Hi all,
I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System,
maintaining our webapp with around 1000 JSP pages and I am NOT a web developer.
I have inherited this application and all of the previous owners are no longer
available. So the last 2months I do a lot of reading and debugging the whole
bunch of java and jsp code and I think, that I have a basic understanding what
the software is doing and how it is implemented at least.
The last days I found a lot of configuration issues and I was able to get the
whole stuff running in a very downsized environment build on a standard tomcat
Installation.
I got rid of all special configuration inside the server.xml, so that I was
able to fix some things and do it, like it was described in the beautiful
tomcat documentation and available wiki's.
That's only for some explanations, before the stupid questions may follow:
I have to use basic authentication without an own login form. The behavior I
see, is that if the webapp is starting a realm instance is correctly created
and initialized in my webapp, but if the first request arrive, also the tomcat
itself instantiate one object of this class and took the credentials from the
automatically upcoming login form (here IExplorer 11).
My understanding from reading the documentation is, that, if I configure my own
realm in my context.xml (what I have done), that the webapp will use it. That
seems to be ok, but why also tomcat itself instantiate an object of my custom
realm and take the first request when I want to access my webapp. Therefore I
have no own control about my JSessions and so my session management leaks,
because I didn't got the info's from the logins, what the tomcat is doing now.
What is wrong in my configuration or in my understanding? I want be the only
one, that got the requests for the authentication for my webapp.
Here are my server.xml, it only contain one Realm line of our realm in the
'Host' section (I strip the comments and the header lines, which are unchanged):
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase" description="User database that can be
updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector acceptCount="100"
connectionTimeout="200000" maxThreads="150" port="9150" protocol="HTTP/1.1"
redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3"
redirectPort="8443"/>
<Engine defaultHost="localhost" name="Catalina">
[<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"/>]
<Host appBase="webapps"
autoDeploy="true" name="localhost" unpackWARs="true" xmlNamespaceAware="false"
xmlValidation="false">
[<Realm
className="de.myproject.tomcat.realm.BITRealm" domainName="dom1" .../>]
</Host>
</Engine>
</Service>
The lines in brackets I have switched on and off in several attempts without
the wished result. Without a realm definition in server.xml and only in the
context.xml I have had equal results and one combination I have had one time,
was that I have to authenticate twice and the first time with the data of
tomcat-users.xml and the second time with my own one.
Is it possible that there is some more configured in some of the web.xml's or
other directories in WEB-INF, what cause this behavior? I have searched there
for some words like security, realm, userdatabase and so on, but have found
nothing.
Hopefully I have explained my problem as good as I know and somebody see my
point :)
Thanks in advance, best regards,
mit freundlichen Grüßen
Arno
_________________________________________________________
SQS hat bei den AIM Awards 2014 zum zweiten Mal die begehrte
Auszeichnung "International Company of the Year" erhalten.
<http://www.sqs.com/portal/news/de/pressemitteilungen-aim-awards-international-company-of-the-year.php>
Vorsitzender des Aufsichtsrats: David Bellin
Vorstand: Diederik Vos (CEO) ? Ralph Gillessen (COO) ? René Gawron (CFO)
SQS AG ? Stollwerckstraße 11 ? 51149 Köln
Sitz der Gesellschaft: Köln ? Amtsgericht Köln, HRB 12764
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient
(or have received this e-mail in error) please notify the sender immediately
and destroy this e-mail.
Any unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
