Tomcat memory realm security issue?

ihateuselessitbooks
ihateuselessitbooks used Ask the Experts™
on
I've changed the server.xml for Tomcat 6, added the necessary files in web.xml for a website.  I'm getting my login page and login error page coming up, asking for user/password, but the user/password is not working.  I think possibly I'm missing some code from server.xml when Tomcat starts up...heres the line of code I added inside the <engine>...

   <Realm className="org.apache.catalina.realm.MemoryRealm"/>

The web.xml looks to be exactly what is required with roles and security constraints.

Any initial ideas?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
can u post server.xml flie
Have you added the users, roles and password to the $CATALINA_BASE/conf/tomcat-users.xml file? Since you have not specified a path, Tomcat will try to load the memory realm data from this default file.

Author

Commented:
w<?xml version='1.0' encoding='utf-8'?>
<Server port="9076" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
 
    <Connector port="9078" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="9077" protocol="AJP/1.3" redirectPort="8443" />


    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
     
      <Realm className="org.apache.catalina.realm.MemoryRealm"/>    
               

<Context path="/jazzensemble"

                docBase="/apache-tomcat-6.0.18"

                debug="1"

                reloadable="true" > 

</Context>


      </Host>

    </Engine>
  </Service>
</Server>
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

You are having issues because you are using 2 realms in the same engine causing confusion for Tomcat.

Remove the entry for "MemoryReam" from the server.xml as you already have entry for an "UserDatabaseRealm". After that add roles(corresponding to those defined in web.xml) and corresponding users to "conf/tomcat-users.xml" and you should be good to go.

Author

Commented:
interesting, I didn't realize Tomcat could not use 2 realms at a time.  I'll have to look in that.

Author

Commented:
not convinced 100% that Tomcat cannot use 2 realms, but you've peaked my curiousity...

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial