How to fix access to the requested resource which has been denied in Tomcat?

Question

I want to enable form based authentication by using database as realm but I'm always getting that message whenever I try to authenticate as Tomcat manager in Tomcat 6. I have already created a table user_name and user_roles and mapped the username(blue) to admin and manager as role in user_roles table in mysql, but I'm still unable to authenticate. I've already recreated realm tag in server.xml file:

 <Realm className      = "org.apache.catalina.realm.JDBCRealm"
        debug          = "99" 
        driverName     = "com.mysql.jdbc.Driver"
        connectionURL  = "jdbc:mysql://localhost:3306/mail" 
        connectionName = "root" 
        userTable      = "users"
        userNameCol    = "user_name"
        userCredCol    = "user_pass"
        userRoleTable  = "user_roles" 
        roleNameCol    = "role_name" 
 /> 

Could anyone please tell me what's wrong I'm doing, and how I enable form based authentication by using database?

1. I've declared the user "blue" as both admin and manager, and when I'm trying to login in tomcat manager page, it is giving me the message:

   HTTP Status 403 - Access to the requested resource has been denied

2. When I enter wrong username or password, tomcat again asks for username and password instead of showing that message.

Answer 1

I havent tried this myself. Can you try changing the auth-method in the TOMCAT_HOME_DIR\webapps\manager\WEB-INF\web.xml to point the auth-method set to FORM. The realm-name does not matter.

<login-config>   <auth-method>FORM</auth-method>   <realm-name>Tomcat Manager Application</realm-name> </login-config>

Also just confirm - you'll have to keep only one Realm in the server.xml, comment out the default one.

Answer 2

HTTP Status 403 (Access to the requested resource has been denied) can indicate that either you typed too many incorrect credentials or you've some problem with your configuration.

One possible issue could be that your browser could have your authentication credentials cached, because with BASIC auth, your browser will only prompt you for credentials the first time you authenticate to your site. After a successful authentication, it will not prompt you again and to force your browser to prompt you again, sometimes you need to completely close out the browser (or try with another web browser).

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation (locate tomcat-users.xml). That file must contain the credentials to let you use Tomcat webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Then you can access your webapps manager from /manager/html (e.g. reloading after config changes).

Read more: Manager App HOW-TO

If you're trying to implement your own security constraint (in web.xml), try the following example (add it before </web-app> ending):

<!-- This security constraint protects your webapp interface. -->
<login-config>
  <!-- Define the Login Configuration -->
  <auth-method>BASIC</auth-method>
  <realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <!-- Specifying a Secure Connection -->
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml --> 
<security-role>
  <role-name>*</role-name>
</security-role>

The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC. The security-constraint element contains 3 elements: web-resource-collection, auth-constraint, and user-data-constraint. The web-resource-collection specifies the parts of our application that require authentication. The /* indicates that the whole application requires authentication. The auth-constraint specifies the role that a user needs to have in order to access the protected resources. The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL or INTEGRAL. We set it to NONE, which means that redirecting to SSL is not required when you try to hit the protected resource.

Also make sure that you've line:

<Realm className="org.apache.catalina.realm.MemoryRealm" />

inside your conf/server.xml (Engine section).

If you still having the problem, try:

• check if you're editing the right XML file,
• validate your XML files, e.g. catalina.sh configtest or xmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml,
• your <url-pattern> matches in your <security-constraint> or set to /*,
• check your Tomcat logs (e.g. /var/log/tomcat7),
• increase logging level (INFO -> FINE/FINEST) in logging.properties or log4j.properties (INFO, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomat and check the logs,
• if nothing in logs, check if you're checking the right logs (sudo lsof | grep -E "java.*(out|txt|log)$", tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),
• when using log4j logging system, make sure you initialized it properly by placing libs and log4j.properties into the right folder and configuring it,

• test BASIC authentication with cURL:

  • without credentials:

    $ curl -vv http://example.com:8983/solr/
    

    Normally request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate Basic authentication is required.

  • with credentials:

    $ curl -vv -u tomcat:tomcat http://example.com:8983/solr/
    

    The request should be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated, but does not have access to view the resource you should get: HTTP/1.1 403 Forbidden.

• maybe a user lock out mechanism has been activated for too many failed authentication attempts (LockOutRealm),

• stop and run Tomcat manually (in the same way as in: ps wuax | grep ^tomcat), e.g.:

  # ps wuax | grep ^tomcat
  tomcat7    884  /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache.catalina.startup.Bootstrap start
  $ /etc/init.d/tomcat7 stop
  $ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ...  -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap start
  

  Alternatively start using catalina.sh script like:

  $ . /etc/default/tomcat7
  $ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG="-Dorg.apache.catalina.level=FINEST"
  $ /usr/share/tomcat7/bin/catalina.sh run
  

  Or in debug mode:

  $ JPDA_SUSPEND=y catalina.sh jpda start
  

  and check your catalina.out log.

• last resort is to debug process by: sudo strace -fp PID.