basic authentication for web service not working for UserDataBaseRealm in tomcat 6

Posts: 2
I am using UserDataBaseRealm to perform basic authentication in Tomcat 6.
Basically my app is a copy of the example provided in with heading Container Authentication with JAX-WS – (Tomcat version).
However, my app fails to authenticate even when I provide the correct user name and password, as I get the authentication screen for accessing my service URL from the browser.
Strangely, however, when I use a client to call the service it does not authenticate at all: no matter what I put as user name and password in the client, it always succeeds in calling the service.

Below are my web.xml, tomcat-users.xml and sun-jaxws.xml.

Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="";

<description>Normal operator user</description>

<web-resource-name>Operator Roles Security</web-resource-name>


<realm-name>Basic Authentication</realm-name>


Here is my tomcat-users.xml

<role rolename="tomcat"/>
<role rolename="operator"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="mkyong" password="mkyong" roles="operator"/>
<user name="admin" password="admin" roles="manager-gui"/>

Here is my sun-jaxws.xml

<?xml version="1.0" encoding="UTF-8"?>

Saloon Keeper
Posts: 22249
Welcome to the JavaRanch, Anirban! Sorry about the delay.

You can make sample code and XML (pre-formatted text) easier to read if you use the "Code" button in our editor to wrap your text with code tags.

In order to use a Tomcat security Realm, you have to tell the webapp which Realm (if any) you are going to use. That has to be done either in a context XML for the webapp itself or in server.xml in cases where more than one webapp may be operating in the same Realm (such as the Tomcat Manager and Tomcat Admin webapps).

There is a sample UserDataBaseRealm definition in the server.xml that comes with Tomcat, but it is commented out, and therefore not active. You have to uncomment it to use it.
anirban ghosh
Posts: 2
OK, I found it: the problem lies with running the application from Eclipse.
With my previous configuration the authentication works when I export my app as a WAR from Eclipse and directly deploy it in the webapps folder of Tomcat,
then run Tomcat using the startup batch file.
Now there is another problem.
I am providing my service code for reference

Here is the client

The authentication works fine at WSDL access level. That is, without proper authentication the application cannot access the WSDL URL.
But the method-level authentication is not working.
Passing any user and password, I can call the service operation.

The web.xml is:

Tim Holloway
Saloon Keeper
Posts: 22249
Web Services security is a problem in its own right, and not specifically just for Tomcat.

Tomcat, like any J2EE-compliant container, provides container-based authentication and authorization based on the URL received, but using this feature with web services has problems.

For one thing, web services are not normally made interactively, so if you put a URL security pattern on the web service call and the server returns a login page, the client probably won't know what to do with it.

For another, the URL security patterns are not a very fine-grained mechanism. So while I do recommend them as a "brute force" first line of defense for most cases, there are often times when you need an additional layer that's more finely in touch with the actual functionality of the resources that the URL is addressing.

There are some books on web services security, although I'm not the person who can recommend ones that are good and up-to-date.
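
The "additional layer" described in the post above can be a per-operation check inside the endpoint, using the identity the container established for the request. This is an added example, not code from the thread: the class `AccountService` and the operation `getAccountSummary` are hypothetical, and the role name `operator` is the one from the tomcat-users.xml posted earlier.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;

// Hypothetical JAX-WS endpoint; class and operation names are illustrative only.
@WebService
public class AccountService {

    // Role name as declared in the tomcat-users.xml shown in this thread.
    private static final String REQUIRED_ROLE = "operator";

    // Injected by the JAX-WS runtime. It exposes the principal and roles that
    // the servlet container (the Tomcat Realm) attached to the current request.
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String getAccountSummary(String accountId) {
        // Authorize before doing any work for this operation.
        requireRole(REQUIRED_ROLE);
        return "summary for " + accountId;
    }

    // Fails closed: a request the container did not authenticate has no
    // principal, so it is refused even if the URL constraint missed it.
    private void requireRole(String role) {
        Principal caller = wsContext.getUserPrincipal();
        if (caller == null) {
            throw new WebServiceException("Access denied: request is not authenticated");
        }
        if (!wsContext.isUserInRole(role)) {
            throw new WebServiceException("Access denied: caller lacks the required role");
        }
    }
}
```

The thrown `WebServiceException` reaches the client as a SOAP fault, so a call made with wrong or missing credentials fails visibly instead of returning data.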
Posts: 43016
You really shouldn't use servlet security with web services; that's what WS-Security is for, which is supported by all major SOAP stacks.