1
votes

I have a small application for which I need to implement Tomcat authentication. After digging around the internet, I found out that a Realm is the solution. I also worked out how to configure my tomcat-users.xml, server.xml and web.xml, but it is still not working.

I added this code in my web.xml

<security-constraint>
    <web-resource-collection>
    <web-resource-name>hp</web-resource-name>
    <url-pattern>/pages/bill.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>>
     <realm-name>default</realm-name>>
 </login-config>

At login-config, I am getting: Element 'login-config' cannot have character [children], because the type's content type is element-only. What can be the issue?

3 Answers

4
votes

Your XML is invalid - you have two ">" chars

Correct the end of the data from

<login-config>
     <auth-method>BASIC</auth-method>>
     <realm-name>default</realm-name>>
 </login-config>

to

<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>default</realm-name>
 </login-config>

I'm not sure what error tomcat will give for your invalid xml, but it certainly won't work as it is.

3
votes

This question has probably been answered somewhere else on this very website. But here is some help.

  1. Don't use BASIC (nor DIGEST) authentication, use FORM authentication. This is why: How to force Jetty to ask for credentials with BASIC authentication after invalidating the session?

  2. You probably want to start with (Form authentication &) Memory Realm first (that is, having users & roles defined in tomcat-users.xml), then maybe have a go with JDBC realm, & finally DatasourceRealm.

Read Tomcat documentation to have an idea of how this jazz works.

I wrote some notes about this subject (authentication methods & realms), have a look, should be easier than following tomcat documentation. https://sites.google.com/site/adrienitnotes/java/web-apps-login-system-in-tomcat-container

  • Warning: You will probably start with memory realm, so be careful when running Tomcat within Eclipse (issue with tomcat-users.xml config changes):

When you create a new server, a set of configuration files is imported (copied) from your Tomcat installation into a corresponding folder under the Servers project in your workspace. Sometimes this file is not updated by Eclipse, hence your changes are ignored.

Solution 1: It is recommended to run this type of application by deploying the .war file in Tomcat manually (to run Tomcat outside Eclipse).

Solution 2: modifying \Servers\Tomcat v7.0 Server at localhost-config\tomcat-users.xml with the relevant changes may fix this.

1
votes

I happened to stumble on this old question. You have probably solved the problem a long time ago, but I thought I could provide an answer anyway.

You have extra > characters after </auth-method> and </realm-name>. Removing those should solve the problem.
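
The stray `>` characters are still well-formed XML, so a plain parser accepts the file and only schema validation complains. As an added example (not part of any answer above), this Python check finds such character data sitting between child elements. It assumes that any element with child elements is element-only; the `<web-app>` wrapper and the function names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the question, wrapped in a root
# element so that it parses as a single document.
BROKEN = """<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>>
    <realm-name>default</realm-name>>
  </login-config>
</web-app>"""

# The corrected fragment from the accepted fix: no doubled '>' characters.
FIXED = BROKEN.replace(">>", ">")


def local(tag):
    """Strip an XML namespace prefix such as '{ns}login-config'."""
    return tag.rsplit("}", 1)[-1]


def stray_text(xml_source):
    """Return (parent, after_child, text) for text found beside child elements.

    Heuristic (assumption): an element that has child elements is treated as
    element-only, so non-whitespace text next to those children is reported.
    """
    findings = []
    root = ET.fromstring(xml_source)  # raises ParseError if not well-formed
    for parent in root.iter():
        children = list(parent)
        if not children:
            continue  # leaf element: its text is its value
        if parent.text and parent.text.strip():
            findings.append((local(parent.tag), None, parent.text.strip()))
        for child in children:
            # 'tail' is the text that follows a child's closing tag
            if child.tail and child.tail.strip():
                findings.append(
                    (local(parent.tag), local(child.tag), child.tail.strip()))
    return findings


if __name__ == "__main__":
    for parent, after, text in stray_text(BROKEN):
        print(f"<{parent}>: stray text {text!r} after <{after}>")
    print("fixed fragment findings:", stray_text(FIXED))
```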