Question

Given a servlet HelloServlet:

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/HelloServlet")
public class HelloServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Default constructor.
     */
    public HelloServlet() {
        // TODO Auto-generated constructor stub
    }

    @Override
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // getRemoteUser() is null until the container has authenticated the caller
        System.out.print("hello my Friend: " + request.getRemoteUser());
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("This is the Test Servlet");

        // Dump every request header. Names and values are written into the HTML
        // unescaped, which is acceptable for a local test but not for real code.
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            out.print("<br/>Header Name: <em>" + headerName);
            String headerValue = request.getHeader(headerName);
            out.print("</em>, Header Value: <em>" + headerValue);
            out.println("</em>");
        }
    }
    ....
}

with a declared Tomcat security policy in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>my application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
</login-config>

and Tomcat role definitions in conf/tomcat-users.xml:

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

The realm in server.xml is:

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

I tried to access the servlet "HelloServlet" with the URL localhost/jsfWorkgroup/HelloServlet.

As expected, I am (re)directed to the login page:

<form method="POST" action="j_security_check">
<table>
  <tr>
    <td colspan="2">Login to the Tomcat-Demo application:</td>
  </tr>
  <tr>
    <td>Name:</td>
    <td><input type="text" name="j_username" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="j_password" /></td>
  </tr>
  <tr>
    <td colspan="2"><input type="submit" value="Go" /></td>
  </tr>
</table>
</form>

No matter which id-Token I used:

  1. username: tomcat, password: tomcat
  2. username: both, password: tomcat

I still end up at the failure page /login-failed.jsp.

Here is my take on this: Tomcat does redirect me to the login page, but it does not read conf/tomcat-users.xml to validate my login (even after several reboots).

What do you think about it?

configuration: Tomcat 7.0.23, Eclipse-Indigo


Solution

Following the suggestion of @pd40, I tried the examples/jsp/security/protected/ examples, but not in the Eclipse IDE, where Tomcat is usually embedded along with the other servers (Glassfish, JBoss, etc.); instead I started the Tomcat server standalone (from its /bin directory), and there it works.

But when I attempt to run a security-based web application in Tomcat within Eclipse, it fails again, even using the configuration described above.

I don't know if I am right, but web application security is only supported when Tomcat runs outside of Eclipse.

OTHER TIPS

The tomcat example web.xml includes the following section below <login-config>:

<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>

which you may need.


Tomcat includes an example WAR which contains an auth setup using tomcat-users.xml similar to what you are trying. If tomcat home/webapps/examples is deployed, try accessing http://localhost/examples/jsp/security/protected/. Make sure the XML comments around the role/user section of tomcat-users.xml have been removed. They are commented out by default.

<!-- Un comment me 
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->

You can consider bumping up the logging to help diagnose the auth issue.
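The two checks this answer and the question's configuration hinge on (are the auth-constraint roles declared as security-roles, and are the role/user entries in tomcat-users.xml still sitting inside an XML comment) can be scripted. The following is an added example, not code from the question or from Tomcat; the two XML samples are constructed from the question's files, and a real web.xml carries a default namespace, which the helper tolerates by matching local tag names.

```python
import xml.etree.ElementTree as ET

# Constructed from the question's web.xml: constraint present, but no <security-role>.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>my application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>tomcat</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

# Constructed from a default tomcat-users.xml: entries still commented out.
TOMCAT_USERS_XML = """<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
</tomcat-users>"""


def _local(tag):
    """Strip any XML namespace so '{ns}role-name' matches 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _texts(root, parent, child):
    """Text of every <child> directly under a <parent>, namespace-agnostic."""
    return {c.text.strip() for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == child and c.text}


def check_auth_config(web_xml, users_xml):
    """Return human-readable findings that explain why FORM login always fails."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    findings = []
    required = _texts(web, "auth-constraint", "role-name")
    declared = _texts(web, "security-role", "role-name")
    # ElementTree drops comments, so commented-out entries yield no <user> elements.
    user_roles = {}
    for u in (e for e in users.iter() if _local(e.tag) == "user"):
        for r in u.get("roles", "").split(","):
            user_roles.setdefault(r.strip(), set()).add(u.get("username"))
    if not user_roles and 'username="' in users_xml:
        findings.append("tomcat-users.xml: <user> entries are inside an XML comment; uncomment them")
    for role in sorted(required):
        if role not in declared:
            findings.append(f"web.xml: role '{role}' is used in <auth-constraint> but not declared in <security-role>")
        if role not in user_roles:
            findings.append(f"tomcat-users.xml: no user is assigned role '{role}'")
    return findings
```

Run it against the real files by reading them into the two arguments; an empty list means both files agree on the role, and the remaining suspects are the Eclipse-managed server copy of conf/ discussed in the other answers.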

This is too late for me to answer but maybe someone coming here may find this useful.

Actually, if you are facing the problem of the Tomcat configuration not working through Eclipse but working when run outside it, then just delete the server from the Eclipse Servers tab and add it again. This should solve the problem.

You have restricted access to your content by defining secured pages in web.xml:

<url-pattern>/*</url-pattern>

That wildcard refers to all pages in the context path, so you get an infinite loop of redirections to the login page.

I discovered that if you change the configuration of users in the tomcat-users.xml that is embedded in Eclipse, you must restart Eclipse, not just the server, for the new users to be recognised. I guess that Eclipse caches the tomcat-users.xml file.

Licensed under: CC-BY-SA with attribution