Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
I am trying to help someone with a Tomcat 5.5 implementation of waffle 
(waffle.codeplex.com). It has an authenticator valve that works well with tc6.
I declare a valve inside the web app:

Context.xml

<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn"
         roleFormat="both" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

Web.xml

  <security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Everyone</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>Everyone</role-name>
  </security-role>

I didn't modify anything in Tomcat's conf, but placed the JARs in the right 
place(s).

The Valve starts, but any request to the protected area doesn't invoke it. I 
get a 401 Access Denied, but no headers added by the valve.

Any suggestions? Is this supposed to work with tc5.5 at all?

Thx
dB.
dB. @ dblock.org http://www.dblock.org/
Moscow|Geneva|Seattle|New York




Re: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread Konstantin Kolinko
2010/11/2 dB. dbl...@dblock.org:
> I am trying to help someone with a Tomcat 5.5 implementation of waffle
> (waffle.codeplex.com). It has an authenticator valve that works well with tc6.
> I declare a valve inside the web app:
>
> Context.xml
>
> <?xml version='1.0' encoding='utf-8'?>
> <Context>
>   <Valve className="waffle.apache.NegotiateAuthenticator"
>          principalFormat="fqn" roleFormat="both" />
>   <Realm className="waffle.apache.WindowsRealm" />
> </Context>


Note that META-INF/context.xml (case matters!) is copied to
$CATALINA_BASE\conf\Catalina\localhost\yourapp.xml when the
web application starts for the first time. You can have a stale copy
there.

I would suggest that you enable more detailed logging.

Something like adding the following line to conf/logging.properties:
waffle.apache.NegotiateAuthenticator.level=FINE

BTW, the waffle docs say waffle.apache.NegotiateAuthenticator, but
in the source code it is waffle.tomcat.NegotiateAuthenticator, i.e.
a different package

http://waffle.codeplex.com/SourceControl/changeset/view/52761#1097376


Are there any interesting messages in the log files already?

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
Thanks for your help. I should have done this (logging) in the first place, 
sorry. The filter is invoked properly. 
The new problem is that the headers aren't added (or sent to the client). The 
code looks like this:

response.addHeader("WWW-Authenticate", "Negotiate");
response.addHeader("WWW-Authenticate", "NTLM");
response.setHeader("Connection", "close");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();

This is executed for sure (put a logging statement in front of it) but has no 
effect, the response looks like a boilerplate 401. 
Where did my WWW-Authenticate headers and Connection: close go? (Maybe it 
helps, it does work in 6.x).

Thx
dB.

PS: you're looking at some intermediate waffle check-in, the namespace was 
renamed at some point, it's waffle.apache.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York



RE: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
After some more code-reading I found the problem. Looking at the implementation 
of response.sendError in TC5, it's clear that it dumps whatever headers you 
added prior to the call. Changing this to setStatus fixed the problem. I assume 
this means that Tomcat doesn't get a chance to render its custom 401 page, but
I might be speculating.

I'd appreciate if someone shed some light on which way the code below should be 
implemented (setStatus/sendError/something else?) in various versions of Tomcat.

Thx
dB.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York




Re: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread Konstantin Kolinko
2010/11/3 dB. dbl...@dblock.org:
> After some more code-reading I found the problem. Looking at the
> implementation of response.sendError in TC5, it's clear that it dumps
> whatever headers you added prior to the call. Changing this to setStatus
> fixed the problem. I assume this means that Tomcat doesn't get a chance to
> render its custom 401 page, but I might be speculating.

IIRC, this behaviour was tracked as bug 42409. It was fixed by the
following commit:
http://svn.apache.org/viewvc?view=revision&revision=721921

The fix was not backported to 5.5.


Best regards,
Konstantin Kolinko
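
Added example, not part of the original thread and not waffle or Tomcat code: a Python check for the symptom discussed above, a 401 that reaches the client without the WWW-Authenticate Negotiate/NTLM challenge and Connection: close set by the valve. The two raw responses are constructed samples, and the function names are illustrative.

```python
# Constructed sample: the header-less "boilerplate 401" described in the thread.
BOILERPLATE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
# Constructed sample: the response once the challenge headers survive.
CHALLENGE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "www-authenticate: NTLM\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (status code, [(lower-cased header name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_challenge(raw, expected=("Negotiate", "NTLM")):
    """Report which expected auth schemes a response offers or lacks."""
    status, headers = parse_head(raw)
    offered = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        # Repeated headers may be folded into one comma-separated line;
        # tokens containing "=" are challenge parameters, not schemes.
        for part in value.split(","):
            words = part.split()
            if words and "=" not in words[0]:
                offered.append(words[0])
    seen = {s.lower() for s in offered}
    missing = [s for s in expected if s.lower() not in seen]
    close = any(n == "connection" and v.lower() == "close" for n, v in headers)
    return {"status": status, "offered": offered, "missing": missing,
            "connection_close": close, "ok": status == 401 and not missing}

if __name__ == "__main__":
    for label, raw in (("boilerplate", BOILERPLATE_401), ("challenge", CHALLENGE_401)):
        print(label, check_challenge(raw))
```

Feeding it the head of a response captured from the 5.5 and 6.x deployments shows at a glance whether the challenge headers were dropped before the 401 left the container.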
