Issues with Embedded Tomcat and Security Realm with Basic Authentication

Hi all,

I am in the process of upgrading our server from Tomcat 5.5 to Tomcat 7, and I am running into issues porting from the Embedded class to the Tomcat class. I am able to start the server successfully. When I try to access the secure realm, I am challenged with the basic authentication login dialog. If I enter the wrong credentials, I get a 401 and am presented the basic authentication login dialog. However, if I enter the correct credentials, I am presented with a 403 error. I figure that somehow, I didn't associate the user list with the secure realm, but I am not sure how to proceed. Can anyone provide any suggestions? Thanks in advance.

My code is attached below. FYI, the class OurTomcat extends the Tomcat class by providing a method to add a web app that uses the default web.xml. This is because our root app does not have a specific web.xml. However, the secure realm does have its own web.xml.

Howard

public void start() {
        // Create the embedded server.
        tomcat = new OurTomcat();
        securityRealm = new SRMUserRealm(userDAO);

try {
            tomcat.setBaseDir(catalinaHome);
            tomcat.init();

tomcat.setHostname(getHostName());
            tomcat.setRealm(securityRealm);

// Create the ROOT app context
            rootContext = tomcat.addWebappWithGlobalWebXml("", docBase);

Context rsViewerContext = tomcat.addWebapp("/rsviewer", "rsviewer");
            rsViewerContext.setPrivileged(true);

//bug 14168, need to set this to show flash chart in IE
            StandardContext myStdContext = (StandardContext) rsViewerContext;
            AuthenticatorBase mybasicAuth = new BasicAuthenticator();
            mybasicAuth.setSecurePagesWithPragma(false);
            mybasicAuth.setChangeSessionIdOnAuthentication(false);  // New to Tomcat 7.0 - changes the session ID when the 401 challenge dialog is displayed - try disabling
            mybasicAuth.setAlwaysUseSession(true);                  // New to Tomcat 7.0 - adds a session, which was the way it worked in Tomcat 5.5 
            myStdContext.addValve( mybasicAuth );

// Get an IP address to which to bind the server.
            log.info("binding to host: ", getHostName());
            Service tomcatService = tomcat.getService();
            Connector httpConnector = tomcat.getConnector();
            if (httpConnector == null) {
                httpConnector = new Connector();
                tomcatService.addConnector(httpConnector);
            }
            httpConnector.setPort(webServerProperties.getHttpPort());
            httpConnector.setSecure(false);
            httpConnector.setRedirectPort( webServerProperties.getUserHttpsPort() );
            httpConnector.setService(tomcatService);

Connector httpsConnector = new Connector();
            httpsConnector.setPort(webServerProperties.getHttpsPort());
            httpsConnector.setSecure(true);
            httpsConnector.setScheme("https");
            httpsConnector.setAttribute("SSLEnabled", true);

// we have to set every property under the sun because...
            // http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/startup/Embedded.java
            // "javax.net.ssl.trustStore" is a necessary system property, but is
            // not a mentioned connector property
            IntrospectionUtils.setProperty(httpsConnector, "algorithm", "SunX509");
            IntrospectionUtils.setProperty(httpsConnector, "clientAuth", "false");
            IntrospectionUtils.setProperty(httpsConnector, "keystoreFile", System.getProperty("javax.net.ssl.keyStore"));
            IntrospectionUtils.setProperty(httpsConnector, "keystorePass", System.getProperty("javax.net.ssl.keyStorePassword"));
            IntrospectionUtils.setProperty(httpsConnector, "keystoreType", "JKS");
            IntrospectionUtils.setProperty(httpsConnector, "sslProtocol", "TLS");
            IntrospectionUtils.setProperty(httpsConnector, "ciphers", SSL_CIPHERS);

tomcat.setHttpsConnector(httpsConnector);
        } catch (ServletException se) {
            throw new IllegalStateException("Error configuring embedded Tomcat.", se);
        } catch (LifecycleException e) {
            throw new IllegalStateException("Error starting embedded Tomcat.", e);
        }

// Start it up.
        try {
            log.info("server starting up....");
            tomcat.start();
        } catch (LifecycleException e) {
            throw new IllegalStateException("Error starting embedded Tomcat.", e);
        }
}

class OurTomcat extends Tomcat {
    protected int httpsPort;
    protected Connector httpsConnector;

public Connector getHttpsConnector() {
        return httpsConnector;
    }

public void setHttpsConnector(Connector connector) {
        if (httpsConnector != null) {
            service.removeConnector(httpsConnector);    // remove the old connector
        }
        httpsConnector = connector;
        if (connector != null) {
            httpsPort = connector.getPort();
            service.addConnector(httpsConnector);
        } else {
            httpsPort = 0;
        }
    }

public Realm getRealm() {
        return host.getRealm();
    }

public void setRealm(Realm realm) {
        setDefaultRealm(realm);
    }

public Context addWebappWithGlobalWebXml(String contextPath, String baseDir) throws ServletException {
        Context result;

// create a webapp context
        result = new StandardContext();

// configure it (via the global web.xml)
        result.setName(contextPath);
        result.setPath(contextPath);
        result.setDocBase(baseDir);

ContextConfig ctxCfg = new ContextConfig();
        result.addLifecycleListener(ctxCfg);
        ctxCfg.setDefaultWebXml(Constants.DefaultWebXml);
        
        // add it to a host
        if (host == null) {
            host = getHost();
        }
        host.addChild(result);

return result;
    }

}

The issue turned out to be the custom class I created to extend RealmBase to manage my user authentication and authorization. Because of my custom roles, I had to override the hasRole() method to reflect my role hierarchy. Thanks for looking.

Howard

And thank you for sharing your solution, so others may benefit from it in the future

I want to upgrade my Embedded Tomcat5 to Embedded tomcat 7.
Could you please share your full source code for the reference.
I am not getting many terms by refering above code.
It will be my pleasure if you share the source code.