Hi, thank you for the information.
We have not succeeded so far. I want to give you some more information on what
happens, plus the context.xml and the web.xml.
What we have changed versus the existing setup, which works on 7.0.11:
- We have moved the login.jsp into the protection domain (was outside
before). This did not remove the issue.
- We have changed the preemptiveAuthentication setting. This did not remove
the issue.
This is the flow through the system that we can see:
Client sends request to /portal
/portal is not protected
/portal/jsp/main.jsp is welcome page and protected (see web.xml)
Portal context configures form authentication on the protection
domain
Tomcat redirects/forwards incoming call to /jsp/login.jsp (protected
resource)
FormAuthentication Valve is called
Request Listener is called (expected: principal is null -> OK!)
jsp/login.jsp is displayed, waiting for user
User adds information, presses submit
Client sends request to j_security_check, initiated by the browser with the form
data
(something happens here?)
Realm is called: Authentication succeeds, realm creates principal
Realm provides its own implementation of Principal Object
Realm uses different table-structure than original DataSource Realm
(something happens here?)
Request Listener is called (expected: principal is not null -> FAILS!)
(something happens here?)
jsp/main.jsp is called, principal in request is not null -> can be dumped to
the JSP view
Following here is the context.xml in use
--- 8< ----------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="false"
antiResourceLocking="false"
fireRequestListenersOnForwards="true"
preemptiveAuthentication="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
fileDateFormat="yyyy-MM-dd"
pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"
prefix="portal-srs-standard."
suffix=".log"/>
<Valve className="org.apache.catalina.authenticator.FormAuthenticator"
changeSessionIdOnAuthentication="false"
alwaysUseSession="true"
landingPage="/jsp/main.jsp" />
<ResourceLink global="pendb"
name="jdbc/DataSource"
type="javax.sql.DataSource"/>
<WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
--- 8< ----------------------------------------------------------
Following here is the web.xml in use
--- 8< ----------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0" metadata-complete="true">
<display-name>SRS Standard Portal - PDX Application</display-name>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>de.srs.pen.portal.utils.server.filter.SetCharacterEncodingFilter</filter-class>
<init-param>
<param-name>ignore</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter>
<filter-name>RequestDumper</filter-name>
<filter-class>
org.apache.catalina.filters.RequestDumperFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>RequestDumper</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Listener -->
<listener>
<listener-class>de.srs.pen.portal.utils.server.servlet.PortalSessionManager</listener-class>
</listener>
<listener>
<listener-class>de.srs.pen.portal.utils.server.ObjectLockHandler</listener-class>
</listener>
<listener>
<listener-class>de.srs.pen.portal.utils.server.servlet.PortalRequestListener</listener-class>
</listener>
<listener>
<listener-class>de.srs.pen.portal.app.server.PortalContextListener</listener-class>
</listener>
<!-- Servlets and GWT Services -->
<servlet>
<description>Single point of entry fuer die Web
Applikation</description>
<display-name>DelegatingPortalServlet</display-name>
<servlet-name>DelegatingPortalServlet</servlet-name>
<servlet-class>de.srs.pen.portal.utils.server.servlet.DelegatingPortalServiceServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<description>gets PDF for Instance</description>
<display-name>DisplayPDFServlet</display-name>
<servlet-name>DisplayPDFServlet</servlet-name>
<servlet-class>de.srs.pen.portal.utils.server.servlet.DisplayPDFServlet</servlet-class>
<init-param>
<param-name>DPI</param-name>
<param-value>120</param-value>
</init-param>
</servlet>
<servlet>
<display-name>DownloadServlet</display-name>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>de.srs.pen.portal.utils.server.servlet.DownloadServlet</servlet-class>
</servlet>
<servlet>
<display-name>DeployFormServlet</display-name>
<servlet-name>DeployFormServlet</servlet-name>
<servlet-class>de.srs.pen.portal.app.server.services.DeployFormServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DelegatingPortalServlet</servlet-name>
<url-pattern>/delegating/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/servlet/DownloadServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DisplayPDFServlet</servlet-name>
<url-pattern>/servlet/DisplayPDFServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DeployFormServlet</servlet-name>
<url-pattern>/servlet/DeployFormServlet</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>59</session-timeout>
</session-config>
<!-- Servlets Default page to serve -->
<welcome-file-list>
<welcome-file>jsp/main.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>403</error-code>
<location>/error/403.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error/500.jsp</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/error/408.jsp</location>
</error-page>
<security-constraint>
<display-name>PDiX Portal</display-name>
<web-resource-collection>
<web-resource-name>PDX Portal Protected</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>servlets</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>GWT Resourcen</web-resource-name>
<url-pattern>/StandardPortal/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>services</web-resource-name>
<url-pattern>/delegating/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>authenticatedUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>PDXRealm</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>authenticatedUser</role-name>
</security-role>
</web-app>
--- 8< ----------------------------------------------------------
Kind regards
Thomas Strauß
Managing Director, Development
SRS PaperDynamix®
WE MAKE PAPER WORK
SRS-Management GmbH
Berliner Ring 93
64625 Bensheim
T +49 6251 85 424 - 20
F +49 6251 85 424 - 14
M +49 174 2110912
www.srs-management.de
www.srs-paperdynamix.de
HRB 25262 AG Darmstadt
Managing Directors: Detlev Homilius, Thomas Strauß
> -----Original Message-----
> From: Konstantin Kolinko [mailto:[email protected]]
> Sent: Thursday, 29 March 2012 22:56
> To: Tomcat Users List
> Subject: Re: FormAuthentication Valve changes fail with RequestListeners?
>
> 2012/3/29 Thomas Strauß <[email protected]>:
> > Hi,
> >
> > we have a web application using the FormAuthentication with Tomcat
> 7.0.11.
> >
> > The application provides its own realm, that is valid for the whole
> > server (configured in server.xml). The realm is based on datasource
> realm.
> >
> > The application provides request listeners that rely on the
> > request.getPrincipal() method to obtain the logged on user.
> >
> > The request listener authenticates a service framework with the
> > principal from the request.
> >
> > Tomcat 7.0.11 as stated above works with this design.
> >
> >
> > In Tomcat 7.0.26 this approach fails, because the request listener can
> > no longer obtain the principal using request.getPrincipal(). The call
> > returns null. A webpage (jsp) called after the listener as target of
> > the request can obtain the principal from the request as expected.
> >
> > No configuration changes have been applied between 7.0.11 and 7.0.26.
> >
> > Additionally we have experimented with various valve options, but did
> > not succeed.
> >
> > We cannot explain this behavior and think it is a bug in Tomcat.
> >
> > Any help appreciated, as currently we cannot upgrade Tomcat due to
> > this issue.
> >
>
> > In Tomcat 7.0.26 this approach fails, because the request listener can
> > no longer obtain the principal using request.getPrincipal().
>
> Is there a security constraint on the resource that the user is accessing?
> (I.e. is the user accessing a protected resource?)
>
> Look at configuration options for <Context>. See
> "preemptiveAuthentication" there.
>
>
> Best regards,
> Konstantin Kolinko
>
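As an added example (not code from this thread or from the SRS application), here is a diagnostic ServletRequestListener for the flow listed above: it reads the principal through the servlet API's getUserPrincipal(), treats the login page and j_security_check as the two requests where a null principal is expected, and hands its observation to the target JSP as a request attribute so the listener-time and JSP-time views of the principal can be compared for the same request. The package, class and attribute names are hypothetical; it assumes the Servlet 3.0 API declared in the web.xml above.

```java
package example.diagnostics; // hypothetical package, not part of the SRS code

import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;

/**
 * Records, per request, whether a principal was visible when the request
 * listener ran. A protected JSP can then compare this attribute with its own
 * request.getUserPrincipal() to pin down where the two views diverge.
 */
public class PrincipalDiagnosticListener implements ServletRequestListener {

    private static final Logger LOG =
            Logger.getLogger(PrincipalDiagnosticListener.class.getName());

    /** Request attribute the JSP reads back (hypothetical name). */
    public static final String ATTR_LISTENER_PRINCIPAL = "diag.listenerPrincipal";

    // Requests on which no principal can exist yet: the form login page and the
    // form-auth action URL. Both appear in the flow described in the mail above.
    static boolean anonymousExpected(String path) {
        return path == null
                || path.endsWith("/j_security_check")
                || path.startsWith("/jsp/login.jsp");
    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        if (!(sre.getServletRequest() instanceof HttpServletRequest)) {
            return;
        }
        HttpServletRequest req = (HttpServletRequest) sre.getServletRequest();
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        Principal p = req.getUserPrincipal();
        // Pass the observation on rather than failing the request here.
        req.setAttribute(ATTR_LISTENER_PRINCIPAL, p == null ? null : p.getName());
        if (p == null && !anonymousExpected(path)) {
            // The situation reported in the thread: protected path, no principal yet.
            LOG.warning("No principal at listener time for " + path
                    + " (session present=" + (req.getSession(false) != null) + ")");
        }
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        // nothing to release
    }
}
```

In main.jsp, printing request.getAttribute("diag.listenerPrincipal") next to request.getUserPrincipal() shows for one and the same request whether the principal appeared only after the listener had run.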