OK, it's my turn! I've been working with FORM-based authentication since about 2000 on Windows, Linux, Solaris and maybe even the odd IBM iSeries. No problems. Until now.
I have one (and only one) server at a particular hosting provider that is positively off the wall. When I access a secured resource, it doesn't present the login form. Instead it pops up a Dialog, meaning it's attempting BASIC instead of FORM. It
does authenticate - only valid user IDs and passwords are accepted. However, it
doesn't honor security roles!
We upgraded the OS, I installed a fresh copy of
Tomcat and the latest Sun, er, Oracle JVM. No change. I switched the proxy off Apache, set up a firewall redirect from port 443 to 8443 to compensate, verified that 443 wasn't being listened to and 8443 belonged to Tomcat. Checked the 8443 Connector parameters. All good.
This is an app that works just fine on my desktop and development server, although I don't route through Apache on those systems. I've got other systems at the same hosting service that don't have a problem with form-based authentication. I'll admit that since there are other fingers in this particular pie, there may be things going on I don't know about, but if there ARE, I need to know them, and I haven't a clue.
Anybody ever seen anything like this before?