https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Thorsten Schöning <tschoen...@am-soft.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Thorsten Schöning <tschoen...@am-soft.de> ---
I was wrong, the setup DOES work as intended now. Looking at my configs again,
I recognized that auth-method in web.xml was still configured to DIGEST instead
of BASIC and DIGEST in combination with a digest as password in
tomcat-users.xml doesn't work. That's most likely simply the reason why login
using the DIGEST instead of the original clear-text-password worked.

Changing things back to BASIC, checking configured realms and the credential
helper again, putting the correctly digested password into tomcat-users.xml
etc. made the login work as expected. I have a secure DIGEST in
tomcat-users.xml now, but need to provide the plain-text password in the
browser.

I guess the reason for LockOutRealm warning about an explicitly configured
credential handler is that LockOutRealm itself doesn't mutate passwords on its
own for login purposes. It forwards to other realms only and those seem to take
THEIR configured credential handlers into account properly, at least in my
described setup.
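The behaviour described in this comment, as an added Python sketch that is not part of the bug report and not Tomcat's code. It assumes a salted SHA-256 credential in a `salt$iterations$digest` layout and a server that builds the RFC 2617 HA1 from whatever string is stored for the user; the user, realm, nonce, URI and password are constructed.

```python
import hashlib
import hmac

def store_credential(password: str, salt: bytes, iterations: int = 1) -> str:
    """Salted SHA-256 stored as salt$iterations$digest (assumed layout)."""
    d = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        d = hashlib.sha256(d).digest()
    return f"{salt.hex()}${iterations}${d.hex()}"

def basic_matches(presented: str, stored: str) -> bool:
    """BASIC: the server receives the clear text and re-hashes it with the stored salt."""
    salt_hex, iters, _ = stored.split("$")
    candidate = store_credential(presented, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{secret}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def digest_matches(client_response, user, realm, stored, method, uri, nonce) -> bool:
    """DIGEST: the server never sees the password, so HA1 is built from the stored string."""
    expected = digest_response(user, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)

def demo() -> dict:
    # Constructed sample values, not taken from the bug report.
    user, realm, method, uri, nonce = "alice", "Example Realm", "GET", "/app/", "n0nce"
    stored = store_credential("s3cret", bytes.fromhex("00112233445566778899aabbccddeeff"))
    from_plain = digest_response(user, realm, "s3cret", method, uri, nonce)
    from_stored = digest_response(user, realm, stored, method, uri, nonce)
    return {
        "basic_plain": basic_matches("s3cret", stored),    # clear text verifies
        "basic_stored": basic_matches(stored, stored),     # stored value is not a password
        "digest_plain": digest_matches(from_plain, user, realm, stored, method, uri, nonce),
        "digest_stored": digest_matches(from_stored, user, realm, stored, method, uri, nonce),
    }

if __name__ == "__main__":
    print(demo())
```

Under DIGEST in this model the stored string is password-equivalent, which is why BASIC (over TLS) is the pairing that keeps a hashed credential store meaningful.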
