6 Replies Latest reply on Jan 18, 2004 7:52 AM by jimboss

    BASIC authentication does not work with jboss-3.2.1_tomcat-4

       

      "MLipp" wrote:
      Hi,

      I have an application that works perfectly well using BASIC authentication with JBoss-3.2.1(Jetty). With JBoss 4.0 using tomcat as default (and because there are requests to support tomcat, anyway), I tried deploying in jboss-3.2.1_tomcat-4.1.24.

      In this environment, BASIC authentication fails. When I try FORM based authentication (as a test - can't switch to this as a solution) things work again.

      So obviously BASIC authentication with jboss-3.2.1_tomcat-4.1.24 is broken. Is there any workaround? Do I need some extra configuration to use BASIC authentication with JBoss/Tomcat?

      - Michael


        • 1. Re: BASIC authentication does not work with jboss-3.2.1_tomc
          cgsandy

           

          "cgsandy" wrote:
          I'm seeing the same thing. A webapp will run with BASIC authentication on JBoss-3.2.1, but fails with JBoss-3.2.1_tomcat-4.1.24. Any ideas?


          • 2. Re: BASIC authentication does not work with jboss-3.2.1_tomc

             

            "MLipp" wrote:
            I think I have resolved the issue. You can find a detailed explanation here http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22617.

            Basically, what breaks things is supporting the unauthenticated identity. Obviously tomcat tries to authenticate requests that have no "Authentication" header (instead of having the browser prompt for credentials first) and thus you are always identified as the unauthenticated identity.

            As a workaround, I have defined my application-policy in login-config.xml twice: once with unauthenticatedIdentity (used as realm by EJBs) and once without unauthenticatedIdentity, used in jboss-web.xml and thus for tomcat.

            - Michael
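
The two-policy workaround described in the post above, written out as an added example (not from the original thread or from JBoss's own files). The policy names myapp-ejb and myapp-web, the guest identity and the choice of UsersRolesLoginModule with its properties files are assumptions made for illustration.

```xml
<!-- conf/login-config.xml (constructed example; policy names are hypothetical) -->
<policy>

  <!-- Domain used by the EJB layer: a caller that presents no credentials
       is assigned the "guest" principal. -->
  <application-policy name="myapp-ejb">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Domain used by the web tier: same user and role store, but no
       unauthenticatedIdentity option, so a request that arrives without
       credentials is not accepted as "guest" and the browser is
       prompted for a username and password. -->
  <application-policy name="myapp-web">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>

<!-- Binding each tier to its domain (JBoss exposes a policy under java:/jaas/):
       WEB-INF/jboss-web.xml   <security-domain>java:/jaas/myapp-web</security-domain>
       META-INF/jboss.xml      <security-domain>java:/jaas/myapp-ejb</security-domain> -->
```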


            • 3. Re: BASIC authentication does not work with jboss-3.2.1_tomc
              cgsandy

               

              "cgsandy" wrote:
              Thanks! I'll give it a try.


              • 4. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                sysuser1

                 

                "kssubramanian81" wrote:
                Hi
                Could anyone of you let me know how to get basic authentication to work with JBoss 3.2.1/Tomcat 4.1.24?

                A set of files that needs to be edited/configured would be sufficient!

                Thanks in advance.
                Sankar


                • 5. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                  sysuser1

                   

                  "kssubramanian81" wrote:
                  Ok, I got it to work at last..
                  1. create a jboss-web.xml under WEB-INF directory of war file

                  2. Provide security-domain for the webapp in this file
                  <jboss-web>
                    <security-domain>java:/your/security/domain</security-domain>
                    <!--
                    other elements as needed
                    -->
                  </jboss-web>

                  This security domain needs to be defined in conf/login-config.xml file

                  3. edit web.xml of the war file to provide security-constraint, login-config and security-role elements as appropriate. Here is a sample snippet..

                  <security-constraint>
                    <web-resource-collection>
                      <web-resource-name>resource-name</web-resource-name>
                      <url-pattern>/*</url-pattern>
                      <http-method>GET</http-method>
                      <http-method>PUT</http-method>
                      <http-method>POST</http-method>
                      <http-method>HEAD</http-method>
                      <http-method>TRACE</http-method>
                      <http-method>DELETE</http-method>
                      <http-method>CONNECT</http-method>
                    </web-resource-collection>
                    <auth-constraint>
                      <role-name>ARoleName</role-name>
                    </auth-constraint>
                  </security-constraint>

                  <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm-name>A Descriptive name for the realm</realm-name>
                  </login-config>

                  <security-role>
                    <role-name>ARoleName</role-name>
                  </security-role>

                  4. create a users.properties and roles.properties and place them under the WEB-INF/classes directory of the war file

                  users.properties
                  ---------------------
                  ausername=auserpassword

                  roles.properties
                  --------------------
                  ausername=ARoleName

                  And this worked.

                  I just have one question here - should the web-resource-name element's value match the name of the war file exactly?
                  --
                  Sankar


                  • 6. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                    jimboss

                     

                    "jimboss" wrote:
                    Yeah looks like in <web-resource-name>XXX</web-resource-name> XXX must be the name of your war minus the .war.

                    Without that I just keep getting told that my username/password is incorrect.