Dear all, no, this is not a one2one conversation. We succeeded; however, there appears to be a bug in Tomcat. Before we submit this one, I'd like to have your opinions - maybe we're missing something here.
As you may have read, the basics:

- Tomcat 5.5.17
- Debian Sarge
- Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)

Our context definition file in $catalina_home/conf/Catalina/localhost, SingleSignOn.xml:

<Context path="/SingleSignOn" docBase="SingleSignOn" debug="4"
         reloadable="true" crossContext="true">
  <Resource name="jdbc/SSODS" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://dekold4712/apacheSSO"
            username="username" password="password"
            maxActive="100" maxIdle="30" maxWait="10000"/>
</Context>

Fact: If we map a servlet to either "/" or "/*", FormBasedAuthentication is bypassed. If we map a servlet to its name, FormBasedAuthentication is called.

=======================================
web.xml #1 (FormBasedAuthentication is bypassed):
URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>domuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Dom4Bereich</realm-name>
    <form-login-config>
      <form-login-page>/jsp/loginForm.html</form-login-page>
      <form-error-page>/jsp/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>DOM-Users</description>
    <role-name>domuser</role-name>
  </security-role>
  <servlet>
    <servlet-name>SingleSignOn</servlet-name>
    <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>SingleSignOn</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>

=======================================
web.xml #2 (FormBasedAuthentication is bypassed):
URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>domuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Dom4Bereich</realm-name>
    <form-login-config>
      <form-login-page>/jsp/loginForm.html</form-login-page>
      <form-error-page>/jsp/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>DOM-Users</description>
    <role-name>domuser</role-name>
  </security-role>
  <servlet>
    <servlet-name>SingleSignOn</servlet-name>
    <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>SingleSignOn</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
</web-app>

=======================================
web.xml #3 (FormBasedAuthentication is bypassed):
URL called is http://myhost:8080/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>domuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Dom4Bereich</realm-name>
    <form-login-config>
      <form-login-page>/jsp/loginForm.html</form-login-page>
      <form-error-page>/jsp/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>DOM-Users</description>
    <role-name>domuser</role-name>
  </security-role>
  <servlet>
    <servlet-name>SingleSignOn</servlet-name>
    <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>SingleSignOn</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>

=======================================
web.xml #4 (FormBasedAuthentication working):
URL called is http://myhost:8080/SingleSignOn/SingleSignOn

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>domuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Dom4Bereich</realm-name>
    <form-login-config>
      <form-login-page>/jsp/loginForm.html</form-login-page>
      <form-error-page>/jsp/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>DOM-Users</description>
    <role-name>domuser</role-name>
  </security-role>
  <servlet>
    <servlet-name>SingleSignOn</servlet-name>
    <servlet-class>com.cr.web.sso.SingleSignOn</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>SingleSignOn</servlet-name>
    <url-pattern>/SingleSignOn</url-pattern>
  </servlet-mapping>
</web-app>

========================================
To my understanding (please do correct me if I'm wrong), with a "/*" in the element <web-resource><url-pattern>... I'm stating that all content including and below the mentioned pattern is seen as a web resource. As this web resource is inside an element <security-constraint>, this means that all mentioned content is protected and needs the specified role (in our case: domuser). My understanding is further that when I specify <servlet-mapping><url> as "/*", any request belonging to the mentioned context (in our case: SingleSignOn) is handled by the specified servlet, i.e. http://myhost/SingleSignOn/Foo as well as http://myhost/SingleSignOn/Bar.

Please do correct me if my understanding is wrong here or if we are missing some points; otherwise we consider this a bug, which we believe to be quite severe.

Thanks for your attention and comments!

Greg
--
what's puzzlin' you, is the nature of my game

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
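As an added example (not part of Greg's post and not Tomcat's own code), a small Python audit helper that reads a web.xml and reports which request paths inside the context are covered by a security-constraint that carries an auth-constraint, using the servlet specification's url-pattern matching rules (exact, path prefix, extension, default). WEB_XML_1 is a constructed sample modelled on web.xml #1, and the function names are assumptions; it shows the declared coverage the post expects ("/" and "/*" both cover the context root), so a mismatch with what the running server does is exactly the kind of finding to re-test against the live deployment.

```python
"""Static audit of a Servlet 2.4 web.xml (hypothetical helper, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on web.xml #1 from the post (constraint url-pattern "/").
WEB_XML_1 = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>domuser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def match_pattern(path, pattern):
    """Spec url-pattern rules: exact, path prefix '/x/*', extension '*.ext', default '/'."""
    path, pattern = path or "/", pattern or "/"  # empty request path means the context root
    if path == pattern:
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        if not prefix:
            return True                           # "/*" covers the whole context
        p = path.rstrip("/")
        while p:                                  # walk up one path segment at a time
            if p == prefix:
                return True
            p = p.rsplit("/", 1)[0]
        return False
    if pattern.startswith("*."):
        slash, dot = path.rfind("/"), path.rfind(".")
        return slash >= 0 and dot > slash and path.endswith(pattern[1:])
    return pattern == "/"                         # the default pattern covers everything left

def _kids(el, name):  # children by local name, so the j2ee default namespace does not matter
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def constraints(web_xml):
    """[(url-pattern, roles)] for each security-constraint that has an <auth-constraint>."""
    out = []
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        auth = _kids(sc, "auth-constraint")       # absent auth-constraint: resource stays public
        roles = [r.text.strip() for a in auth for r in _kids(a, "role-name")]
        for wrc in (_kids(sc, "web-resource-collection") if auth else []):
            out += [(u.text.strip(), roles) for u in _kids(wrc, "url-pattern")]
    return out

def audit(web_xml, request_paths):
    """Each request path (relative to the context) -> constraint patterns that cover it."""
    cons = constraints(web_xml)
    return {p: [pat for pat, _ in cons if match_pattern(p, pat)] for p in request_paths}
```

An empty list for a path in the audit result means no constraint with an auth-constraint covers it as written.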