Hello,

I think I found the following bug in tomcat 7/8 with the following setup:

We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and 
deployed a web service with jersey 1.18.2. Additionally we set up HTTP 
authentication. In our case DIGEST authentication, but I also tried BASIC 
authentication; the observed behavior is the same.
We have a web service with login and logout methods, as well as some other 
methods which can only be invoked if a login request was made previously. 
Authentication works fine, until some point in time.
At this point the client receives an HTTP 401 Unauthorized response. I double 
checked that the client sends correct credentials and nonce values. On the server 
side I enabled logging (see attached log file).

The log shows two web service calls; the first one returns successfully, the 
last one reports the 401 error. As one can see in lines 12 and 13
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
Tomcat delegates the authentication request to the RealmBase class, which logs some stuff 
and returns with
FEIN:  Successfully passed all security constraints

But in the case of my error, just these three lines are logged:
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Failed authenticate() test

My server.xml is as follows:
<…
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="md5"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
<…

I also tried to remove the LockOutRealm, but without success.
As far as I understand, with this setup the class 
org.apache.catalina.realm.CombinedRealm.java is invoked to handle 
authentication. If I further understand correctly, then the method 
authenticate(String username, String clientDigest, String nonce, String nc, 
String cnonce, String qop, String realmName, String md5a2) is also invoked. 
This method iterates over all configured Realms. It seems to me that, in the case 
of the 401 error, the list of realms (Line 51) is empty and thus authentication 
fails.

The error only occurs after many calls to the web service. I was unable to 
identify any pattern, but it seems related to the nonce timeout, somehow.
Could someone verify this bug?

Best Regards,
Andreas

___________________________________________________________________
Andreas Kehlenbach
Software Engineer, SWD

PROSTEP AG
Dolivostrasse 11, D-64293 Darmstadt

Tel.: +49 6151 9287 332
Fax: +49 6151 9287 326

Email: andreas.kehlenb...@prostep.com
_____________________________________________________________________


________________________________________________________________________
PROSTEP AG, Dolivostraße 11, D-64293 Darmstadt
Commercial register: Amtsgericht Darmstadt, HRB 8383
Management Board: Dr. Bernd Pätzold (Chair), Reinhard Betz
Supervisory Board: Dr. Heinz-Gerd Lehnhoff (Chair)
________________________________________________________________________

Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Security checking request POST /OpenPDMSmarTeamOUCAConnectorServer/rest/is-session-alive
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Calling hasUserDataPermission()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FEIN:   User data constraint has no restrictions
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
FEIN: Digest : d747e0dabf284059948a2ad40c0abc72 Username:openpdmadmin ClientSigest:d747e0dabf284059948a2ad40c0abc72 nonce:1416319056468:b83d03daeeeb6aac9233fc67b072b75d nc:0000002f cnonce:92633461 qop:auth realm:OpenPDMmd5a2:46ee17ed4949e254dc7072fc6da7fab7 Server digest:d747e0dabf284059948a2ad40c0abc72
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase register
FEIN: Authenticated 'openpdmadmin' with type 'DIGEST'
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Calling accessControl()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FEIN:   Checking roles GenericPrincipal[openpdmadmin(openpdmadmin,)]
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FEIN: Role found:  openpdmadmin
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Successfully passed all security constraints
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN: Security checking request POST /OpenPDMSmarTeamOUCAConnectorServer/rest/transaction/abort
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/transaction/abort --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/transaction/abort --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/transaction/abort --> true
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FEIN:   Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/transaction/abort --> false
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Calling hasUserDataPermission()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FEIN:   User data constraint has no restrictions
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:  Failed authenticate() test
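As an added illustration (not code from the post or from Tomcat itself), the following Python sketch verifies a digest response with the same inputs Andreas lists for Realm.authenticate(...) and separates an expired nonce from a credential failure, which is the distinction the "nonce timeout" suspicion turns on. The realm and user name come from the log; the password, the server-side nonce key and the 5-minute validity window are assumptions.

```python
import hashlib
import hmac

# Constructed values for this example; the password and server key are not on the page.
REALM = "OpenPDM"              # realm name as it appears in the log
NONCE_SECRET = "server-key"    # constructed server-side key binding a nonce to its timestamp
NONCE_VALIDITY_MS = 300_000    # assumed validity window (5 minutes)

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# A digest-enabled user store keeps HA1 = md5(username:realm:password), never the password.
USER_DB = {"openpdmadmin": md5_hex(f"openpdmadmin:{REALM}:example-secret")}

def make_nonce(now_ms: int) -> str:
    """Nonce of the shape seen in the log: '<millis>:<hash>'."""
    return f"{now_ms}:{md5_hex(f'{now_ms}:{NONCE_SECRET}')}"

def client_response(password, username, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the client computes (RFC 2617, qop=auth); md5a2 is Tomcat's name for HA2."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    md5a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")

def verify(username, client_digest, nonce, nc, cnonce, qop, md5a2, now_ms):
    """Server-side check with the same inputs as Realm.authenticate(...) in the post.
    Returns 'ok', 'stale' (valid credentials but expired nonce: answer 401 with
    stale=true so the client retries with a fresh nonce) or 'bad'."""
    try:
        ts_str, nonce_hash = nonce.split(":", 1)
        issued_ms = int(ts_str)
    except ValueError:
        return "bad"
    if not hmac.compare_digest(nonce_hash, md5_hex(f"{issued_ms}:{NONCE_SECRET}")):
        return "bad"                       # nonce was not issued by this server
    if qop != "auth" or username not in USER_DB:
        return "bad"
    expected = md5_hex(f"{USER_DB[username]}:{nonce}:{nc}:{cnonce}:{qop}:{md5a2}")
    if not hmac.compare_digest(expected, client_digest):
        return "bad"                       # wrong password or tampered request
    if now_ms - issued_ms > NONCE_VALIDITY_MS:
        return "stale"                     # right credentials, expired nonce
    return "ok"
```

A realm that returns null for a stale nonce and for a wrong password alike produces the same bare 401 in the log, which is why the two cases are worth telling apart when debugging.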