Thank you again for your suggestion. I was able to fix the problem afterwards, after adding extra tomcat realm authenticator logging.
The below section of the web.xml file, which was meant to give shorthand names to roles, has been the cause of the problem. I removed this section and the references to shorthand names, replacing them with the full AD Role (e.g. CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com) and testing passed. This case can be set to closed.

    <security-role-ref>
        <role-name>CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-name>
        <role-link>admin</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>CN=ISSWA-MyApplicationName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-name>
        <role-link>readonly</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>CN=ISSWA-MyApplicationName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-name>
        <role-link>user</role-link>
    </security-role-ref>

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 14 September 2021 4:02 PM
To: users@tomcat.apache.org
Subject: Re: FW: 403 Errors for REST Web Services after upgrade from 8.5.30 to 8.5.58

CAUTION: This e-mail originated outside the University of Southampton.

Mike,

On 9/13/21 10:56, Mike Webb wrote:
> I manage a web application that uses REST Web Services. After upgrading from
> 8.5.30 to 8.5.58, the web services return 403 messages.
>
> Commenting out the <role-name> and <user-auth-constraing> sections below
> allows the web services to run again, but it does remove the security
> constraints. How can I get it working securely again?
>
>         <auth-constraint>
>             <role-name>admin</role-name>
>             <role-name>readonly</role-name>
>             <role-name>user</role-name>
>
>             <role-name>CN=ISSWA-MyWebsiteName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com</role-name>
>
>             <role-name>CN=ISSWA-MyWebsiteName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com</role-name>
>
>             <role-name>CN=ISSWA-MyWebsiteName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
> The server that does not work has
> ==========================================
> Tomcat Version: Apache Tomcat/8.5.58
> JVM Version: 11.0.12+7-LTS
> JVM Vendor: Red Hat, Inc.
> OS Name: Linux
> OS Version: 3.10.0-1160.36.2.el7.x86_64
> OS Architecture: amd64
>
> The server that works has
> ====================================
> Tomcat version: Apache Tomcat/8.5.30
> JVM Version: 11.0.11+9-LTS
> JVM Vendor: Red Hat, Inc.
> OS Name: Linux
> OS Version: 3.10.0-1160.31.1.el7.x86_64
> OS Architecture: amd64

Are you able to segregate that non-working machine to run some tests against it?

Can you increase the logging for the authenticator / realm to see what is happening?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
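For reference, an added example (not code from this thread) of how the Servlet specification expresses the shorthand mapping the removed block was attempting: the full AD DN is declared once as a <security-role> and used in the <auth-constraint>, while <security-role-ref> lives inside the <servlet> element and maps the short name the code passes to isUserInRole() (the <role-name>) onto that declared role (the <role-link>), the reverse of the orientation in the removed block. Only the Admin role is shown; the Readonly and User roles follow the same pattern. The servlet name, servlet class and URL pattern are assumptions.

```xml
<!-- Added example, not from the thread. Servlet name, class and URL pattern are assumed. -->

<!-- The alias is scoped to the servlet that uses it in code. -->
<servlet>
    <servlet-name>RestServices</servlet-name>
    <servlet-class>com.example.RestServlet</servlet-class>
    <!-- Code calls request.isUserInRole("admin"); the container resolves
         "admin" to the linked role, which is the name the Realm actually returns. -->
    <security-role-ref>
        <role-name>admin</role-name>
        <role-link>CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-link>
    </security-role-ref>
</servlet>

<servlet-mapping>
    <servlet-name>RestServices</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

<!-- Access control on the URL space uses the declared role name, never the servlet-local alias. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>REST services</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Every role named in an auth-constraint or role-link is declared exactly once here,
     spelled exactly as the Realm returns it (the full DN in this deployment). -->
<security-role>
    <role-name>CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com</role-name>
</security-role>
```

Tomcat 8.5 logs a warning at deployment when a role used in an <auth-constraint> has no matching <security-role>, so checking the context log after a change like this catches a mismatch before a client sees a 403.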