Webapp with Form-Based Authentication shows empty page instead of login page

[alamakih]

I have a webapp with Form-Based Authentication configured in web.xml and gretty configured to use tomcat9 with a serverConfigFile where Realm is configured.

The the app works fine when run from war on normal tomcat install, but when started with gretty's tomcat, trying to load a secured page shows only a blank page (or browser's own 403 page on chrome). Non-secured pages work as intended.

Gretty version is 2.2.0

[javabrett]

Anything interesting logged?

[alamakih]

These are the only parts logged that caught my eye.

INFO: Starting Servlet Engine: Apache Tomcat/9.0.7
Oct 31, 2018 11:12:33 AM org.apache.catalina.startup.ContextConfig getDefaultWebXmlFragment
INFO: No global web.xml found

11:12:34 DEBUG START: context=/Maintenance, pipeline: StandardPipeline[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/Maintenance]] #438760853
11:12:34 DEBUG   valves:
11:12:34 DEBUG     NonLoginAuthenticator[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/Maintenance]] #1170152270
11:12:34 DEBUG     StandardContextValve[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/Maintenance]] #278898914

[javabrett]

If anyone has a minimal project to reproduce this, please share.

[arcesino]

This is also happening in Gretty v3.04. In my case, I'm using Tomcat 9 and need to set up a DataSourceRealm so that the users are read from a DB. I came up with a working configuration that runs as expected when I deploy the WAR file in an external Tomcat instance but running the app with Gretty gives me the Tomcat's 503 error page instead of the configured login page when I try to access a secured page.

I looked at the docs and found that there's a section about Tomcat security realms. Here is described how to set up a MemoryRealm, which is backed by a tomcat-users.xml file. I gave it a try so I commented out my DataSourceRealm and followed the instructions on that web page which basically consists on adding realm 'auth' to the gretty configuration in build.gradle and adding a tomcat-users.xml with a couple users in my project's root dir (since this is one of the default locations). That done, everything worked as expected. The next step was to figure out how to make it work with the DataSourceRealm.

What I did next was to uncomment my DataSourceRealm in my local context file and removed the tomcat-users.xml file since I don't need it, right? The result was: I got Tomcat's 503 error page again when trying to access a secured resource. Then, after scratching my head for a while, I put the tomcat-users.xml file back and 🎉 everything started to work. The users are read from the DataSourceRealm and not from the tomcat-users.xml though. I think this is misleading behavior (probably an issue) since, if there's a tomcat-users.xml file, the normal expectation would be, imo, that those users are the ones available.

Last thing I tried was to remove realm 'auth' from gretty config in build.gradle but keeping the tomcat-users.xml file and, to my surprise, the DataSourceRealm kept working. So, it seems that the tomcat-users.xml is being used as a decide factor for whether setting up a Realm. This seems and issue to me and also seems to me that documentation could be improved. I don't really think we should provide a tomcat-users.xml file for enabling the usage of a different Realm.

Hope this helps @alamakih @javabrett

[boris-petrov]

@arcesino - thanks for the detailed report. I see that tomcat-users.xml is mentioned a few times in ProjectUtils.groovy and especially concerning some realms. Perhaps that's why you observe this behavior?

In any case, a PR for updating the documentation and/or fixing the issue will be appreciated. :)