10 Replies Latest reply: Aug 15, 2013 4:59 PM by EJP

security on tomcat

francy77 Newbie

Hi all,

Maybe this is not the right place for this question, but I'm in serious trouble, so I'll try anyway.

I've tried configuring Tomcat (both Apache Tomcat 7.0.27 and Apache Tomcat 7.0.34) to use the UserDatabase realm (that is, using tomcat-user.xml as a database).

I'm using NetBeans 7.3.

When I try to access the resources, even when entering the right username and password, I see the following:

HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Apache Tomcat/7.0.27

These are the steps I did:

1) Adding the following statements to the tomcat-user.xml:

<role rolename="UserRole"/>
<user username="user" password="uuu" role="UserRole"/>

2) Making sure that the following statements are present in the server.xml:

<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
    type="org.apache.catalina.UserDatabase"
    description="User database that can be updated and saved"
    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
    pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase"/>
</Realm>

3) Configuring web.xml (inside the WEB-INF directory) as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <display-name>VincoloUtente</display-name>
    <web-resource-collection>
      <web-resource-name>area protetta</web-resource-name>
      <description/>
      <url-pattern>/CartellaProtetta/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>UserRole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <!-- Users who have this role (user) can access the protected area -->
    <description>Utenti che hanno questo ruolo (user) possono accedere all'area protetta</description>
    <role-name>UserRole</role-name>
  </security-role>
</web-app>

4) Creating the files index.jsp, login.jsp and error.jsp.

5) Creating the path and file at “web pages/CartellaProtetta/fileProtetto.html”.

It seems that this kind of authentication no longer works (with Tomcat 7.xx). Could you give me some helpful indication? Or say if that is a bug inside Tomcat?

Thanks very much

Francesco

Italy

  • 1. Re: security on tomcat
    rp0428 Guru

    Maybe this is not the right place for this question, but I'm in serious trouble, so I'll try anyway.

    No it isn't - please mark the thread ANSWERED and post it in a Tomcat forum.

    This forum is for Java.

  • 2. Re: security on tomcat
    masijade Explorer

    Yes, you should go to a Tomcat forum, HOWEVER, what appears in your logs?

  • 3. Re: security on tomcat
    francy77 Newbie

    These are the logs, thanks anyway for your help (I think it is a bug in Tomcat!!!!!).

    file manager.2013-08-12.log

    12-ago-2013 13.53.20 org.apache.catalina.core.ApplicationContext log
    INFO: Manager: list: Listing contexts for virtual host 'localhost'
    12-ago-2013 13.53.20 org.apache.catalina.core.ApplicationContext log
    INFO: Manager: list: Listing contexts for virtual host 'localhost'

    file localhost_access_log.2013-08-12.txt

    127.0.0.1 - - [12/Aug/2013:13:53:19 +0200] "HEAD /netbeans-tomcat-status-test HTTP/1.1" 404 -
    127.0.0.1 - - [12/Aug/2013:13:53:19 +0200] "HEAD /netbeans-tomcat-status-test HTTP/1.1" 404 -
    127.0.0.1 - - [12/Aug/2013:13:53:20 +0200] "GET /manager/text/list HTTP/1.1" 401 2550
    127.0.0.1 - francesco [12/Aug/2013:13:53:20 +0200] "GET /manager/text/list HTTP/1.1" 200 336
    127.0.0.1 - - [12/Aug/2013:13:53:20 +0200] "GET /manager/text/list HTTP/1.1" 401 2550
    127.0.0.1 - francesco [12/Aug/2013:13:53:20 +0200] "GET /manager/text/list HTTP/1.1" 200 336
    127.0.0.1 - - [12/Aug/2013:13:53:20 +0200] "GET /WebApplicationSecurezza HTTP/1.1" 302 -
    127.0.0.1 - user [12/Aug/2013:13:53:21 +0200] "GET /WebApplicationSecurezza/ HTTP/1.1" 200 354
    127.0.0.1 - - [12/Aug/2013:13:53:37 +0200] "GET /WebApplicationSecurezza/CartellaProtetta/fileProtetto.html HTTP/1.1" 200 464
    127.0.0.1 - - [12/Aug/2013:13:53:38 +0200] "GET /favicon.ico HTTP/1.1" 200 21630
    127.0.0.1 - - [12/Aug/2013:13:53:43 +0200] "POST /WebApplicationSecurezza/CartellaProtetta/j_security_check HTTP/1.1" 302 -
    127.0.0.1 - user [12/Aug/2013:13:53:43 +0200] "GET /WebApplicationSecurezza/CartellaProtetta/fileProtetto.html HTTP/1.1" 403 1108

  • 4. Re: security on tomcat
    masijade Explorer

    What about catalina.log (and anywhere else you are also maybe logging stdout and/or stderr to, you are, hopefully, logging these somewhere)?

    The access and manager logs don't tell you anything in this regard.

  • 5. Re: security on tomcat
    francy77 Newbie

    Hi,

    catalina.log is empty; I do not know (for now) how to tell Tomcat to write there. If you could give me some advice, I will try it.

    I'm not logging stdout and/or stderr anywhere, because there is an index.jsp page which has a link to a protected area; when I click on that link it redirects me to the login.jsp page.

    So I enter user and password and the 403 message appears on the screen. Where can I find stdout and/or stderr?

    Thanks very much, any help will be very appreciated.

  • 6. Re: security on tomcat
    15338dca-4885-4389-a626-eecf309169f0 Newbie

    Now you definitely need to go to a Tomcat forum, or actually read your Tomcat documentation.  It has been years since I have worked with Tomcat so I do not remember exactly how you activate the stdout and stderr logging, the documentation will tell you though.  You CANNOT, however, even BEGIN to judge what the problem MIGHT be until you get that logging information as this 403 tells you next to nothing.  It is like that standard error description "it doesn't work", and the response to that is "it doesn't work, doesn't help".  And hopefully you are not catching and ignoring any exceptions in your code.

  • 7. Re: security on tomcat
    masijade Explorer

    15338dca-4885-4389-a626-eecf309169f0 wrote:

    Now you definitely need to go to a Tomcat forum, or actually read your Tomcat documentation.  It has been years since I have worked with Tomcat so I do not remember exactly how you activate the stdout and stderr logging, the documentation will tell you though.  You CANNOT, however, even BEGIN to judge what the problem MIGHT be until you get that logging information as this 403 tells you next to nothing.  It is like that standard error description "it doesn't work", and the response to that is "it doesn't work, doesn't help".  And hopefully you are not catching and ignoring any exceptions in your code.

    This was me.  I have no idea why it gave me that user id, but ...

  • 8. Re: security on tomcat
    francy77 Newbie

    Thanks so much; going to the Tomcat forum I found out the problem: there is just a missing "s".

    In other words, the following line:

    <user username="user" password="uuu" role="UserRole"/>

    should be written as

    <user username="user" password="uuu" roles="UserRole"/>

    with an s appended to the word role.

  • 9. Re: security on tomcat
    gimbal2 Guru

    That is just nasty. I can hardly believe that the startup logging did not at least log a warning stating that the "role" attribute is unknown.

  • 10. Re: security on tomcat
    EJP Guru

    Tomcat doesn't apply schema checking to several of its files. server.xml and config.xml are other examples. The reason is that they have to allow arbitrary bean properties as XML attributes. However that doesn't apply to the user database XML :-|
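
The failure diagnosed in this thread (a `role` attribute where `roles` was needed, accepted silently because the file is not schema-checked) can be caught before deployment. The following is an added example, not part of the original thread or of Tomcat: a Python lint for tomcat-users.xml that flags unexpected attributes and lists the web.xml roles that no user holds. The `ALLOWED` sets, the function names and the sample documents are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: attributes expected per element; extend as needed.
ALLOWED = {
    "role": {"rolename", "description"},
    "group": {"groupname", "description", "roles"},
    "user": {"username", "password", "fullName", "groups", "roles"},
}

def local(tag):
    """Drop a namespace prefix such as '{http://...}user'."""
    return tag.rsplit("}", 1)[-1]

def lint_users(users_xml):
    """Return (findings, {username: roles}) for a tomcat-users.xml string."""
    findings, granted = [], {}
    for el in ET.fromstring(users_xml).iter():
        name = local(el.tag)
        if name not in ALLOWED:
            continue
        for attr in sorted(set(el.attrib) - ALLOWED[name]):
            findings.append(f"<{name}>: unknown attribute '{attr}'")
        if name == "user":
            roles = el.get("roles", "").split(",")
            granted[el.get("username", "?")] = {r.strip() for r in roles if r.strip()}
    return findings, granted

def unsatisfiable_roles(web_xml, granted):
    """Roles required by web.xml auth-constraints that no user holds.
    The "*" wildcard and roles inherited through groups are not resolved."""
    required = {(rn.text or "").strip()
                for ac in ET.fromstring(web_xml).iter()
                if local(ac.tag) == "auth-constraint"
                for rn in ac if local(rn.tag) == "role-name"}
    return sorted(required - {"*"} - set().union(*granted.values()))

# Constructed sample input, reduced from the files posted in the thread.
BROKEN = """<tomcat-users>
  <role rolename="UserRole"/>
  <user username="user" password="uuu" role="UserRole"/>
</tomcat-users>"""
FIXED = BROKEN.replace(' role="', ' roles="')
WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <auth-constraint><role-name>UserRole</role-name></auth-constraint>
</security-constraint></web-app>"""

if __name__ == "__main__":
    findings, granted = lint_users(BROKEN)
    print(findings, unsatisfiable_roles(WEB, granted))
```

Run against the original file, it reports both the stray attribute and that `UserRole` is held by nobody, which is the condition behind an authenticated user receiving 403.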
