Tomcat seems to only check the Authorization: headers if there is some <security-constraint> explicitly declared in web.xml. However, it appears that the optimization has been incorrectly implemented because it does not then recheck the header if request.isUserInRole(...) etc. are called. So users cannot log into a system that uses request.isUserInRole(...).
More specifically, my simple application tests request.isUserInRole(...) and request.getRemoteUser(). If the user lacks permissions the application sends a 401, and the user is prompted for a name/password which is sent back as an Authorization: Basic dGltOlBhc3N3b3JkMQ== header. So far so good. But Tomcat then ignores the Authorization: header which is correctly sent by the browser.

The web.xml has the following in it:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Agile UI: tim/Password1</realm-name>
    </login-config>

There is no <security-constraint> clause in the web.xml because I do not want to declare them there. (They are instead declared internally as part of a menuing system, which calls request.isUserInRole().)

A hack to make Tomcat look at the Authorization: header is to add the following to web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>dbtest</web-resource-name>
            <url-pattern>/dbtest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>dummy</role-name>
        </auth-constraint>
    </security-constraint>

In which case it works, if one accepts the unwanted dummy query.

Is it possible to tell Tomcat to always check the Authorization: header?

Alternatively, is it possible to grant the dummy role to anonymous users? Do anonymous users have any role that could be added to a dummy <security-constraint>?

Is it possible for me to determine which users have which roles in my application so that I can check the header myself? I.e. get at the tomcat-users.xml style info, in a (fairly) web server independent manner?

Or going the other way, is it possible for a webapp to easily find out what roles are required for a given .jsp to run? (We want to grey out menu items that a user has no access to.)

My general feeling is that attempting to use Java Servlet security is just wrong. One should simply do it oneself.

Anthony

--
Dr Anthony Berglas
Ph. +61 7 3227 4410 (Mob. +61 42 783 0248)
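The "do it oneself" option the post ends on, as an added illustration that is not part of the original message or of Tomcat: a hypothetical servlet Filter that validates the HTTP Basic Authorization: header itself, so request.getRemoteUser() and request.isUserInRole() work without any <security-constraint> in web.xml. The user and role tables are constructed sample data (a real deployment would use a hashed-password store); it assumes Java 9+ and the javax.servlet API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: checks Basic credentials itself instead of relying on
 *  a <security-constraint> to make the container look at the header. */
public class BasicAuthFilter implements Filter {
    // Constructed sample data only; never ship plaintext passwords like this.
    private static final Map<String, String> PASSWORDS = Map.of("tim", "Password1");
    private static final Map<String, Set<String>> ROLES = Map.of("tim", Set.of("dbtest"));

    /** Returns the user name for a valid "Basic base64(user:pass)" header, else null. */
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; }      // malformed base64
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        String user = pair.substring(0, colon), pass = pair.substring(colon + 1);
        String expected = PASSWORDS.get(user);
        // Time-constant comparison so a mismatch does not leak which prefix matched.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                        pass.getBytes(StandardCharsets.UTF_8))) return null;
        return user;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String header = http.getHeader("Authorization");
        String user = authenticate(header);
        if (header != null && user == null) {            // header present but wrong: re-challenge
            HttpServletResponse out = (HttpServletResponse) res;
            out.setHeader("WWW-Authenticate", "Basic realm=\"Agile UI\"");
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // No header: stay anonymous and let the menu code send its own 401 when a role is needed.
        // Valid header: wrap the request so existing isUserInRole()/getRemoteUser() calls work.
        chain.doFilter(user == null ? http : new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public boolean isUserInRole(String role) {
                return ROLES.getOrDefault(user, Set.of()).contains(role);
            }
        }, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Map the filter to the same paths the menuing system protects; a request carrying the header from the post (Basic dGltOlBhc3N3b3JkMQ==) then reaches the JSP with getRemoteUser() returning "tim".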