BASIC Authentication

Nick Bour
Greenhorn

Joined: May 02, 2013
Posts: 1
Hello,

I'm trying to do a BASIC Authentication for one of my webapps. I put that code in the web.xml of my webapp:

<security-constraint>
    <display-name>logs</display-name>
    <web-resource-collection>
        <web-resource-name>application</web-resource-name>
        <!-- applicable to all urls in the application -->
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>logs</role-name>
    </auth-constraint>
</security-constraint>

This is working great. But as soon as I add that code in the global web.xml to redirect everyone to https, it stops working. The webapp is working but it is not asking me for user / password anymore:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

What can I do to have a BASIC Authentication on a specific webapp with a redirect to https on all webapps?

Thank you very much,
Nicholas
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15632
    

BASIC authentication isn't actually all that great. Most of us use form-based authentication most of the time. BASIC authentication is considered less secure and logging out of apps may require shutting down the client app (browser), which isn't something I want to do considering how many tabs I typically have open.

One thing to note is transport security and authentication are 2 different things. You don't actually need any sort of authentication just to get TLS (https).

I can't see anything that rings alarm bells in your samples (hint: use the Code button to format stuff like this). Which is why I waited to see if anyone else did. About the only other thing that I can think of is that you check your server.xml connectors. I got burned a while back because a form-based connector was being used when a basic connector should have been (or maybe the other way around. I forget).


Customer surveys are for companies who didn't pay proper attention to begin with.
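
Added example, not part of the thread: a small Python model of the Servlet specification's rule for combining security constraints that name the same url-pattern and HTTP method, run on constructed copies of the two fragments from the question. The function names and the MERGED fragment are assumptions of this example, and only exact pattern matches are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the question's fragments (method list abridged).
APP = """<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>logs</role-name></auth-constraint>
</security-constraint>"""
GLOBAL = """<security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>"""
# Hypothetical variant: one constraint carrying both requirements.
MERGED = APP.replace("</auth-constraint>", "</auth-constraint><user-data-constraint>"
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>")

def parse_constraints(xml_text):
    """Return one dict per <security-constraint> in a web.xml fragment."""
    out = []
    for sc in ET.fromstring("<web-app>" + xml_text + "</web-app>").iter("security-constraint"):
        auth = sc.find("auth-constraint")
        tg = sc.findtext("user-data-constraint/transport-guarantee")
        out.append({
            "patterns": {p.text.strip() for p in sc.iter("url-pattern")},
            "methods": {m.text.strip() for m in sc.iter("http-method")} or None,  # None = all
            # None = no <auth-constraint>; empty set = constraint naming no roles
            "roles": None if auth is None else {r.text.strip() for r in auth.iter("role-name")},
            "https": bool(tg) and tg.strip() != "NONE",
        })
    return out

def effective(constraints, pattern, method):
    """Combine all constraints naming this exact pattern and method."""
    hits = [c for c in constraints if pattern in c["patterns"]
            and (c["methods"] is None or method in c["methods"])]
    roles = [c["roles"] for c in hits]
    if any(r is not None and not r for r in roles):
        access = "deny"            # an empty auth-constraint overrides the rest
    elif not hits or any(r is None for r in roles):
        access = "open"            # a constraint without auth-constraint wins
    else:
        access = "roles"           # otherwise the permitted roles are the union
    allowed = set().union(*roles) if access == "roles" else set()
    return {"access": access, "roles": allowed,
            "https": bool(hits) and all(c["https"] for c in hits)}  # every hit must demand it
```

For GET on /*, `effective(parse_constraints(APP), ...)` reports role `logs`, APP plus GLOBAL reports open access because the global constraint has no auth-constraint, and MERGED alone reports role `logs` with HTTPS required.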
 