Dear all,

no, this is not a one-to-one conversation, we succeeded, however, there
appears to be a bug in Tomcat. Before we submit this one, I'd
like to have your opinions - maybe we're missing something here.

As you may have read, the basics:

- Tomcat 5.5.17
- Debian Sarge
- Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)

Our context definition file in $catalina_home/conf/Catalina/localhost

SingleSignOn.xml:

<Context        path="/SingleSignOn"
               docBase="SingleSignOn"
               debug="4"
               reloadable="true"
               crossContext="true">


<Resource       name="jdbc/SSODS"
               auth="Container"
               type="javax.sql.DataSource"
               driverClassName="com.mysql.jdbc.Driver"
               url="jdbc:mysql://dekold4712/apacheSSO"
               username="username"
               password="password"
               maxActive="100"
               maxIdle="30"
               maxWait="10000"/>
</Context>

Fact: If we map a Servlet to either "/" or "/*",
FormBasedAuthentication is bypassed.
If we map a Servlet to its name, FormBasedAuthentication is called.

=======================================

web.xml #1 (FormBasedAuthentication is bypassed):

URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>domuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Dom4Bereich</realm-name>
        <form-login-config>
            <form-login-page>/jsp/loginForm.html</form-login-page>
            <form-error-page>/jsp/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>DOM-Users</description>
        <role-name>domuser</role-name>
    </security-role>
    <servlet>
        <servlet-name>SingleSignOn</servlet-name>
        <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SingleSignOn</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

=======================================

web.xml #2 (FormBasedAuthentication is bypassed):

URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>domuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Dom4Bereich</realm-name>
        <form-login-config>
            <form-login-page>/jsp/loginForm.html</form-login-page>
            <form-error-page>/jsp/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>DOM-Users</description>
        <role-name>domuser</role-name>
    </security-role>
    <servlet>
        <servlet-name>SingleSignOn</servlet-name>
        <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SingleSignOn</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
</web-app>

=======================================

web.xml #3 (FormBasedAuthentication is bypassed):

URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>domuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Dom4Bereich</realm-name>
        <form-login-config>
            <form-login-page>/jsp/loginForm.html</form-login-page>
            <form-error-page>/jsp/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>DOM-Users</description>
        <role-name>domuser</role-name>
    </security-role>
    <servlet>
        <servlet-name>SingleSignOn</servlet-name>
        <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SingleSignOn</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

=======================================

web.xml #4 (FormBasedAuthentication working):

URL called is http://myhost:8080/SingleSignOn/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>domuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Dom4Bereich</realm-name>
        <form-login-config>
            <form-login-page>/jsp/loginForm.html</form-login-page>
            <form-error-page>/jsp/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>DOM-Users</description>
        <role-name>domuser</role-name>
    </security-role>
    <servlet>
        <servlet-name>SingleSignOn</servlet-name>
        <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SingleSignOn</servlet-name>
        <url-pattern>/SingleSignOn</url-pattern>
    </servlet-mapping>
</web-app>

========================================

To my understanding (please do correct me if I'm wrong) I'm stating
with a "/*" in the element <web-resource-collection><url-pattern>..., that all
content including and below the mentioned pattern is seen as a
web resource. As this web resource is inside an element
<security-constraint>, this means that all mentioned content is
protected and needs the specified role (in our case: domuser).

My understanding is further that when I specify
<servlet-mapping><url-pattern> as "/*", any request belonging to the
mentioned context (in our case: SingleSignOn) is handled by the
specified servlet, i.e. http://myhost/SingleSignOn/Foo as well as
http://myhost/SingleSignOn/Bar.

Please do correct me if my understanding is wrong here or if we
miss some points; otherwise we consider this a bug, which we
believe to be quite severe.

Thanks for your attention and comments!

Greg
--
what's puzzlin' you, is the nature of my game

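An added example, not part of Greg's post and not Tomcat code: a small model of how a servlet container matches a `<url-pattern>`, used once for `<security-constraint>` and once for `<servlet-mapping>`, run over the four web.xml variants above. The constraint rules (exact match, `/*` prefix, `*.ext` suffix, then a bare `/` as a catch-all) are written down as I remember Tomcat 5.5's `RealmBase.matchPattern`; the servlet-mapping precedence (exact, longest prefix, extension, default) follows the Servlet 2.4 spec, SRV.11.1. The `VARIANTS` table and the request paths are constructed from the post; treating a request for the bare context root as the path `/` is an assumption.

```python
# Added example: model of servlet url-pattern matching for security
# constraints and servlet mappings. Not Tomcat's code; the constraint rules
# are my recollection of Tomcat 5.5 RealmBase.matchPattern (assumption).
from dataclasses import dataclass
from typing import Dict, List, Optional


def constraint_matches(path: str, pattern: str) -> bool:
    """Does a <security-constraint> url-pattern cover this request path?"""
    path = path or "/"          # assumption: bare context root is matched as "/"
    pattern = pattern or "/"
    if path == pattern:         # exact match
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):   # path prefix
        prefix = pattern[:-2]
        if prefix == "":
            return True         # "/*" covers everything in the context
        return path.startswith(prefix) and (
            len(path) == len(prefix) or path[len(prefix)] == "/")
    if pattern.startswith("*."):                            # extension
        slash, period = path.rfind("/"), path.rfind(".")
        return slash >= 0 and period > slash and path.endswith(pattern[1:])
    return pattern == "/"       # a lone "/" is a universal match for constraints


def select_servlet(path: str, mappings: Dict[str, str]) -> Optional[str]:
    """Pick the servlet for a path with SRV.11.1 precedence:
    exact, longest "/*" prefix, "*.ext" extension, then the default "/".
    mappings: url-pattern -> servlet-name."""
    path = path or "/"
    if path != "/" and path in mappings:                    # exact
        return mappings[path]
    best = None                                             # longest prefix
    for pat, name in mappings.items():
        if pat.startswith("/") and pat.endswith("/*"):
            prefix = pat[:-2]
            if prefix == "" or path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, name)
    if best is not None:
        return best[1]
    last = path.rsplit("/", 1)[-1]                          # extension
    if "." in last:
        ext_pat = "*." + last.rsplit(".", 1)[-1]
        if ext_pat in mappings:
            return mappings[ext_pat]
    return mappings.get("/")                                # default servlet


@dataclass
class WebApp:
    constraint_patterns: List[str]   # <security-constraint> url-patterns
    roles: List[str]                 # <auth-constraint> role-names
    servlet_mappings: Dict[str, str]  # url-pattern -> servlet-name


def evaluate(app: WebApp, path: str) -> dict:
    """Which servlet would handle `path`, and does a constraint cover it?"""
    protected = any(constraint_matches(path, p) for p in app.constraint_patterns)
    return {
        "protected": protected,
        "roles": list(app.roles) if protected else [],
        "servlet": select_servlet(path, app.servlet_mappings),
    }


# The four web.xml variants from the post (constructed from the listings).
VARIANTS = {
    1: WebApp(["/"], ["domuser"], {"/": "SingleSignOn"}),
    2: WebApp(["/*"], ["domuser"], {"/*": "SingleSignOn"}),
    3: WebApp(["/*"], ["domuser"], {"/": "SingleSignOn"}),
    4: WebApp(["/*"], ["domuser"], {"/SingleSignOn": "SingleSignOn"}),
}

if __name__ == "__main__":
    for n, app in VARIANTS.items():
        for p in ("/", "/SingleSignOn", "/Foo", "/jsp/loginForm.html"):
            print(f"web.xml #{n} {p:22} -> {evaluate(app, p)}")
```

Under these rules the constraint covers the request in all four variants, including `/` and `/*` on the context root, which agrees with Greg's reading of the spec; the model therefore does not explain the bypass he observed, it only shows what the patterns are supposed to match. Two things it deliberately leaves out: the FORM authenticator exempts the configured login and error pages even when `/*` covers them (the model reports `/jsp/loginForm.html` as protected), and a request for the bare context root without a trailing slash is normalised by the container before matching, which is why the code treats it as `/`.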
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org