Neil,

On 3/19/12 12:58 PM, Neil Munro wrote:
> Sorry about that mismatch, I totally missed that and have corrected
> it now. Stuck with version 2.3.

Good (sort of). Spec version 2.3 is quite old. Every
currently-supported version of Tomcat supports at least 2.4 (TC
5.5.x). You should really consider updating your webapp.

> My welcome page is now index.jsp, which has a href to suites.jsp,
> a file that I wish to protect and require a user login to access.

Do you mean it contains a /link/ to suites.jsp?

> I have also discovered why I was unable to access the files stored
> in WEB-INF, I needed to write a quick few lines in my build.xml to
> copy the login and fail_login into the web app.

That would certainly help.

> So that's solved now, however it's still just looping around

What -- login -> login_fail -> login ?

> however I have been informed by our sysadmin that while the
> passwords are stored encrypted, we do not (yet) enforce ssl and
> ultimately the passwords are transmitted in plain text, so I am not
> sure how that will affect my config file.

It probably won't change anything, unless you want to change to
bind-mode authentication instead of comparison-mode. In bind-mode
authentication, you will probably end up leaking everyone's
credentials whereas in comparison mode, you'll only leak one user's
credentials.

> So my web.xml now looks like this:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Public Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>my company users</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/suites.jsp</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>my company users</role-name>
>   </auth-constraint>
> </security-constraint>

Note that /* is a superset of /suites.jsp, so both
<security-constraints> essentially mean the same thing. Requesting
/index.jsp will require you to login (which is what I thought you
wanted: all pages require authentication).

> <!-- uses form-based authentication -->
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
>     <form-error-page>/WEB-INF/login/fail_login.jsp</form-error-page>
>   </form-login-config>
> </login-config>

Fine.

> I can access the login and fail_login files correctly as you have 
> described. But again I can't gain access to suites.jsp yet, I 
> suspected digest passwords are what I am missing, but until my sys 
> admin gets back to me on the hash type I have no idea. Though I
> have read it's always MD5 because HTTP authentication cannot
> support anything else.

You are reading too many things without understanding them. HTTP
"digest" authentication (which has nothing to do with "form
authentication") only supports MD5. Forget you read that.

> I also included the "uniqueMember:=" correction, just in case it
> stings me too.

I wouldn't do that unless nothing else is working at all.

> So this is my server.xml file at the moment, with the digest
> attribute included:
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionName="uid=connectuser,ou=my company users,dc=mycompany,dc=com"
>        connectionPassword="parliament"
>        connectionURL="ldap://my.ldap.server.com"
>        alternateURL="ldap://my.ldap.server.com"
>        digest="MD5"

Obviously, you need to make sure that MD5 is correct. There are many
other digest algorithms supported by both LDAP servers and Java. You
could try the most common: MD5 and SHA-1.

>        userBase="ou=my company users,dc=mycompany,dc=com"
>        userSearch="(cn={0})"
>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
>        userPassword="{1}"
>        <!-- if {0} is username is {1} not the password? -->

*sigh*

This is getting tiring: you really need to read the documentation and
understand WTF you are doing. From the docs, when in comparison mode:

"This mode is configured by setting the userPassword attribute to the
name of a directory attribute in the user's entry that contains the
password."

Setting userPassword="{0}" is simply never going to work. You must set
it to "userPassword" or whatever the name of the LDAP attribute is
where the user's password is stored.

Give me an LDIF record from your LDAP server and I can tell you what
it is. I can probably also guess at the digest algorithm.

>        roleBase="ou=my company users,dc=mycompany,dc=com"
>        roleSubtree="true"
>        roleName="cn"
>        roleSearch="(uniqueMember:={0})"
>        <!-- Included the ":" as warned about the potential issue -->

Again, this is probably a last-resort kind of thing, and might only be
necessary from the command-line.

- -chris
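As an added example (not code from either message in this thread), here is how the two configurations above look with the points raised in this reply applied: userPassword names the directory attribute rather than a placeholder, the redundant constraint is dropped since /* already covers /suites.jsp, and the ":=" workaround is left out. Hostnames and DNs are the ones from the thread; the connect password is a placeholder, and the transport-guarantee element is assumed to be wanted only once an HTTPS connector is configured.

```xml
<!-- server.xml: JNDIRealm in comparison mode. userPassword is the NAME of
     the LDAP attribute that holds the password, and digest must match how
     the directory actually stores that value (confirm with the sysadmin). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server.com"
       alternateURL="ldap://my.ldap.server.com"
       connectionName="uid=connectuser,ou=my company users,dc=mycompany,dc=com"
       connectionPassword="CONNECT_USER_PASSWORD_PLACEHOLDER"
       userBase="ou=my company users,dc=mycompany,dc=com"
       userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
       userPassword="userPassword"
       digest="MD5"
       roleBase="ou=my company users,dc=mycompany,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />

<!-- web.xml: keep a single constraint. Use /* if every page should require
     a login; use /suites.jsp (as below) to leave index.jsp public and
     protect only the linked page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/suites.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>my company users</role-name>
  </auth-constraint>
  <!-- Optional: forces HTTPS for the form credentials once an SSL
       connector exists on the Tomcat side. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/login/fail_login.jsp</form-error-page>
  </form-login-config>
</login-config>
```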
