Question

I am trying to configure Tomcat 7 JDBC realm configuration. I have followed this tutorial completely: http://www.avajava.com/tutorials/lessons/how-do-i-use-a-jdbc-realm-with-tomcat-and-mysql.html

I get the basic authentication pop-up, but even if I enter correct credentials, user is not authenticated. I don't get any error message.

Tutorial specifies Tomcat 5.5 but I am using Tomcat 7. I have just changed the connectionPassword and connectionName and the name of the dynamic web project.

Here is the server.xml JDBC realm configuration:

    <Realm  className="org.apache.catalina.realm.JDBCRealm"
            driverName="com.mysql.jdbc.Driver"
            connectionURL="jdbc:mysql://localhost:3306/tomcat_realm"
            connectionName="root" 
            connectionPassword="root"
            userTable="tomcat_users" 
            userNameCol="user_name" 
            userCredCol="password"
            userRoleTable="tomcat_users_roles" 
            roleNameCol="role_name" />

Here is web.xml

    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>dude</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

All I can see is that I get this message regarding security:

Security role name dude used in an <auth-constraint> without being defined in a <security-role>

Can you please help me sort this out? Is this issue related to Tomcat 7?


Solution

Per the Java Servlet Spec, you need to define the dude role as a security role. To do this, add the <security-role> element to your web.xml, as shown below:

    <servlet>
    <!-- ... -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>dude</role-name>
        </auth-constraint>
    <!-- ... -->
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>dude</role-name>
    </security-role>

This would allow GET/POST requests to any user having the dude role.

I'd suggest you don't include the <http-method> elements as they don't work as you might expect. Including this element for GET and POST means that the security constraint applies only to these two methods; any other method is allowed. Here is what the Servlet Spec says:

The sub-element web-resource-collection identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.

See this reference for details.
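Both problems in this thread (a role used in an `<auth-constraint>` but never declared in a `<security-role>`, and a `<web-resource-collection>` that lists only GET and POST so every other HTTP verb bypasses the constraint) can be caught mechanically before deployment. The script below is an added example, not code from the question, the answer or the Tomcat project: it parses a `web.xml` with the standard library and reports both findings. The two embedded descriptors are constructed samples that mirror the asker's configuration and the corrected form; the role name `dude`, the `/*` pattern and the finding labels are assumptions of this example.

```python
"""Lint a Servlet web.xml for two authorization pitfalls discussed above:
undeclared security roles and http-method lists that leave other verbs open."""
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the asker's web.xml (role "dude" never declared,
# constraint enumerates GET and POST only).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dude</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# Constructed sample: the corrected form (role declared, no method list,
# namespace declared as real descriptors usually do).
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dude</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>dude</role-name>
  </security-role>
</web-app>
"""


def _name(elem):
    """Tag name with the XML namespace (if any) stripped."""
    return elem.tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _name(c) == name]


def _texts(elem, name):
    """Stripped text of each direct child named `name`."""
    return [c.text.strip() for c in _children(elem, name) if c.text]


def lint_web_xml(xml_text):
    """Return a list of (finding, detail) tuples; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # Roles the descriptor actually declares.
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))

    for sc in _children(root, "security-constraint"):
        # 1. Every role referenced by an auth-constraint must be declared
        #    ("*" and "**" are the spec's wildcards and need no declaration).
        for ac in _children(sc, "auth-constraint"):
            for role in _texts(ac, "role-name"):
                if role not in ("*", "**") and role not in declared:
                    findings.append(("undeclared-role", role))

        # 2. Listing http-method elements restricts the constraint to those
        #    verbs only; without an http-method-omission the rest are open.
        for wrc in _children(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            if methods and not omitted:
                patterns = ", ".join(_texts(wrc, "url-pattern"))
                findings.append(("uncovered-methods",
                                 f"{patterns} constrained only for {', '.join(methods)}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, lint_web_xml(doc) or "clean")
```

Run it against a real `WEB-INF/web.xml` by reading the file into `lint_web_xml`; the `uncovered-methods` finding is the one to act on first, since dropping the `<http-method>` elements (or switching to `<http-method-omission>` on Servlet 3.0+) is what makes the constraint cover every verb.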

Licensed under: CC-BY-SA with attribution