6 Replies Latest reply on Jan 18, 2004 7:52 AM by jimboss

    BASIC authentication does not work with jboss-3.2.1_tomcat-4

    Michael Lipp Newbie

       

      "MLipp" wrote:
      Hi,

      I have an application that works perfectly well using BASIC authentication with JBoss-3.2.1(Jetty). With JBoss 4.0 using tomcat as default (and because there are requests to support tomcat, anyway), I tried deploying in jboss-3.2.1_tomcat-4.1.24.

      In this environment, BASIC authentication fails. When I try FORM based authentication (as a test - can't switch to this as a solution) things work again.

      So obviously BASIC authentication with jboss-3.2.1_tomcat-4.1.24 is broken. Is there any workaround? Do I need some extra configuration to use BASIC authentication with JBoss/Tomcat?

      - Michael


        • 1. Re: BASIC authentication does not work with jboss-3.2.1_tomc
          Clinton Sandy Newbie

           

          "cgsandy" wrote:
          I'm seeing the same thing. A webapp will run with BASIC authentication on JBoss-3.2.1, but fails with JBoss-3.2.1_tomcat-4.1.24. Any ideas?


          • 2. Re: BASIC authentication does not work with jboss-3.2.1_tomc
            Michael Lipp Newbie

             

            "MLipp" wrote:
            I think I have resolved the issue. You can find a detailed explanation here http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22617.

            Basically, what breaks things is supporting the unauthenticated identity. Obviously tomcat tries to authenticate request that have no "Authentication" header (instead of having the browser prompt for credentials first) and thus you are always identified as the unauthenticated identity.

            As a workaround, I have defined my application-policy in login-config.xml twice: once with unauthenticatedIdentity (used as realm by EJBs) and once without unauthenticatedIdentity, used in jboss-web.xml and thus for tomcat.

            - Michael


            • 3. Re: BASIC authentication does not work with jboss-3.2.1_tomc
              Clinton Sandy Newbie

               

              "cgsandy" wrote:
              Thanks! I'll give it a try.


              • 4. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                sys user Master

                 

                "kssubramanian81" wrote:
                Hi
                Could anyone of you let me know how to get basic authentication to work with JBoss 3.2.1/Tomcat 4.1.24?

                A set of files that needs to be edited/configured would be sufficient!

                Thanks in advance.
                Sankar


                • 5. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                  sys user Master

                   

                  "kssubramanian81" wrote:
                  Ok, I got it to work at last..
                  1. create a jboss-web.xml under WEB-INF directory of war file

                  2. Provide security-domain for the webapp in this file
                  <jboss-web>
                  <security-domain>java:/your/security/domain</security-domain>
                  <!--
                  other elements as needed
                  -->
                  </jboss-web>

                  This security domain needs to be defined in conf/login-config.xml file

                  3. edit web.xml of the war file to provide security-constraint, login-config and security-role elements as appropriate. Here is a sample snippet..

                  <security-constraint>
                  <web-resource-collection>
                  <web-resource-name>resource-name</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>PUT</http-method>
                  <http-method>POST</http-method>
                  <http-method>HEAD</http-method>
                  <http-method>TRACE</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>CONNECT</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                  <role-name>ARoleName</role-name>
                  </auth-constraint>
                  </security-constraint>

                  <login-config>
                  <auth-method>BASIC</auth-method>
                  <realm-name>A Descriptive name for the realm</realm-name>
                  </login-config>

                  <security-role>
                  <role-name>ARoleName</role-name>
                  </security-role>

                  4. create a users.properties and roles.properties and place it under WEB-INF/classes directory of the war file

                  users.properties
                  ---------------------
                  ausername=auserpassword

                  roles.properties
                  --------------------
                  ausername=ARoleName

                  And this worked.

                  I just have one question here - should the web-resource-name elements value match the name of the war file exactly?
                  --
                  Sankar


                  • 6. Re: BASIC authentication does not work with jboss-3.2.1_tomc
                    jimboss Newbie

                     

                    "jimboss" wrote:
                    Yeah looks like in <web-resource-name>XXX</web-resource-name> XXX must be the name of you war minus the .war.

                    Without that I just keep getting told that my username/password is incorrect.