Tomcat BASIC authentication fails in certain cases

Hi,

I've got some issue, that I can't explain. I am running a Web-Application that provides a special login for certain customers. I am running a Tomcat Server (Version 5.5.17), using BASIC authentication configured in my web.xml:

<web-app> ... <error-page> <error-code>403</error-code> <location>/WEB-INF/errors/error_403.vm</location> </error-page> <resource-ref> <description> Resource reference to a factory for java.sql.Connection instances that may be used for talking to a particular database that is configured in the /META-INF/context.xml file. </description> <res-ref-name>jdbc/dao</res-ref-name> <res-type>javax.sql.DataSource</res-type> <res-auth>Container</res-auth> </resource-ref> <login-config> <auth-method>BASIC</auth-method> <realm-name>MyRealm</realm-name> </login-config> <!-- Security roles referenced by this web application --> <!-- <security-role> <description>Admin</description> <role-name>admin</role-name> </security-role> --> <security-role> <description>Special Test User</description> <role-name>test1</role-name> </security-role> <security-role> <description>Special Test User User</description> <role-name>test_2</role-name> </security-role> </web-app>

Now if I and my colleagues log into this app everthing works fine. But one customer (one I know of) is not able to login. I first thought this is some kind of browser issue, but firefox as well as IE refuse to login. The always give 401 (not 403) after 3 'failed' attempts.

I am absolutely sure, that the provided username and password are correct. I am able to login with these.

To make things even trickier: If I provide the customer with a login to the tomcat manager webapp via tomcat-users.xml, he is able to login without problems.

I am totally !! In fact, the login action is never reached. Maybe there is some issue with SHA-1 password encryption? With the encoding (user and password contain only ASCII)?

Following my struts Login action, my context.xml and the struts-config.xml part for login:

LoginAction.java
public class LoginAction extends Action { private static Log log = LogFactory.getLog(LoginAction.class); public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { HttpSession session = request.getSession(); String forward = GlobalSettings.FORWARD_SUCCESS; if (request.isUserInRole("test1") || request.isUserInRole("test_2")) { // create some session variables } // Redirect to flash application if "Referer" contains // this apps url String referer = request.getHeader("Referer"); if (referer != null && referer.length() > 0 && referer.contains(GlobalSettings.MAPBROWSER_SITE_URL)) { return new RedirectingActionForward(referer); } else { return mapping.findForward(forward); } } }

META-INF/context.xml
<Context path="" docBase="" debug="0" reloadable="true"> <Resource name="jdbc/dao" auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver" url="jdbc :-P ostgresql://localhost:5432/my_db" username="***" password="***" maxActive="20" maxIdle="10" maxWait="-1" /> <Realm className="org.apache.catalina.realm.JDBCRealm" connectionName="***" connectionPassword="***" driverName="org.postgresql.Driver" debug="999" connectionURL="jdbc :-P ostgresql://localhost:5432/my_db" userNameCol="username" userTable="users" userCredCol="password" userRoleTable="roles" roleNameCol="rolename" digest="SHA-1"/> </Context>


struts-config.xml
... <global-forwards> <forward name="success" path="/welcome.vm" /> </global-forwards> ... <action path="/Login" type="LoginAction"> </action> ...
[ August 27, 2006: Message edited by: Markus Reinhardt ]

hi,
the problem is ur authentication method did not call during this execution u need to call the authentication machenism of ur realm.

and if u want to call the authentication at the page calling u can do it via using <security-constrain> tag where u need to give the url of pages which want authentication .

like

<security-constraint>
<web-resource-collection>
<web-resource-name>mytest</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>

try this also

Thanks for your reply.

But my web.xml contains a security-constraint. I just forgot to copy and paste it *shameonme*

The problem persists, does anyone have any other ideas?

... </resource-ref> <security-constraint> <web-resource-collection> <web-resource-name>Special Login</web-resource-name> <url-pattern>/Login.do</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <!-- NOTE: This roles are not present in the default users file --> <role-name>test1</role-name> <role-name>test_2</role-name> </auth-constraint> </security-constraint> <login-config> ...