File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes Tomcat 7 Web Application Authentication Issue Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Tomcat 7 Web Application Authentication Issue" Watch "Tomcat 7 Web Application Authentication Issue" New topic

Tomcat 7 Web Application Authentication Issue

Dana Peele

Joined: Aug 04, 2012
Posts: 6
I am trying to get authentication to work for a web application using Eclipse paired with Tomcat 7.

I have been working on this for over two hours and am getting nowhere. There are no errors in the console. The authentication page comes up properly when I try to hit any of the pages in my web application. But when I type in the username and password, I get the authentication page again with the "Login failed, please try again." message at the top indicating I entered the wrong credentials. Originally, I didn't have the <security-role> element in my web.xml file but added it because I got a warning in the console but this didn't fix anything (except that the warning in the console went away). I have restarted the server many times and have confirmed that my xml files are not being overwritten. I have also double checked that none of the relevant elements are commented out. I have read through all the other posts I could find on this and other forums but haven't found an answer. I believe my problem may lie in my server.xml file. I keep reading that I need to have a security realm enabled and that one isn't enabled by default but I see the UserDatabaseRealm defined and it isn't commented out so I don't see what else I need. Please help!

Thank you in advance,


Here are the relevant pieces of code:

web.xml from my web application (in my Eclipse workspace under \test\WEB-INF):


<!-- The following stanza is for the FORM method only -->

tomcat-users.xml from my Tomcat 7 server conf directory (%CATALINA_HOME%\conf):

<role rolename="dana"/>
<user username="dana" password="dana" roles="dana"/>

server.xml from my Tomcat 7 server conf directory (%CATALINA_HOME%\conf):

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t "%r" %s %b" />

Authentication page (in my eclipse workspace under \test\WebContent:

if (String.valueOf(request.getParameter("error")).equals("true")) {
out.println ("Login failed, please try again.");
<form method=post action="j_security_check">
Username: <input type=text name="j_username" size=20><BR>
Password: <input type=text name="j_password" size=20><BR>
<input type=submit>
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

Welcome to the JavaRanch, Dana! Yes, you absolutely do have to have a security Realm configured. J2EE container security has 2 components - the part that's in the webapp and the part that's in the webapp server.

Realms are implements as plugin modules. There is no default Realm, so one must be explicitly requested.

There are 2 possibilities that would explain your problem:

1. The Realm definition that you think isn't commented-out actually is commented out and you missed it (a personal favorite hair-tearer of mine).

2. The Realm definition is defined but not for the webapp that you want it to apply to.

Realms may be configured at either the individual webapp level or at the global level, with individual level taking precedence. You would generally only define at the global level for cases where the same security system services all installed webapp - Single Signon, for example. More commonly, I define the Realm as part of my webapp Context file, because I usually am dealing with multiple security systems.

An IDE is no substitute for an Intelligent Developer.
Dana Peele

Joined: Aug 04, 2012
Posts: 6

Thank you very much for taking the time to reply.

I figured out the issue, finally, after another 2 hours of work, with the help of another thread on JavaRanch-

To summarize, it wasn't the Realm, which was defined properly at the engine level and not commented out. In fact, the issue was that I'm using Tomcat embedded in Eclipse and Eclipse WTP (Web Tools Platform) creates a separate instance of the Tomcat server with its own version of tomcat-users.xml (and the other xml files in the conf directory including server.xml although this didn't need to be modified in this case) under the Eclipse workspace. I was editing the version of tomcat-users.xml in %CATALINA_HOME%\conf which wasn't being used by this instance at all and so the role and user information I was entering wasn't being used by my instance and authentication failed. Once I added the role and user to the correct version of tomcat-users.xml (under "C:\Users\Dana New\workspace\Servers\Tomcat v7.0 Server at localhost-config" in my case), everything worked perfectly. Hopefully this will help some other poor newbie who finds himself in my situation down the road.

Regards, Dana
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

As I've said before, the Eclipse WTP is an abomination. The extra convenience (what little there is of it) is more than offset by its imperfect replication of the Tomcat run environment. The sysdeo plugin does a much better job and it's comfortably well-integrated itself.
Dana Peele

Joined: Aug 04, 2012
Posts: 6
Thanks for the tip, Tim. I'll install the plugin immediately.
I agree. Here's the link:
subject: Tomcat 7 Web Application Authentication Issue
It's not a secret anymore!