0

I have the following in my web.xml

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>rolename</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>rolename</role-name>
</security-role>

And also have the following in my tomcat-users.xml file:

<role rolename="rolename"/>
<user username="username" password="password" roles="rolename"/>

The Authentication Required dialogue box appears when I try to navigate to my localhost site, but even though I enter the correct credentials, the dialogue box just refreshes itself and nothing happens.

Any reason why this isn't working? Doesn't seem as basic as the auth-method suggests.

kenorb
  • 155,785
  • 88
  • 678
  • 743
Kevin Orriss
  • 471
  • 1
  • 4
  • 13
  • Are you using IDE? Or are you running Tomcat directly? – Dilnei Cunha Jun 13 '17 at 14:49
  • I am using NetBeans 8.2. I have deployed the code above to my webserver and it works fine on that. So it seems like having this on a localhost dev machine needs something different. I am trying to fiddle with starting and stopping the server via command line, to rule out the IDE. – Kevin Orriss Jun 13 '17 at 15:37

2 Answers2

1

The setting looks correct, when you use Netbeans when adding the server you configure the existing user and password in the manager or manager-script role, for example if you have:

enter image description here

If you using Tomcat server that who comes embedded with Netbeans there is a cache place for Tomcat files, eg:

C:\Users\user\AppData\Roaming\NetBeans\8.2\apache-tomcat-8.0.27.0_base\conf

enter image description here

In case you using Eclipse IDE the cache files tomcat stay in folder:

C:\projects\workspace\Servers\Tomcat v8.5 Server at localhost-config

enter image description here

Dilnei Cunha
  • 159
  • 4
  • 10
  • Thanks very much for this, I am using NetBeans and yeah, it is using its own tomcat-users.xml file, which explains why it wasn't working as my user and role was not there. – Kevin Orriss Jun 14 '17 at 09:06
0

Maybe you forgot to put the security-role tag at the level of security-constraint tag.

<security-role>
        <role-name>rolename</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rolename</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

Look here for an example

http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html

edu
  • 302
  • 1
  • 6
  • I added the security-role tag outside of the security-constraint (so same level as in your example) but this still doesn't solve the problem. – Kevin Orriss Jun 13 '17 at 13:33