Reputation: 427
I have a Tomcat 7.0.52 server running. In it there is a File Browser (http://www.vonloesch.de/filebrowser.html; it's a bit old but it does what I need it to do).
However, I want to password protect the browser and not store the password as plain text so I have updated the Realm section as follows:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       digest="SHA-1" digestEncoding="UTF-8"
       resourceName="UserDatabase"/>
The File Browser was installed in ${CATALINA_HOME}/webapps/Browser/index.jsp
Then I created the file ${CATALINA_HOME}/webapps/Browser/WEB-INF/web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>Browser</display-name>
  <description>A JSP file manager for Tomcat</description>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>browser</role-name>
  </security-role>

  <!-- Define a Security Constraint on this Application -->
  <!-- NOTE: None of these roles are present in the default users file -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>browser</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
And finally, I added the following lines to the section in the ${CATALINA_HOME}/conf/tomcat-users.xml file:
<role rolename="browser"/>
<user username="fadmin" password="...pw hash removed..." roles="browser"/>
The tomcat-users.xml file also contains information for accessing the Tomcat manager page. Also, I have checked the web.xml I created against the web.xml of the Tomcat manager and the , and sections look very similar.
Now, when I access the Tomcat manager page, I get a username/password box and when I enter the correct credentials I get access to the manager page. However, when I try to access the Browser page, I don't get the username/password box but I immediately get a 403 page with the following content:
HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource has been forbidden.
What am I doing wrong?
As per request, here are the contents of the tomcat-users.xml file (I did leave out the comments though and removed the password hashes):
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="tcadmin" password="...pw hash removed..." roles="tomcat,admin-gui,manager-gui,manager-status"/>
  <role rolename="browser"/>
  <user username="fadmin" password="...pw hash removed..." roles="browser"/>
</tomcat-users>
Upvotes: 0
Views: 788
Reputation: 427
And the solution was so simple......
Restart Tomcat after changing the tomcat-users.xml.
Now it works as expected.
Upvotes: 1
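An added example, not part of the original posts: a small Python check that cross-references the roles a web.xml `auth-constraint` requires against the users in tomcat-users.xml, and flags stored passwords that are not SHA-1 hex digests when the Realm is configured with `digest="SHA-1"`. The sample files, the `legacy` user, the sample password and the function names are constructed for illustration; the digest form (unsalted hex SHA-1 of the UTF-8 password bytes) is an assumption based on the Realm attributes shown in the question.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"jee": "http://java.sun.com/xml/ns/javaee"}  # namespace of the page's web.xml

def sha1_hex(password, encoding="UTF-8"):
    """Assumed stored form for digest="SHA-1": unsalted hex SHA-1 of the password bytes."""
    return hashlib.sha1(password.encode(encoding)).hexdigest()

# Constructed sample input modelled on the question's web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Browser</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>browser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed tomcat-users.xml: "legacy" is a hypothetical user left with a plain-text password.
USERS_XML = """<tomcat-users>
  <role rolename="browser"/>
  <user username="fadmin" password="%s" roles="browser"/>
  <user username="legacy" password="changeme" roles="tomcat"/>
</tomcat-users>""" % sha1_hex("constructed-sample-password")

def audit(web_xml, users_xml):
    """Return findings as strings; an empty list means the two files agree."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    required = {r.text.strip() for r in web.findall(".//jee:auth-constraint/jee:role-name", NS)}
    findings, granted = [], set()
    for user in users.findall("user"):
        granted.update(x.strip() for x in user.get("roles", "").split(","))
        # With digest set on the Realm, a stored value that is not a digest never matches.
        if not re.fullmatch(r"[0-9a-fA-F]{40}", user.get("password", "")):
            findings.append("user %s: password is not a SHA-1 hex digest" % user.get("username"))
    for role in sorted(required - granted):
        findings.append("role %s: required by web.xml but held by no user" % role)
    return findings

if __name__ == "__main__":
    for line in audit(WEB_XML, USERS_XML) or ["no findings"]:
        print(line)
```

The check only reads the files on disk; as the answer above found, Tomcat had to be restarted before the edited tomcat-users.xml took effect, so a clean result says nothing about what a running instance has loaded.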