeline, all of them will be active, just like any other valves.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Authentication
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

2) What context.xml file have you edited?

A usual mistake is to edit the global "conf/context.xml" file. That file provides defaults for all web applications deployed on Tomcat. You need to edit the file for your own web application.

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context

Best regards,
Konstantin Kolinko
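
An added example, not part of the original message and not Tomcat's own code: a small Python audit that reports which containers declare a Realm, whether a context carries more than one explicit authenticator Valve, and whether a Realm sits in the global conf/context.xml, the situations the reply describes. The XML samples and com.example.CustomRealm are constructed, and treating any Valve whose class name ends in "Authenticator" as an authenticator is an assumption that fits Tomcat's built-in authenticator classes.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the poster's files; com.example.* is hypothetical).
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Realm className="com.example.CustomRealm"/>
  </Host>
</Engine></Service></Server>"""
GLOBAL_CONTEXT_XML = """<Context><Realm className="com.example.CustomRealm"/></Context>"""
APP_CONTEXT_XML = """<Context>
  <Realm className="com.example.CustomRealm"/>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"/>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"/>
</Context>"""
FILES = [("conf/server.xml", SERVER_XML),
         ("conf/context.xml", GLOBAL_CONTEXT_XML),
         ("META-INF/context.xml", APP_CONTEXT_XML)]

CONTAINERS = ("Engine", "Host", "Context")  # elements that can own a Realm

def audit(label, xml_text):
    """Return (realms, authenticators) declared directly under each container."""
    realms, auths = [], []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in CONTAINERS:
            continue
        where = f"{label}:{elem.tag}"
        for child in elem:  # direct children only, so nested realms count once
            cls = child.get("className", "")
            if child.tag == "Realm":
                realms.append((where, cls))
            elif child.tag == "Valve" and cls.endswith("Authenticator"):
                auths.append((where, cls))  # name-suffix heuristic (assumption)
    return realms, auths

def findings(files):
    out = []
    for label, text in files:
        realms, auths = audit(label, text)
        out += [f"Realm {cls} on {where}" for where, cls in realms]
        per_container = {}
        for where, cls in auths:
            per_container.setdefault(where, []).append(cls)
        out += [f"{len(v)} authenticator valves on {w}"
                for w, v in per_container.items() if len(v) > 1]
        if label == "conf/context.xml" and realms:
            out.append("conf/context.xml Realm applies as default to every webapp")
    return out

if __name__ == "__main__":
    print("\n".join(findings(FILES)))
```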