BASIC Authentication

Nick Bour
Greenhorn

Joined: May 02, 2013
Posts: 1
Hello,

I'm trying to do BASIC Authentication for one of my webapps. I put this code in the web.xml of my webapp:

<security-constraint>
  <display-name>logs</display-name>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- applicable to all URLs in the application -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>logs</role-name>
  </auth-constraint>
</security-constraint>

This is working great. But as soon as I add this code in the global web.xml to redirect everyone to https, it stops working. The webapp is working, but it is not asking me for user / password anymore:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

What can I do to have BASIC Authentication on a specific webapp with a redirect to https on all webapps?

Thank you very much,
Nicholas
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950

BASIC authentication isn't actually all that great. Most of us use form-based authentication most of the time. BASIC authentication is considered less secure and logging out of apps may require shutting down the client app (browser), which isn't something I want to do considering how many tabs I typically have open.

One thing to note is transport security and authentication are 2 different things. You don't actually need any sort of authentication just to get TLS (https).

I can't see anything that rings alarm bells in your samples (hint: use the Code button to format stuff like this). Which is why I waited to see if anyone else did. About the only other thing that I can think of is that you check your server.xml connectors. I got burned a while back because a form-based connector was being used when a basic connector should have been (or maybe the other way around. I forget).


Customer surveys are for companies who didn't pay proper attention to begin with.
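
Added example, not part of either post above: the Servlet specification combines all constraints that match the same URL pattern, and a constraint with no auth-constraint combines with one that names roles to allow unauthenticated access, which is consistent with the login prompt disappearing once the global /* constraint was added. One way to avoid that is to carry authentication and the transport guarantee in a single constraint in the webapp's own web.xml. The login-config, realm name and security-role below are assumptions, since the question does not show them.

```xml
<!-- Added example for the webapp's WEB-INF/web.xml (not the poster's file). -->
<!-- The role name "logs" comes from the question; everything marked       -->
<!-- "assumed" is a placeholder.                                            -->

<security-constraint>
  <display-name>logs</display-name>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements: the constraint then applies to every
         HTTP method instead of only the ones that are listed. -->
  </web-resource-collection>

  <!-- Who may access: only authenticated users in the "logs" role. -->
  <auth-constraint>
    <role-name>logs</role-name>
  </auth-constraint>

  <!-- How they must connect: the container redirects plain HTTP to the
       HTTPS connector before the BASIC challenge is sent, so credentials
       are not sent in clear text. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Assumed: the question does not show its login-config. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>PLACEHOLDER-REALM</realm-name>
</login-config>

<!-- Assumed: declares the role referenced by the auth-constraint. -->
<security-role>
  <role-name>logs</role-name>
</security-role>
```

For this application, a bare /* constraint that has no auth-constraint should not also remain in the global web.xml, or the two combine as before.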
 