JSP Tomcat security-constraint always fails

Question

I have the following in my web.xml

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>rolename</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>rolename</role-name>
</security-role>

And also have the following in my tomcat-users.xml file:

<role rolename="rolename"/>
<user username="username" password="password" roles="rolename"/>

The Authentication Required dialogue box appears when I try to navigate to my localhost site, but even though I enter the correct credentials, the dialogue box just refreshes itself and nothing happens.

Any reason why this isn't working? Doesn't seem as basic as the auth-method suggests.

Answer 1

The setting looks correct, when you use Netbeans when adding the server you configure the existing user and password in the manager or manager-script role, for example if you have:

If you using Tomcat server that who comes embedded with Netbeans there is a cache place for Tomcat files, eg:

C:\Users\user\AppData\Roaming\NetBeans\8.2\apache-tomcat-8.0.27.0_base\conf

In case you using Eclipse IDE the cache files tomcat stay in folder:

C:\projects\workspace\Servers\Tomcat v8.5 Server at localhost-config

Answer 2

Maybe you forgot to put the security-role tag at the level of security-constraint tag.

<security-role>
        <role-name>rolename</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rolename</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

Look here for an example

http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html