Tomcat seems to only check the Authorization: headers if there is some
<security-constraint> explicitly declared in web.xml.  However, it
appears that the optimization has been incorrectly implemented because
it does not then recheck the header if request.isUserInRole(...) etc.
are called.  So users cannot log into a system that uses
request.isUserInRole(...).

More specifically,
my simple application tests request.isUserInRole(...) and
request.getRemoteUser().  If the user lacks permissions the application
sends a 401, and the user is prompted for a name/password which is sent
back as an Authorization: Basic dGltOlBhc3N3b3JkMQ==

So far so good.  But Tomcat then ignores the Authorization: header which
is correctly sent by the browser.

The web.xml has 
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Agile UI: tim/Password1</realm-name>
    </login-config>
in it.

There is no <security-constraint> clause in the web.xml because I do not
want to declare them there.  (They are instead declared internally as
part of a menuing system, which calls request.isUserInRole().)

A hack to make Tomcat look at the Authorization: header is to add the
following to web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>dbtest</web-resource-name>
            <url-pattern>/dbtest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>dummy</role-name>
        </auth-constraint>
    </security-constraint>

In which case it works if one accepts the unwanted dummy query.

Is it possible to tell Tomcat to always check the Authorization:?

Alternatively, is it possible to grant the dummy role to anonymous
users?  Do anonymous users have any role that could be added to a dummy
<security-constraint>?

Is it possible for me to determine which users have which roles in my
application so that I can check the header myself?  I.e. get at the
tomcat-users.xml style info, in a (fairly) web server independent
manner?

Or going the other way, is it possible for the webapp to easily find out
what roles are required for a given .jsp to run?  (We want to grey out
menu items that a user has no access to.)

My general feeling is that attempting to use Java Servlet security is
just wrong.  One should simply do it oneself.

Anthony

--
Dr Anthony Berglas 
Ph. +61 7 3227 4410
(Mob. +61 42 783 0248)
[EMAIL PROTECTED]; [EMAIL PROTECTED]
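
The last approach the message raises, checking the Authorization: header in
the application itself against tomcat-users.xml style data, looks like the
following. This is an added illustration, not code from the poster or from
Tomcat: it decodes a Basic credential, looks the user up in a constructed
tomcat-users.xml fragment (the user tim/Password1 is taken from the message's
own example header), and returns the status the servlet would send, a 401 with
a WWW-Authenticate challenge when no valid credential is present and a 403 when
the user is authenticated but lacks the required role. The realm name, the
user list and the function names are all assumptions for the example. Note
that Basic only base64-encodes the credential, so a handler like this still
relies on TLS to keep the password off the wire, and a real deployment would
store password hashes rather than the plaintext that the sample XML carries.

```python
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the shape of tomcat-users.xml (not a real deployment
# file). tim/Password1 matches the message's header dGltOlBhc3N3b3JkMQ==.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="dbtest"/>
  <user username="tim" password="Password1" roles="admin,dbtest"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""

REALM = "Agile UI"  # assumed realm name, after the message's <realm-name>


def load_users(xml_text):
    """Parse tomcat-users.xml style data into {username: (password, set_of_roles)}."""
    users = {}
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        # Tomcat has used both 'username' and (older files) 'name'.
        name = user.get("username") or user.get("name")
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        users[name] = (user.get("password", ""), roles)
    return users


def parse_basic(header_value):
    """Return (username, password) from 'Basic <base64>', or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(users, header_value):
    """Return the role set for a valid credential, else None."""
    creds = parse_basic(header_value)
    if creds is None:
        return None
    username, password = creds
    entry = users.get(username)
    if entry is None:
        # Run a comparison anyway so timing does not reveal whether the user exists.
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 16)
        return None
    stored, roles = entry
    if not hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8")):
        return None
    return roles


def check_access(users, headers, required_role):
    """Decide (status, extra_response_headers) for a request that needs required_role."""
    roles = authenticate(users, headers.get("Authorization"))
    if roles is None:
        # No or bad credential: challenge the browser, which then resends with Basic.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if required_role not in roles:
        # Authenticated but not authorised: do not re-challenge.
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    db = load_users(TOMCAT_USERS_XML)
    print(check_access(db, {}, "dbtest"))
    print(check_access(db, {"Authorization": "Basic dGltOlBhc3N3b3JkMQ=="}, "dbtest"))
    print(check_access(db, {"Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}, "dbtest"))
```

The same role set that check_access consults is what a menu could use to
grey out entries the user cannot reach, which is the other direction the
message asks about; the mapping from page to required role would then live in
the application's own table rather than in web.xml.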


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
