"Thomas Hicks" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>I have a web application which uses BASIC authentication.
>
> In Tomcat 5.0.28 (under Java 1.5 and Fedora Core 4) accessing
> the protected webapp causes the browser to popup a login box
> where username and password are entered. This works well, no
> matter whether passwords are plain or SHA digested and no
> matter whether I access the protected webapp using the HTTP
> port or the HTTPS port. It also works with a wide variety of browsers.
>
> Moving to Tomcat 5.5.x, however, causes the BASIC authentication
> not to work anymore. The login box pops up but no username/password
> combination ever allows access. The login box just clears the entries
> and one is "stuck" at the login box. Again, I have tried plain and SHA
> digested passwords in the tomcat-users.xml file with no luck either way.
> This behavior is the same across different web browsers.
>
> The web.xml file for the web application contains the following security
> configuration portion, which enables password access in 5.0.x but
> doesn't work in 5.5.x:
>
>   <!-- -->
>   <!-- Container-Security Configuration -->
>   <!-- -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Reports Browser</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>

In TC 5.0, the special role-name '*' was incorrectly (according to the spec) being treated as 'any authenticated user'. In TC 5.5 this was fixed to mean 'any role that is declared in a security-role'. You can set the attribute allRolesMode="authOnly" on the <Realm /> to have Tomcat revert to its previous behavior.

>   <!-- Currently using only BASIC authentication. Use with HTTPS. -->
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Protected Area</realm-name>
>   </login-config>
>
>
> I have searched online for answers and have reviewed the Servlet 2.4
> specification (i.e. for Tomcat 5.5.x) but have found nothing. Surely,
> BASIC authentication is such a well....basic thing that there must be
> some small change I need to make, between the Tomcat versions, to get
> this to work again. Any help is greatly appreciated.
> -tom
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
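
The two ways out of the lockout described in the reply above, as an added example that is not part of the original thread. The role name "reports-user", the account in tomcat-users.xml, and the choice of UserDatabaseRealm are assumptions made for illustration.

```xml
<!-- Added example, not from the original thread. -->

<!-- Option 1, WEB-INF/web.xml: keep Tomcat 5.5's spec-compliant handling
     of '*' and declare the roles it expands to. "reports-user" is a
     hypothetical role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports Browser</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- In 5.5 this matches only roles listed in security-role below. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected Area</realm-name>
</login-config>

<security-role>
  <role-name>reports-user</role-name>
</security-role>

<!-- Option 1, conf/tomcat-users.xml: the account must hold a declared role.
     Constructed sample entry; the password is a placeholder. -->
<tomcat-users>
  <role rolename="reports-user"/>
  <user username="reports" password="CHANGE_ME" roles="reports-user"/>
</tomcat-users>

<!-- Option 2, conf/server.xml: leave web.xml as posted (no security-role)
     and restore the 5.0 meaning of '*' on the realm. Assumes the stock
     UserDatabaseRealm that reads tomcat-users.xml. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"
       allRolesMode="authOnly" />
```

Option 1 limits access to accounts that hold a declared role, while option 2 admits every account the realm can authenticate, so it is the broader of the two.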