You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Alexander Wallace <to...@rwsoft-online.com> on 2002/08/27 13:11:36 UTC

Re: JDBCRealm + Form Based Auth. How do I tell it were to go if login is ok?

Cool! I get it, thank you very much.

Now I have another problem. Wheny my app redirects to the login page, no
matter what I enter, (an existing or inexisting user in the database), I
am taken to the login error page. The user is null. How can I make sure
the users are being pulled from the db? Thank you in advance. Following
are my realm def in my context and then web.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
	driverName="org.postgresql.Driver"
	connectionURL="jdbc:postgresql://10.100.101.1/awallace?user=awallace;password=pass"
	userTable="tbl_users" userNameCol="user_name" 	userCredCol="password"
	userRoleTable="user_roles" roleNameCol="role_name"
digest="MD5"/>

And my web.xml goes:

<web-app>

<!-- PostgreSQL resource for Connection Pooling -->
    <resource-ref>
        <description>postgreSQL Datasource</description>
        <res-ref-name>jdbc/postgres</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>

<!-- For the login        -->
    <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>com.lto.servlets.Login</servlet-class>
    </servlet>


    <servlet-mapping>
        <servlet-name>
            Login
        </servlet-name>
        <url-pattern>
            /login
        </url-pattern>
    </servlet-mapping>
    

<!-- Security Realm -->
        
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Java Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>   

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Java Application</realm-name>
      <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>    

     <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>Admin</role-name>
    </security-role>
    <security-role>
      <role-name>GM</role-name>
    </security-role>
    <security-role>
      <role-name>Sales</role-name>
    </security-role>

    <welcome-file-list>
        <welcome-file>/servlet/TestPGPool</welcome-file>
    </welcome-file-list>
    
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

</web-app>

Thanks again!

On Tue, 2002-08-27 at 16:59, Craig R. McClanahan wrote:
> 
> 
> On 27 Aug 2002, Alexander Wallace wrote:
> 
> > Date: 27 Aug 2002 09:17:58 +0100
> > From: Alexander Wallace <to...@rwsoft-online.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: Tomcat Users List <to...@jakarta.apache.org>
> > Subject: JDBCRealm + Form Based Auth. How do I tell it were to go if
> >     login is ok?
> >
> > Hello there. Very new to realms and java, so sorry if this is too
> > stupid.
> >
> > I have set up a JDBCRealm using PostgreSQL and it all seems to work, It
> > does connect and load the roles, and when I try to access protected
> > resources, it does go to the Form based login I specigy in web.xml and
> > the error page for that works too.
> >
> > My question is, since the form action in the login page points to <%=
> > response.encodeURL("j_security_check") %>, how, or where do I specify
> > where my app goes after a succesful login?
> >
> 
> Short answer - your application should *never* reference the URL of the
> login page, or the "j_security_check" page directly.
> 
> Longer answer - the basic philosohpy of form-based login is to mimic BASIC
> login.  The formal definition of the algorithm is in the servlet spec:
> 
>   http://java.sun.com/products/servlet/download.html
> 
> in Chapter 12.  Essentially, it goes like this on each request:
> 
> * Client submits a request for a particular URI
> 
> * Server determines of there is a security constraint
>   covering that URI
>   --> If none, allow the request to proceed
> 
> * Server determins if the user is already logged on
>   --> If so, check roles and allow or disallow access
> 
> * Server SAVES the original request and sends back
>   the form login page
> 
> * User submits the login credentials
> 
> * Server checks the credentials
>   --> If incorrect, send back the form error page
>   --> If correct, RESTORES the original request and proceeds
> 
> So, the answer to the question "where do I go after logging in" is "the
> page you originally asked for that triggered the authentication dialog."
> 
> If the flow is still confusing, temporarily switch your application to use
> BASIC authentication instead (where the browser pops up a
> username/password dialog box).  There is no way to address that dialog
> box, right?  Or to say where it should go afterwards?  That's because the
> browser (in the case of BASIC) is doing the same thing -- it will resubmit
> your original request for you along with the username/password.
> 
> 
> > Thanks in advance!
> >
> 
> Craig
> 
> 
> --
> To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
> 



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>