Bug 62104 - Unable to login with HttpServletRequest.login(String, String) due to missing Authenticator (Tomcat 8.5.28)
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.28
Hardware: PC All
Importance: P2 critical
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Duplicates: 62142
Depends on:
Reported: 2018-02-15 13:08 UTC by Karl Dahlgren
Modified: 2018-02-27 21:47 UTC
Description Karl Dahlgren 2018-02-15 13:08:32 UTC
Unable to login towards a Tomcat UserDatabase Realm when using the HttpServletRequest.login(String, String) method. This feature has worked up until Tomcat 8.5.28 (worked with Tomcat 8.5.27). The problem occurs when trying to retrieve the Authenticator from the StandardContext.

* New installation of Tomcat 8.5.28
* Use the default Tomcat Realm configuration (UserDatabase)
* Add new user to the tomcat-users.xml

Steps to reproduce:
* Try to authenticate by using the method HttpServletRequest.login(String, String)

Expected result: 
* Login successful

Actual result: 
* Unable to retrieve the NonLoginAuthenticator from StandardContext.getAuthenticator(). The valve(s) in the pipeline are not an instance of Authenticator (NonLoginAuthenticator). The method will return null, which will cause the Request.login method to throw a new ServletException with the error message "no authenticator".

Tomcat version:
Tomcat 8.5.28

Additional Information:
Might be related to issue 62036 which was part of the Tomcat 8.5.28 release.
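A servlet that exercises the reproduction steps above, added here as an illustration and not part of the reporter's attachment or of Tomcat itself. It assumes the Servlet 3.x javax.servlet API used by Tomcat 8.5 and a hypothetical POST form with "username" and "password" fields; it separates the "no authenticator" deployment failure described in this bug from an ordinary bad-credential failure, both of which Tomcat surfaces as ServletException.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: POST /login with form fields "username" and "password".
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Authenticates against the Realm configured for the Context
            // (by default the UserDatabaseRealm backed by tomcat-users.xml).
            req.login(username, password);
        } catch (ServletException e) {
            // Tomcat reports both a missing Authenticator valve and a failed
            // credential check as ServletException, so inspect the message.
            String msg = String.valueOf(e.getMessage());
            if (msg.toLowerCase().contains("no authenticator")) {
                // Deployment problem, not a user error: the Context has no
                // Authenticator valve (the symptom described in this bug).
                log("request.login() unavailable: " + msg, e);
                resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            } else {
                // Bad credentials: do not reveal which part was wrong.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }
        // Success: the request now carries an authenticated Principal.
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + req.getUserPrincipal().getName());
    }
}
```

On 8.5.28 with a default (no login-config) webapp this servlet answers 503 for every request, which is a quick way to tell the configuration failure apart from a wrong password.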
Comment 1 Remy Maucherat 2018-02-15 15:24:55 UTC
I don't get it at this point. The fix for 62036 cannot break this. NonLoginAuthenticator still extends AuthenticatorBase which implements Authenticator.
Comment 2 Remy Maucherat 2018-02-15 15:52:00 UTC
The problem is that ContextConfig.authenticatorConfig is not appropriate with the login API (which was introduced later). Assuming the webapp has no security constraints, before r1823310 there would be a problem if metadata-complete was true (not very common), but now it's always. Oops.

This fix is rather obvious (always set the NLA if there is no login config). The side effect is that a realm is now mandatory (Tomcat has no way to know if an app will call login).
Comment 3 Mark Thomas 2018-02-15 20:23:59 UTC
There is an equivalent NullRealm that is used if no Realm is configured.

I've back-ported remm's fix for 9.0.x.

Fixed in:
- trunk for 9.0.6 onwards
- 8.5.x for 8.5.29 onwards
- 8.0.x for 8.0.51 onwards
- 7.0.x for 7.0.86 onwards
Comment 4 Remy Maucherat 2018-02-15 20:35:09 UTC
Thanks, I was waiting for a bit of testing before backporting.
Comment 5 Mark Thomas 2018-02-15 20:39:32 UTC
Sorry, didn't mean to step on your toes. I know that code fairly well so I was confident your patch was correct.
Comment 6 Mark Thomas 2018-02-27 21:47:18 UTC
*** Bug 62142 has been marked as a duplicate of this bug. ***