Andreas,

On 11/26/14 5:42 AM, Kehlenbach, Andreas wrote:
> I think I found the following bug in tomcat 7/8 with the following
> setup:
> 
> We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without
> success) and deployed a web service with jersey 1.18.2.
> Additionally we set up HTTP authentication. In our case DIGEST
> authentication, but I tried BASIC authentication and the observed
> behavior is the same. We have a web service with login and logout
> methods, as well as some other methods which could only be invoked
> if a login request was made previously. Authentication works fine
> till some point in time. At this point the client receives an HTTP
> response 401 Unauthorized. I double checked that the client sends
> correct credentials and nonce values. On server side I enabled
> logging (see attached log file). The log shows two web service
> calls; the first one returns successfully, the last one reports the
> 401 error. As one can see in lines 12 and 13:
> FEIN:  Calling authenticate()
> Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
> Tomcat delegates the authentication request to the RealmBase class,
> logs some stuff and returns with:
> FEIN:  Successfully passed all security constraints
> 
> But in case of my error just these three lines are logged:
> FEIN:  Calling authenticate()
> Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
> FEIN:  Failed authenticate() test
> 
> My server.xml is as follows:
> <…
> <Engine name="Catalina" defaultHost="localhost">
>   <Realm className="org.apache.catalina.realm.LockOutRealm">
>     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>            resourceName="UserDatabase" digest="md5"/>
>   </Realm>
> 
>   <Host name="localhost" appBase="webapps" unpackWARs="true"
>         autoDeploy="true" deployOnStartup="true">
> 
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="logs" prefix="localhost_access_log." suffix=".txt"
>            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> 
>   </Host>
> </Engine>
> <…
> 
> I also tried to remove the LockOutRealm, but without success. As
> far as I understand, with this setup the class
> org.apache.catalina.realm.CombinedRealm.java is invoked to handle
> authentication. If I further understand correctly, then the method
> authenticate(String username, String clientDigest, String nonce,
> String nc, String cnonce, String qop, String realmName, String
> md5a2) is also invoked. This method iterates over all configured
> Realms. It seems to me that, in case of the 401 error, the list of
> realms (line 51) is empty and thus authentication fails.
> 
> The error only occurs after many calls to the webservice. I was
> unable to identify any pattern, but it seems related to the nonce
> timeout, somehow. Could one verify this bug?

What is the nonce timeout?

Note that HTTP BASIC authentication does not use nonces, so the nonce
timeout wouldn't be the cause under those circumstances.

How did you switch testing from HTTP DIGEST to HTTP BASIC
authentication? The stored credentials are of course incompatible. If
you created a small test case, can you share it with us?

-chris
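An added example, not from this thread or from Tomcat itself: a Python script that reads FINE-level Tomcat log lines in the two-line JULI format quoted in the report and, for each "Calling authenticate()", records the outcome and whether any org.apache.catalina.realm class logged anything in between. That is the distinction Andreas draws between the working and failing requests, and running it over a full log shows at what time the "401 without realm" cases start. The log sample is constructed to match the shape of the excerpt; the real attached log is not available here.

```python
import re
from datetime import datetime

# JULI writes each record as two lines: "<timestamp> <class> <method>" then
# "<LEVEL>: <message>". "FEIN" is the German rendering of FINE (see excerpt).
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>[\w.$]+) (?P<method>\w+)$")
MSG_RE = re.compile(r"^(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
CALL = "Calling authenticate()"
OK = "Successfully passed all security constraints"
FAIL = "Failed authenticate() test"

def parse_records(text):
    """Yield (timestamp, class, method, message) per two-line record."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for head, body in zip(lines[0::2], lines[1::2]):
        h, m = HEADER_RE.match(head), MSG_RE.match(body)
        if h and m:
            ts = datetime.strptime(h["ts"], "%b %d, %Y %I:%M:%S %p")
            yield ts, h["cls"], h["method"], m["msg"]

def authenticate_attempts(text):
    """Group records into authenticate() attempts; realm_consulted records
    whether any org.apache.catalina.realm class logged before the outcome."""
    attempts, cur = [], None
    for ts, cls, _method, msg in parse_records(text):
        if msg == CALL:
            cur = {"time": ts, "realm_consulted": False, "outcome": None}
        elif cur and cls.startswith("org.apache.catalina.realm."):
            cur["realm_consulted"] = True
        elif cur and msg in (OK, FAIL):
            cur["outcome"] = "ok" if msg == OK else "401"
            attempts.append(cur)
            cur = None
    return attempts

# Constructed sample in the shape of the quoted excerpt, not the real log file.
SAMPLE_LOG = """\
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:   Calling authenticate()
Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
FEIN:   constructed realm message
Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:   Successfully passed all security constraints
Nov 18, 2014 3:03:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:   Calling authenticate()
Nov 18, 2014 3:03:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FEIN:   Failed authenticate() test
"""
```

On the sample, `authenticate_attempts(SAMPLE_LOG)` yields one attempt with outcome "ok" and realm_consulted True, then one with outcome "401" and realm_consulted False, the pattern the report describes.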
