Hello,

I think I found the following bug in Tomcat 7/8 with the following setup:

We use Tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and deployed a web service with Jersey 1.18.2. Additionally we set up HTTP authentication. In our case DIGEST authentication, but I tried BASIC authentication and the observed behavior is the same. We have a web service with login and logout methods, as well as some other methods which can only be invoked if a login request was made previously.

Authentication works fine, till some point in time. At this point the client receives an HTTP response 401 Unauthorized. I double checked that the client sends correct credentials and nonce values. On the server side I enabled logging (see attached log file). The log shows two web service calls; the first one returns successfully, the last one reports the 401 error. As one can see in lines 12 and 13

    FEIN: Calling authenticate()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate

Tomcat delegates the authentication request to the RealmBase class, logs some stuff and returns with

    FEIN: Successfully passed all security constraints

But in case of my error just these three lines are logged:

    FEIN: Calling authenticate()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FEIN: Failed authenticate() test

My server.xml is as follows:

    <…
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="md5"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
    <…

I also tried to remove the LockOutRealm, but without success.

As far as I understand, with this setup the class org.apache.catalina.realm.CombinedRealm.java is invoked to handle authentication. If I further understand correctly, then the method

    authenticate(String username, String clientDigest, String nonce, String nc,
                 String cnonce, String qop, String realmName, String md5a2)

is also invoked. This method iterates over all configured Realms. It seems to me that, in case of the 401 error, the list of realms (Line 51) is empty and thus authentication fails.

The error only occurs after many calls to the web service. I was unable to identify any pattern, but it seems related to the nonce timeout, somehow.

Could someone verify this bug?

Best Regards,
Andreas

___________________________________________________________________
Andreas Kehlenbach
Software Engineer, SWD
PROSTEP AG
Dolivostrasse 11, D-64293 Darmstadt
Tel.: +49 6151 9287 332
Fax: +49 6151 9287 326
Email: andreas.kehlenb...@prostep.com
_____________________________________________________________________

________________________________________________________________________
PROSTEP AG, Dolivostraße 11, D-64293 Darmstadt
HR: Amtsgericht Darmstadt, HRB 8383
Vorstand: Dr. Bernd Pätzold (Vorsitz), Reinhard Betz
Aufsichtsrat: Dr. Heinz-Gerd Lehnhoff (Vorsitz)
________________________________________________________________________
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Security checking request POST /OpenPDMSmarTeamOUCAConnectorServer/rest/is-session-alive
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Calling hasUserDataPermission()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FEIN: User data constraint has no restrictions
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
FEIN: Digest : d747e0dabf284059948a2ad40c0abc72 Username:openpdmadmin ClientSigest:d747e0dabf284059948a2ad40c0abc72 nonce:1416319056468:b83d03daeeeb6aac9233fc67b072b75d nc:0000002f cnonce:92633461 qop:auth realm:OpenPDMmd5a2:46ee17ed4949e254dc7072fc6da7fab7 Server digest:d747e0dabf284059948a2ad40c0abc72
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase register
FEIN: Authenticated 'openpdmadmin' with type 'DIGEST'
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Calling accessControl()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FEIN: Checking roles GenericPrincipal[openpdmadmin(openpdmadmin,)]
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FEIN: Role found: openpdmadmin
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Successfully passed all security constraints
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Security checking request POST /OpenPDMSmarTeamOUCAConnectorServer/rest/transaction/abort
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/transaction/abort --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/transaction/abort --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/transaction/abort --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/transaction/abort --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Calling hasUserDataPermission()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FEIN: User data constraint has no restrictions
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Failed authenticate() test
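The successful request in the log above shows every intermediate value of an RFC 2617 Digest check (client response, nonce, nc, cnonce, qop, realm, md5a2 and the recomputed server digest), while the failing request never reaches the realm at all. The following Python is an added example, not code from the post or from Tomcat: it recomputes the digest the way a server has to (HA1 stored instead of the clear-text password, HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) and models the two checks that precede the credential comparison, nonce validity (the "nonce timeout" the post suspects) and a monotonically increasing nonce count. The nonce layout "<issue time in ms>:<hash>" follows what the log shows; the hash input (client IP, timestamp, server key), the 5-minute validity window, the server key and the password are assumptions, and the header values are constructed.

```python
import hashlib
import hmac

NONCE_VALIDITY_MS = 300_000  # assumed window (5 minutes); not taken from the post


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a digest-enabled realm stores this, not the password."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. In the log, 'md5a2' is HA2 and
    'Server digest' is this value recomputed on the server side."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def generate_nonce(client_ip, now_ms, server_key):
    """'<issue time in ms>:<hash>' as seen in the log; the hash input is an assumption."""
    return f"{now_ms}:{md5hex(f'{client_ip}:{now_ms}:{server_key}')}"


class DigestVerifier:
    """Server side of the check: nonce integrity and age, replayed nonce counts,
    then the credential comparison against the stored HA1."""

    def __init__(self, server_key, validity_ms=NONCE_VALIDITY_MS):
        self.server_key = server_key
        self.validity_ms = validity_ms
        self.last_nc = {}  # nonce -> highest nonce count accepted so far

    def nonce_is_valid(self, nonce, client_ip, now_ms):
        ts_str, _, tag = nonce.partition(":")
        if not ts_str.isdigit() or not tag:
            return False
        ts = int(ts_str)
        expected = md5hex(f"{client_ip}:{ts}:{self.server_key}")
        if not hmac.compare_digest(expected, tag):
            return False  # not issued with our key, or issued to another client
        return now_ms - ts <= self.validity_ms  # older than the window: stale

    def verify(self, hdr, stored_ha1, method, client_ip, now_ms):
        """hdr: parsed 'Authorization: Digest' parameters. Returns (ok, reason)."""
        nonce = hdr["nonce"]
        if not self.nonce_is_valid(nonce, client_ip, now_ms):
            return False, "stale nonce"
        nc = int(hdr["nc"], 16)
        if nc <= self.last_nc.get(nonce, 0):
            return False, "nonce count not increasing (replay)"
        expected = digest_response(stored_ha1, method, hdr["uri"], nonce,
                                   hdr["nc"], hdr["cnonce"], hdr.get("qop", "auth"))
        if not hmac.compare_digest(expected, hdr["response"]):
            return False, "bad credentials"
        self.last_nc[nonce] = nc
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through modelled on the log: same user, realm and URI,
    # but an assumed key, password and client address.
    key, ip, issued = "example-server-key", "192.0.2.10", 1416319056468
    nonce = generate_nonce(ip, issued, key)
    stored = ha1("openpdmadmin", "OpenPDM", "example-password")
    uri = "/OpenPDMSmarTeamOUCAConnectorServer/rest/is-session-alive"
    hdr = {"username": "openpdmadmin", "realm": "OpenPDM", "nonce": nonce,
           "nc": "00000001", "cnonce": "92633461", "qop": "auth", "uri": uri,
           "response": digest_response(stored, "POST", uri, nonce, "00000001", "92633461")}
    v = DigestVerifier(key)
    print("fresh request:", v.verify(hdr, stored, "POST", ip, issued + 49_000))
    print("same nc again:", v.verify(hdr, stored, "POST", ip, issued + 50_000))
    print("after window: ", v.verify(hdr, stored, "POST", ip, issued + NONCE_VALIDITY_MS + 1))
```

A stale nonce is the one failure a correct server answers with a fresh `WWW-Authenticate` challenge carrying `stale=true`, so a client can retry without re-prompting for credentials; a realm that is never consulted, as the post's log suggests, produces a plain 401 instead, which is a useful way to tell the two cases apart in the logs.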
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org