7

I am trying to get a context specific security Realm in Tomcat 6.0, but when I start Tomcat I get the following error:

09-Dec-2010 16:12:40 org.apache.catalina.startup.ContextConfig validateSecurityRoles
INFO: WARNING: Security role name myrole used in an <auth-constraint> without being defined in a <security-role>

I have created the following context.xml file:

<Context debug="0" reloadable="true">

  <Resource name="MyUserDatabase"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/my-users.xml" />

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="MyUserDatabase"/>

</Context>

I created a file, my-users.xml, which I have placed under WEB-INF/conf and which contains the following:

<tomcat-users>
  <role rolename="myrole"/>
  <user username="test" password="changeit" roles="myrole" />
</tomcat-users>

I added the following lines to my web.xml file:

<web-app ...>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection> 
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  ...
</web-app>

But I seem to get the error wherever I put conf/my-users.xml. Do I have to specify an explicit PATH in the pathname, or is it relative to somewhere? Ideally I would like to have it packaged up as part of my WAR file.

Any ideas?

Paul Samsotha
Andy Mc

2 Answers

4

I believe you need the following in your web.xml:

<security-role>
    <role-name>myrole</role-name>
</security-role>

in order to define the role. Also, I think that you will need to reference the realm in the login-config:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyUserDatabase</realm-name>
</login-config>

or similar.

stjohnroe
  • Hi stjohnroe, that's certainly helped and has cleared the startup error, however it appears that Tomcat is completely ignoring my context.xml file. If I add <role rolename="myrole"/> <user username="test" password="changeit" roles="myrole" /> to $catalina.home/conf/tomcat-users.xml then it works, but I want a custom tomcat-users file. Any ideas or is it not possible to have two realms? – Andy Mc Dec 09 '10 at 18:03
  • I would create it as a separate realm, changing the path and resourceName/name properties, this should allow you to reference it as a separate realm. – stjohnroe Dec 10 '10 at 16:33
  • I would add: don't use BASIC authentication, see http://stackoverflow.com/questions/2180206/how-to-force-jetty-to-ask-for-credentials-after-invalidating-the-session – Adriano Sep 12 '12 at 13:57
  • realm-name is not important here when using BASIC. See http://stackoverflow.com/q/10892336/539394 – Ross Nov 12 '14 at 01:46
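
A pre-deployment check for the startup warning discussed above, as an added example that is not part of the original posts or of Tomcat: it reports role names used in an <auth-constraint> with no matching <security-role>, and roles that no user in the users file holds. The function names and the sample documents (modelled on the question's files) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any XML namespace: "{ns}role-name" -> "role-name".
    return tag.rsplit("}", 1)[-1]

def _role_names(root, parent_name):
    # Collect <role-name> text found under every <parent_name> element.
    roles = set()
    for parent in root.iter():
        if _local(parent.tag) == parent_name:
            for child in parent.iter():
                if _local(child.tag) == "role-name" and child.text:
                    roles.add(child.text.strip())
    return roles

def undeclared_roles(web_xml):
    """Roles used in <auth-constraint> that no <security-role> declares."""
    root = ET.fromstring(web_xml)
    used = _role_names(root, "auth-constraint")
    used.discard("*")  # servlet-spec shorthand for all declared roles
    return sorted(used - _role_names(root, "security-role"))

def roles_without_users(web_xml, users_xml):
    """Roles required by web.xml that no <user> in the users file holds."""
    used = _role_names(ET.fromstring(web_xml), "auth-constraint")
    used.discard("*")
    granted = set()
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) == "user":
            granted.update(r.strip() for r in el.get("roles", "").split(",") if r.strip())
    return sorted(used - granted)

# Constructed samples modelled on the question's web.xml and my-users.xml.
CONSTRAINT = """<security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>myrole</role-name></auth-constraint>
</security-constraint>"""
WEB_XML_BEFORE = "<web-app>" + CONSTRAINT + "</web-app>"
WEB_XML_AFTER = ("<web-app>" + CONSTRAINT +
                 "<security-role><role-name>myrole</role-name></security-role></web-app>")
USERS_XML = """<tomcat-users>
  <role rolename="myrole"/>
  <user username="test" password="changeit" roles="myrole"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, doc in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(label, undeclared_roles(doc), roles_without_users(doc, USERS_XML))
```

Running it over the descriptor and users file before packaging the WAR surfaces the mismatch without waiting for the startup log.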
0

Have a look at the tomcat-users.xml file in your Tomcat configuration directory that defines security roles as an example of what you need.

Also, refer to the following article for guidance.

Bernard