I have done more related to this challenge:

In my servlet, I've tried:
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
    response.setHeader("WWW-AUTHENTICATE", "BASIC realm=\"UserDatabase\"");
    // commenting out this one:
    // response.setHeader("WWW-AUTHENTICATE", "BASIC");
    dispatcher.forward(request, response);

That change makes "UserDatabase" appear in the basic auth dialog box.

I've also tried the above like this:

    session.invalidate();
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
    response.setHeader("WWW-AUTHENTICATE", "BASIC realm=\"UserDatabase\"");
    // response.setHeader("WWW-AUTHENTICATE", "BASIC");
    dispatcher.forward(request, response);

That change means that I end up in a never-ending loop where the
original login form opens, I log in, authenticate, then after I attempt
to clear the basic authentication, I am sent back to the form
authentication, then basic, then form, and on, and on.  This tells me
that my server.xml is overriding my application.xml.

Here is my tomcat_home/webapps/application.xml :

<Context path="/mrcjava/LNGDIST" docBase="/mrcjava"
        debug="0" privileged="true">

<!--    <resource-env-ref>
                <description>Link to the UserDatabase instance from which
                      we request lists of defined role names.</description>
                <resource-env-ref-name>UserDatabase</resource-env-ref-name>
                <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
        </resource-env-ref>  -->

        <Realm
          className="org.apache.catalina.realm.UserDatabaseRealm"
          resourceName="UserDatabase"
        />

        <!-- Define a Security Constraint on this Application -->
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>mrcjava</web-resource-name>
                        <url-pattern>/LNGDIST/AdminOptions.jsp</url-pattern>
                        <url-pattern>/mrcjava/GetAttsAdmin</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>NTSADMIN</role-name>
                </auth-constraint>
        </security-constraint>

        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>mrcjava</realm-name>
        </login-config>

        <security-role>
                <description>The role that is required to log in to
                    the Manager Application</description>
                <role-name>NTSADMIN</role-name>
        </security-role>

  <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="GetAdm_log." suffix=".txt"
          timestamp="true"/>

</Context>
____________________________________

Thanks for any help.


Robyne K. Vaughn
Programmer/Analyst
Lubbock ISD
1628 19th St
Lubbock, TX 79401
806-766-1119


-----Original Message-----
From: Robyne Vaughn 
Sent: Tuesday, May 24, 2005 9:05 AM
To: tomcat-user@jakarta.apache.org
Subject: Authentication and Re-Authentication on Tomcat 4.1.24 for
Authorization


In my server.xml, I have a JNDI realm which works for authenticating
every user against Microsoft Active Directory.  

 

The user requests a URL which I have set up as an alias in my web.xml
for a servlet which authenticates the user against the active directory
and then does a dispatcher.forward(request,response) to what is
essentially an opening page for the user.  (A menu of links to specific
programs.)

 

I am trying to implement further authorization for certain programs for
administrators.

 

If a person tries to open (I'm only testing 1 page at the moment) the
protected page, before doing the dispatcher.forward(request,response), I
rewrite the http header to be basic authentication in an effort to trick
Tomcat into re-authenticating for this page.

 

      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
      response.setHeader("WWW-AUTHENTICATE", "BASIC");
      dispatcher.forward(request, response);

 

I have set up a context fragment similar to
tomcat_home/webapps/application.xml trying to set up the additional
authentication.

 

It wants to use the user database, and in fact, it does pop up the basic
login window after one has cleared the JNDI authentication.  However,
after 3 attempts to log in, it neither gives me a "bad password" message
nor a "successful" message; instead, after the 3 attempts, it just allows
the already authenticated user access whether or not they have been
assigned the appropriate role in the tomcat-users.xml.

 

Any ideas why it doesn't seem to be actually using the tomcat-users.xml?

It's a miracle that it's this close to working.  I'm feeling my way
through this; I'm not very experienced at Tomcat or Java or JNDI, I only
touch on them occasionally.  So, please answer in full, rich answers.

 

Robyne  Vaughn
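The following is an added example and is not code from either message in this thread. It models the HTTP Basic challenge/response exchange that both messages rely on (401 plus WWW-Authenticate, then the browser retrying with an Authorization header) in Python rather than as a servlet, so it runs stand-alone. The realm name UserDatabase and the role NTSADMIN are taken from the messages above; the usernames, passwords and the sample tomcat-users.xml document are constructed for the example. `handle_always_challenge` reproduces the pattern in the thread of sending a 401 without ever reading the Authorization header, and `handle_admin_request` shows the check a handler has to make for the exchange to terminate: decode the credentials, verify them against the user store, and then answer 200, 403 (authenticated but lacking the role) or another 401.

```python
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for conf/tomcat-users.xml; users and passwords are hypothetical.
TOMCAT_USERS_XML = """
<tomcat-users>
  <role rolename="NTSADMIN"/>
  <role rolename="user"/>
  <user username="alice" password="alice-secret" roles="NTSADMIN,user"/>
  <user username="bob" password="bob-secret" roles="user"/>
</tomcat-users>
"""

REALM = "UserDatabase"      # realm name used in the thread
REQUIRED_ROLE = "NTSADMIN"  # role required by the security-constraint in the thread


def load_users(xml_text):
    """Return {username: (password, {roles})} from a tomcat-users.xml document."""
    users = {}
    for u in ET.fromstring(xml_text).findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password", ""), roles)
    return users


def parse_basic_credentials(authorization):
    """Decode 'Basic base64(user:pass)'; return (user, password) or None if unusable."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def challenge():
    """Response sent when no usable credentials are present: 401 + WWW-Authenticate."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def handle_admin_request(headers, users):
    """Authorize one request to the admin page. Returns (status, response headers)."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    stored_password, roles = users.get(user, ("", set()))
    # Constant-time compare; unknown users take the same path as a wrong password.
    if user not in users or not hmac.compare_digest(stored_password.encode(), password.encode()):
        return challenge()   # bad credentials: challenge again, without saying which part failed
    if REQUIRED_ROLE not in roles:
        return 403, {}       # authenticated but not authorized: answer 403, do not re-challenge
    return 200, {}


def handle_always_challenge(headers, users):
    """The pattern from the thread: unconditional 401, Authorization header never consulted."""
    return challenge()


def basic_auth_header(user, password):
    """Build the Authorization header value a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def simulate_browser(handler, users, user, password, max_rounds=3):
    """Model a browser that retries with credentials after each 401.
    Returns (rounds used, final status); hitting max_rounds with 401 is the loop from the thread."""
    headers = {}
    status = None
    for rounds in range(1, max_rounds + 1):
        status, _ = handler(headers, users)
        if status != 401:
            return rounds, status
        headers = {"Authorization": basic_auth_header(user, password)}
    return max_rounds, status


if __name__ == "__main__":
    db = load_users(TOMCAT_USERS_XML)
    for name, pw in (("alice", "alice-secret"), ("bob", "bob-secret"), ("alice", "wrong")):
        print(name, "checked handler:", simulate_browser(handle_admin_request, db, name, pw))
    print("alice always-challenge handler:", simulate_browser(handle_always_challenge, db, "alice", "alice-secret"))
```

With the checking handler the simulated browser finishes in two rounds (200 for alice, 403 for bob); with the always-challenge handler it exhausts its retries at 401 no matter which credentials it sends, which is the cycle described in the reply. In Tomcat the Authorization-header check of `handle_admin_request` is what the container's BASIC authenticator does for URLs covered by a `<security-constraint>` in the application's WEB-INF/web.xml; a servlet that emits its own 401 and then forwards has to perform that check itself, or the browser's retry simply arrives at the same unconditional challenge.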
