Richard, On 4/17/16 12:51 PM, rich...@xentu.com wrote: > On 2016-04-17 14:29, Konstantin Kolinko wrote: >> 2016-04-17 15:26 GMT+03:00 <rich...@xentu.com>: >>> I posted this same query at stackoverflow a couple of days back, but >>> with no >>> response, although I've simplified the issue very slightly since then. >>> >>> http://stackoverflow.com/questions/36653744/tomcat-7-wrong-realm-being-used >>> >>> >>> I have a realm defined in server.xml: >>> >>> <Engine name="Catalina" defaultHost="localhost"> >>> <Host name="localhost" appBase="webapps" unpackWARs="true" >>> autoDeploy="true" deployIgnore="^welcome.*"> >>> <Realm className="org.apache.catalina.realm.LockOutRealm" >>> failureCount="3" lockOutTime="3600"> >>> <Realm className="org.apache.catalina.realm.JDBCRealm" >>> driverName="org.postgresql.Driver" >>> connectionURL = "jdbc:postgresql://localhost:5432/tomcat" >>> connectionName="tomcat" >>> connectionPassword="xxxxx" >>> userTable = "users" >>> userNameCol="user_name" userCredCol="user_pass" >>> userRoleTable="user_roles" >>> roleNameCol="role_name" >>> /> >>> </Realm> >>> </Host> >>> </Engine> >>> >>> and two web applications, both inside the webapps folder on the tomcat >>> server, with identical security settings in their web.xml files: >>> >>> <security-role> >>> <role-name>test-role</role-name> >>> </security-role> >>> >>> <security-constraint> >>> <web-resource-collection> >>> <web-resource-name>Memory Realm</web-resource-name> >>> <url-pattern>/*</url-pattern> >>> </web-resource-collection> >>> <auth-constraint> >>> <role-name>test-role</role-name> >>> </auth-constraint> >>> </security-constraint> >>> >>> <login-config> >>> <auth-method>BASIC</auth-method> >>> </login-config> >>> >>> >>> However, one application uses the JDBCRealm, as I'd expect, while the >>> other >>> uses conf/tomcat-users.xml. >>> Looking at the postgresql logs, the second application never even >>> queries >>> the database. >>> >>> I can't see anything different in the two configurations. Without any >>> declaration of a UserDatabaseRealm I don't >>> see how any applications would get to look at tomcat-users.xml. >>> >>> I'm wondering if anyone here could help me diagnose what's wrong. >> >> >> 1. Full Tomcat version = ? >> >> (Per mailinglist rules, >> http://tomcat.apache.org/lists.html#tomcat-users >> -> 1.) >> >> 2. The problem is odd. I do not remember similar reports. >> >>> no META-INF/context.xml >> >> The context file can also be in >> ${catalina.base}/conf/${engineName}/${hostName}/ >> being a file named ${appName}.xml [1] >> >> 3. You can dump effective web.xml by setting logEffectiveWebXml="true" >> on Context [1] >> >> 4. You can copy your misbehaving web application and try to simplify >> it until you can isolate your issue. >> >> 5. You can try debugging [2]. >> >> Possible place for a breakpoint: >> org.apache.catalina.authenticator.AuthenticatorBase#invoke() >> // Realm realm = this.context.getRealm(); >> >> 6. Generally, I do not like JDBCRealm as it uses a single database >> connection. The recommended alternative is DataSourceRealm [3] >> >> [1] >> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context >> >> >> [2] https://wiki.apache.org/tomcat/FAQ/Developing#Debugging >> >> [3] http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html >> >> Best regards, >> Konstantin Kolinko >> > > > Thanks for your various pointers Konstantin, > >> 1. Full Tomcat version > > Apologies! Apache Tomcat/7.0.55 on Windows Server 2012 R2. > > I'd been following your suggestion 4, simplifying to try & isolate the > cause. > > Anyway, the problem has now vanished. As far as I know, the only thing I > did differently was to edit the project locally in eclipse & re-upload > the war. Previously, I'd been editing in situ on the Tomcat server & > then restarting the service. > > I'm assuming that all Tomcat's configuration is reloaded from scratch on > a service restart, so I don't know why I saw the previous behaviour.
I'd recommend putting your <Realm> configuration into your applications' META-INF/context.xml file. That will make it a bit easier to modify the configuration -- you won't have to restart Tomcat to pick-up any changes. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org