Posted to users@tomcat.apache.org by Robert Jacobson <vv...@snkmail.com> on 2010/03/08 19:31:46 UTC

Adding security constraint breaks sql functionality

Hi,

I'm running Tomcat 6.0.20 on Windows 2003 Server, with JRE 1.6.0_14.

I have a working Tomcat configuration using MySQL authentication for access to the ROOT webapp.  I'm using DataSourceRealm just like the one in the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm).

What I previously didn't have was a method for users to change their passwords through the web interface.  I managed to figure out a way to do it using a jdbc resource and sql:query and sql:update tags in a couple of JSP files.  I basically started out with example code from the tomcat wiki for DataSource (datasourcedemo.war).  I deployed my modified code on the server as a separate application (i.e. not in the ROOT app) under "/changepass".

Well, the code works wonderfully when I don't have any security constraints on the application.  However, when I try adding security constraints (using the same security constraints as the ROOT app), it stops working!  To be more specific, Tomcat requires me to login to access the app, but the sql stuff no longer works.  I reduced the problem code down to a simple SQL query which works w/o security constraints, but fails when I implement constraints.

The code below (dbtest.jsp) just prints the contents of the authority table.  At least, it does when I don't have security constraints.  However, when I add security constraints, it instead prints only (literally):

${row.user_name} ${row.user_pass}
And that's it!

I imagine I'm doing something wrong (well, I'm sure there are multiple things...) -- can someone please clue me in?  I obviously do not want people accessing the /changepass application w/o logging in first.  (BTW, I can post the changepass code if someone cares, but it doesn't seem relevant here...)

I'm not sure if it's relevant, but I'm using a different JDBC Resource for server authentication and for changepass.  Obviously they are both accessing the same database, but I wanted to make sure that the login process used a read-only account, and that /changepass uses a different account with UPDATE privs.  The authentication resource is in the GlobalNamingResources, while the /changepass resource is defined in the webapp's context.xml.


---- BEGIN dbtest.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"%>

<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Assignment List</title>
</head>
<body>

<sql:setDataSource dataSource="jdbc/chngpass"   />

<table>
        <sql:query var="qryAsmts" >
                SELECT * FROM users
        </sql:query>
	
        <c:forEach var="row" items="${qryAsmts.rows}">
                <tr>
                <td>${row.user_name}</td>
                <td>${row.user_pass}</td>
                </tr>
        </c:forEach>
</table>
</body>
</html>
---- END JSP

--- BEGIN web.xml for /changepass

<web-app>
  <!-- Security constraint for the webapp -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>changepass Web</web-resource-name>
      <url-pattern>/changepass/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>appuser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>

  </login-config>

  <security-role>
    <description>
      The role that is required to log in to APP
    </description>
    <role-name>appuser</role-name>
  </security-role>

</web-app>

--- END web.xml

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Adding security constraint breaks sql functionality

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Robert Jacobson [mailto:vvnxbdd8zq@snkmail.com]
> Subject: Adding security constraint breaks sql functionality
> 
> --- BEGIN web.xml for /changepass
> <web-app>
>   <!-- Security constraint for the webapp -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>changepass Web</web-resource-name>
>       <url-pattern>/changepass/*</url-pattern>

Not sure what else is going on, but the above is incorrect for your webapp - the context name is *not* part of the <url-pattern>.  What you're protecting with the above is requests to:

http://host/changepass/changepass/[whatever]

>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>

Is that the proper Realm reference?  Might want to post an expurgated copy of your <Realm> declaration.

 - Chuck



Re: Adding security constraint breaks sql functionality

Posted by Robert Jacobson <vv...@snkmail.com>.
Chuck wrote:
> Not sure what else is going on, but the above is incorrect for your webapp - the context name is *not* part of the <url-pattern>.

Oops!  You're right of course.  Thank you!  I'm a little confused as to why having an incorrect url-pattern would cause the SQL to fail.

About the realm-name -- I guess I don't understand what that should be.  I mean, the authentication still works even though it's set to "Tomcat Manager Application".

Below is the working web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
  http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>change pass demo</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>changepass Web</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
  <security-role>
    <description>
      The role that is required to log in to app
    </description>
    <role-name>app</role-name>
  </security-role>
</web-app>

--
Rob


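
As an added example, not from the thread, a small Python audit of the two web.xml shapes posted above: it shows Chuck's point that a url-pattern is matched against the path inside the context (so /changepass/* in the /changepass webapp covers only /changepass/changepass/...), and the most likely reason for the literal ${row.user_name} output, namely that a <web-app> with no version attribute is a Servlet 2.3 descriptor, in which JSP 2.0 ignores EL by default, while the working file declares version 2.4. Reading a missing version attribute as 2.3 is how Tomcat 6's JSP compiler behaves and is this example's assumption; the two web.xml fragments are constructed, trimmed copies of what was posted.

```python
import xml.etree.ElementTree as ET

# Constructed fragments (not the poster's files): the bare <web-app> plus context-prefixed
# pattern as first posted, versus the version="2.4" plus "/*" shape of the working file.
BROKEN_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/changepass/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appuser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>app</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix ElementTree adds

def constrained_patterns(web_xml):
    """Every <url-pattern> that sits inside a <security-constraint>."""
    root = ET.fromstring(web_xml)
    return [el.text.strip() for sc in root.iter() if _local(sc.tag) == "security-constraint"
            for el in sc.iter() if _local(el.tag) == "url-pattern"]

def el_ignored_by_default(web_xml):
    """JSP 2.0 ignores ${...} in a Servlet 2.3-or-older webapp, which is what printing the
    literal ${row.user_name} looks like; a missing version is read as 2.3 (Tomcat 6, assumed)."""
    return float(ET.fromstring(web_xml).get("version", "2.3")) < 2.4

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching; `path` is relative to the context root."""
    if pattern.endswith("/*"):  # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):  # extension pattern
        return path.endswith(pattern[1:])
    return pattern == path  # exact match

def is_protected(web_xml, context_path, request_uri):
    """Does any constraint in web_xml cover this request to the webapp at context_path?"""
    if not request_uri.startswith(context_path + "/"):
        raise ValueError("request is outside context " + context_path)
    path = request_uri[len(context_path):]  # the context name is never part of a pattern
    return any(pattern_matches(p, path) for p in constrained_patterns(web_xml))
```

Run against the broken fragment, dbtest.jsp at /changepass/dbtest.jsp is reported unprotected and EL ignored; against the fixed one, both checks pass.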


Re: Adding security constraint breaks sql functionality

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Robert,

On 3/8/2010 1:31 PM, Robert Jacobson wrote:
> I managed to figure out a way to do it using a jdbc resource and
> sql:query and sql:update tags in a couple JSP files.

Yuck :(

> Well, the code works wonderfully when I don't have any security
> constraints on the application. However, when I try adding security
> constraints (using the same security constraints as the ROOT app), it
> stops working! To be more specific, Tomcat requires me to login to
> access the app, but the sql stuff no longer works. I reduced the problem
> code down to a simple SQL query which works w/o security constraints,
> but fails when I implement constraints.

[snip]

> However, when I add security constraints, it instead prints only (literally):
> 
> ${row.user_name} ${row.user_pass}
> And that's it!	
> 
> I imagine I'm doing something wrong (well, I'm sure there's multiple
> things...) -- can someone please clue me in? I obviously do not want
> people accessing the /changepass application w/o logging in first. (BTW,
> I can post the changepass code if someone cares, but it doesn't seem
> relevant here...)
> 
> I'm not sure if it's relevant, but I'm using a different JDBC 
> Resource for server authentication and for changepass. Obviously they
> are both accessing the same database, but I wanted to make sure that
> the login process used a read-only account, and /changepass using a
> different account with UPDATE privs. The authentication resource is
> in the GlobalNamingResources, while the /changepass resource is
> defined in the webapp's context.xml.

Did you mean "jdbc/changepass"?

> <sql:setDataSource dataSource="jdbc/chngpass"   />

Typo ("jdbc/chngpass")?

Does the DataSource get set correctly? Any way to check that?

>         <sql:query var="qryAsmts" >
>                 SELECT * FROM users
>         </sql:query>
> 	
>         <c:forEach var="row" items="${qryAsmts.rows}">
>                 <tr>
>                 <td>${row.user_name}</td>
>                 <td>${row.user_pass}</td>
>                 </tr>
>         </c:forEach>

That all looks good to me. Check the documentation for <sql:query>: what
does it say if no results are returned and you call qryAsmts.getRows()?

- -chris
