Please see my replies after the >> sign:
Note: I've re-formatted this to make it more readable - Tim
Tim Holloway wrote:
There are two things I note.
First, the manager /META-INF/context.xml resource gets overridden by the catalina/localhost/manager.xml. And I'm pretty sure it's an all-or-nothing override, so you'd lose any options not repeated in manager.xml.
>> \Catalina\localhost\manager.xml file is as below in both Production (where I face 401) and in Lab (OK):
>> manager /META-INF/context.xml (I put back the original, no localhost restriction)
>> Note: The production setup is used in a Domain Group policy, while the Lab setup is in a WORKGROUP.
Tim Holloway wrote:
Secondly, for container-based login to work, you have to specify a Realm. In Tomcat, a Realm can be defined in the Context or in server.xml. Unless you're setting the same Realm for all webapps, usually you'd do it in the Context, and you haven't.
>> tomcat\conf\context.xml are left by default in both Production and Lab
>> Every option inside is left commented.
You still haven't defined a security Realm. Actually, what you have defined is mostly just weird. Your context.xml file provides a Manager definition that is overly-picky and would be something that you should only be using in a very unique clustered environment.
I've never had the need to explicitly provide a Manager element at all - the default one works most of the time. Likewise, the Valve in your hostmanager.xml file is something that I have never had need to use.
What I do use, however, is a Realm definition. Like this one:
Here I'm actually using the same database for both the application data and the Realm authentication credential data. Not required, but sometimes convenient. A more paranoid system would use 2 different databases.
>> Question: is there a way to track/debug step by step the Authentication handshake failure? Logs do not say enough details about the reason!
You can't track authentication if you don't have a Realm to Authenticate to. That's the primary reason why the logs don't help.
Actually, if you need to track authentication for a Realm, each Realm has its own logging channel, so you'd have to check the Realm's source code to see what the channel name and options were. But in general, they Just Work, so about the only time I've ever had to log a Realm is when it was a custom Realm I'd coded myself.
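A Context-scoped Realm of the kind Tim describes, written here as an added example (not the poster's file and not Tim's own snippet); it assumes Tomcat 8 or later, a JNDI DataSource named jdbc/AuthDB declared in the same Context, and the table and column names shown, all of which are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical META-INF/context.xml for the manager webapp (added example,
     not the poster's or Tim's file). The DataSource, table and column names
     are placeholders; the Realm and Valve class names are standard Tomcat. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Connection pool shared by the application and the Realm, as Tim does;
       host, database and credentials below are placeholders. -->
  <Resource name="jdbc/AuthDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/appdb"
            username="tomcat_auth" password="CHANGE_ME" />

  <!-- LockOutRealm wraps the real Realm so repeated failed logins are throttled:
       five failures lock the account name for 300 seconds. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <!-- DataSourceRealm defined in the Context, so this webapp authenticates
         here instead of against whatever Realm server.xml declares. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           localDataSource="true"
           dataSourceName="jdbc/AuthDB"
           userTable="app_users" userNameCol="user_name" userCredCol="password_hash"
           userRoleTable="app_user_roles" roleNameCol="role_name">
      <!-- Stored credentials are salted, iterated SHA-256 digests, never plaintext. -->
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="SHA-256" iterations="100000" saltLength="16" />
    </Realm>
  </Realm>

  <!-- Same intent as the stock manager context.xml: only loopback clients
       may reach the manager application. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

For the per-Realm logging Tim mentions, Tomcat's JULI logger names follow the class names, so raising `org.apache.catalina.realm.level` (or the specific Realm class) to `FINE` in `conf/logging.properties` is where to look before reading the Realm's source.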