Posted to users@tomcat.apache.org by Alexander Wallace <to...@rwsoft-online.com> on 2002/08/27 13:11:36 UTC
Re: JDBCRealm + Form Based Auth. How do I tell it where to go if login is ok?
Cool! I get it, thank you very much.
Now I have another problem. When my app redirects to the login page, no
matter what I enter (an existing or nonexistent user in the database), I
am taken to the login error page. The user is null. How can I make sure
the users are being pulled from the db? Thank you in advance. Following
are my realm def in my context and then web.xml:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://10.100.101.1/awallace?user=awallace;password=pass"
       userTable="tbl_users" userNameCol="user_name" userCredCol="password"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="MD5"/>
And my web.xml goes:
<web-app>
  <!-- PostgreSQL resource for Connection Pooling -->
  <resource-ref>
    <description>postgreSQL Datasource</description>
    <res-ref-name>jdbc/postgres</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <!-- For the login -->
  <servlet>
    <servlet-name>Login</servlet-name>
    <servlet-class>com.lto.servlets.Login</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>
      Login
    </servlet-name>
    <url-pattern>
      /login
    </url-pattern>
  </servlet-mapping>
  <!-- Security Realm -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Java Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Java Application</realm-name>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
  <security-role>
    <role-name>GM</role-name>
  </security-role>
  <security-role>
    <role-name>Sales</role-name>
  </security-role>
  <welcome-file-list>
    <welcome-file>/servlet/TestPGPool</welcome-file>
  </welcome-file-list>
  <session-config>
    <session-timeout>
      30
    </session-timeout>
  </session-config>
</web-app>
Thanks again!
On Tue, 2002-08-27 at 16:59, Craig R. McClanahan wrote:
>
>
> On 27 Aug 2002, Alexander Wallace wrote:
>
> > Date: 27 Aug 2002 09:17:58 +0100
> > From: Alexander Wallace <to...@rwsoft-online.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: Tomcat Users List <to...@jakarta.apache.org>
> > Subject: JDBCRealm + Form Based Auth. How do I tell it where to go if
> > login is ok?
> >
> > Hello there. Very new to realms and java, so sorry if this is too
> > stupid.
> >
> > I have set up a JDBCRealm using PostgreSQL and it all seems to work. It
> > does connect and load the roles, and when I try to access protected
> > resources, it does go to the Form based login I specify in web.xml and
> > the error page for that works too.
> >
> > My question is, since the form action in the login page points to <%=
> > response.encodeURL("j_security_check") %>, how, or where do I specify
> > where my app goes after a successful login?
> >
>
> Short answer - your application should *never* reference the URL of the
> login page, or the "j_security_check" page directly.
>
> Longer answer - the basic philosophy of form-based login is to mimic BASIC
> login. The formal definition of the algorithm is in the servlet spec:
>
> http://java.sun.com/products/servlet/download.html
>
> in Chapter 12. Essentially, it goes like this on each request:
>
> * Client submits a request for a particular URI
>
> * Server determines if there is a security constraint
>   covering that URI
>   --> If none, allow the request to proceed
>
> * Server determines if the user is already logged on
>   --> If so, check roles and allow or disallow access
>
> * Server SAVES the original request and sends back
>   the form login page
>
> * User submits the login credentials
>
> * Server checks the credentials
>   --> If incorrect, send back the form error page
>   --> If correct, RESTORES the original request and proceeds
>
> So, the answer to the question "where do I go after logging in" is "the
> page you originally asked for that triggered the authentication dialog."
>
> If the flow is still confusing, temporarily switch your application to use
> BASIC authentication instead (where the browser pops up a
> username/password dialog box). There is no way to address that dialog
> box, right? Or to say where it should go afterwards? That's because the
> browser (in the case of BASIC) is doing the same thing -- it will resubmit
> your original request for you along with the username/password.
>
>
> > Thanks in advance!
> >
>
> Craig
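
The request flow listed in the quoted reply, as an added example that is not part of the original thread and is not Tomcat code: a toy model of the container side, using the `/*` constraint, `Admin` role, `/login` and `/loginError.jsp` values from the web.xml above. The class name `FormLoginFlow`, the users `alice` and `bob`, their password, and the labels `FORBIDDEN` and `NO_SAVED_REQUEST` are constructed for illustration; the model assumes that with `digest="MD5"` the credential column holds the hex MD5 digest of the password.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: a toy model of the container's FORM login flow, not Tomcat code.
public class FormLoginFlow {
    // Constructed rows standing in for tbl_users (user_name -> password) and user_roles.
    static final Map<String, String> USERS = new HashMap<>();
    static final Map<String, Set<String>> ROLES = new HashMap<>();

    private String savedUri; // original request, held by the container
    private String user;     // null until a login succeeds

    // Assumption: with digest="MD5" the password column holds the hex MD5 of the password.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    // Any URI: the /* constraint covers everything and requires role Admin.
    String request(String uri) {
        if (user == null) {
            savedUri = uri;   // SAVE the original request
            return "/login";  // send back the form login page
        }
        return ROLES.getOrDefault(user, Set.of()).contains("Admin") ? uri : "FORBIDDEN";
    }

    // The form's POST to j_security_check, handled by the container, never by the app.
    String securityCheck(String jUsername, String jPassword) throws Exception {
        if (savedUri == null) return "NO_SAVED_REQUEST"; // login was addressed directly
        String stored = USERS.get(jUsername);
        if (stored == null || !stored.equalsIgnoreCase(md5Hex(jPassword))) return "/loginError.jsp";
        user = jUsername;
        String target = savedUri;
        savedUri = null;
        return request(target); // RESTORE the original request and re-check roles
    }

    public static void main(String[] args) throws Exception {
        USERS.put("alice", md5Hex("s3cret")); ROLES.put("alice", Set.of("Admin"));
        USERS.put("bob", "s3cret");           ROLES.put("bob", Set.of("Admin")); // cleartext row
        FormLoginFlow s = new FormLoginFlow();
        System.out.println(s.securityCheck("alice", "s3cret")); // direct POST, nothing saved
        System.out.println(s.request("/servlet/TestPGPool"));   // unauthenticated request
        System.out.println(s.securityCheck("bob", "s3cret"));   // cleartext row vs. digest compare
        System.out.println(s.securityCheck("alice", "s3cret")); // restored to the saved URI
    }
}
```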