Bug 52846

Summary: Programmatic login using UserDatabaseRealm returns 403 error.
Product: Tomcat 7
Reporter: Keiichi Fujino <kfujino>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor    
Priority: P2    
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: patch against 7.0 trunk

Description Keiichi Fujino 2012-03-07 08:40:46 UTC
IMHO, HttpServletRequest#login does not need a <login-config> to be defined.
NonLoginAuthenticator is used when no <login-config> is specified and HttpServletRequest#login is called.

When UserDatabaseRealm is used, not a GenericPrincipal but a MemoryUser is set on the session.
In AuthenticatorBase#invoke, the principal registered in the session is set on the request.
Because a MemoryUser is set on the request as the principal, RealmBase#hasRole always returns false.
As a result, a 403 error is returned.
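The type mismatch described in the report, shown as an added, simplified model rather than Tomcat's own code: MemoryUser, GenericPrincipal, realmHasRole and the wrap() repair are stand-ins written for this illustration, and the page itself does not describe what the attached patch changes.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Simplified model of the failure in bug 52846; class shapes are assumptions, not Tomcat's API.
public class Bug52846Demo {

    // Stand-in for the MemoryUser stored on the session by UserDatabaseRealm:
    // it is a Principal and knows its roles, but it is not a GenericPrincipal.
    static final class MemoryUser implements Principal {
        private final String name;
        private final Set<String> roles;
        MemoryUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        @Override public String getName() { return name; }
        Set<String> getRoles() { return roles; }
    }

    // Stand-in for GenericPrincipal: the only principal type the realm's role check inspects.
    static final class GenericPrincipal implements Principal {
        private final String name;
        private final List<String> roles;
        private final Principal userPrincipal; // the wrapped user, kept for getUserPrincipal()
        GenericPrincipal(String name, List<String> roles, Principal userPrincipal) {
            this.name = name; this.roles = roles; this.userPrincipal = userPrincipal;
        }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Models the type gate in RealmBase#hasRole: a principal that is not a GenericPrincipal
    // is treated as having no roles at all, which is why the request ends in a 403.
    static boolean realmHasRole(Principal principal, String role) {
        if (!(principal instanceof GenericPrincipal)) return false;
        return ((GenericPrincipal) principal).hasRole(role);
    }

    // Hypothetical repair: wrap the MemoryUser in a GenericPrincipal that carries its roles,
    // so the object placed on the session passes the realm's type gate.
    static GenericPrincipal wrap(MemoryUser user) {
        return new GenericPrincipal(user.getName(), new ArrayList<>(user.getRoles()), user);
    }

    public static void main(String[] args) {
        MemoryUser user = new MemoryUser("tomcat", Set.of("manager-gui")); // constructed sample user
        System.out.println("MemoryUser on session   -> " + realmHasRole(user, "manager-gui"));
        System.out.println("Wrapped GenericPrincipal -> " + realmHasRole(wrap(user), "manager-gui"));
    }
}
```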
Comment 1 Keiichi Fujino 2012-03-07 08:46:26 UTC
Created attachment 28427
patch against 7.0 trunk
Comment 2 Keiichi Fujino 2012-03-07 09:25:24 UTC
Fixed in 7.0.x and will be in 7.0.27 onwards.