Posted to users@tomcat.apache.org by Rob Abernethy IV <ab...@dynedge.com> on 2003/01/02 06:12:38 UTC

JDBCRealm

I'm trying to set up a JDBCRealm for use with the admin and manager webapps. 
The problem is that I am unable to authenticate any users.

- Tomcat 4.1.18
- Postgresql 7.3.1
- JDBC driver is in $CATALINA_HOME/common/lib
- Tomcat starts up fine, I just can't authenticate
- I can directly connect to my database with the username and password
- I have created the 'admin' and 'manager' groups in the database
- I have added the users to both groups

Realm:
<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.postgresql.Driver"
    connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
   connectionName="tomcat" connectionPassword="tomcat"
        userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
    userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

Log:
2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
authenticated

Any ideas?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
The connectionName and connectionPassword should be "tomcat" and "tomcat." 
The other name/password is left over from my clear-text attempts.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460


> OK. I was able to get clear-text passwords to work, but I still 
> can't get encrypted passwords to work.  Using MD5 encryption, Tomcat 
> is able to successfully open a connection to the database using the 
> JDBCRealm set up in the server.xml, but it is unable to authenticate 
> users for the admin web app. I am using the same username and 
> password (username = "tomcat", password = "tomcat") for both the 
> JDBCRealm and the admin web app.
> 
> JDBCRealm:
> <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        driverName="org.postgresql.Driver"
>     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
>    connectionName="abernethy" connectionPassword="gceIlu4DaR"
>         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
>     userRoleTable="pg_groupview" roleNameCol="groname"
>            digest="MD5" />
> 
> pg_shadow:
> usename  | passwd
> -------------------------
> tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> 
> pg_groupview:
>  grosysid | groname | usesysid |  usename
> ----------+---------+----------+-----------
>       101 | admin   |      102 | tomcat
>       100 | manager |      102 | tomcat
> 
> postgresql log (for Tomcat start up):
> Jan  7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
> Jan  7 16:41:25 bilbo postgres[4329]: [1] LOG:  connection received:
> host=24.208.224.236 port=33234
> 
> Jan  7 16:41:25 bilbo postgres[4329]: [2] LOG:  connection 
> authorized: user=tomcat database=template1
> Jan  7 16:41:25 bilbo postgres[4329]: [3-1] LOG:  query: set 
> datestyle to 'ISO'; select version(), case when 
> pg_encoding_to_char(1) = 'SQL_ASCII' then 'UNKNOWN' else
> Jan  7 16:41:25 bilbo postgres[4329]: [3-2]  getdatabaseencoding() end;
> 
> Jan  7 16:41:25 bilbo postgres[4329]: [4] LOG:  duration: 0.028513 sec
> Jan  7 16:41:25 bilbo postgres[4329]: [5] LOG:  query: set 
> client_encoding = 'UNICODE'; show autocommit
> Jan  7 16:41:25 bilbo postgres[4329]: [6] LOG:  duration: 0.000260 sec
> Jan  7 16:41:25 bilbo postgres[4329]: [7] LOG:  query: set 
> autocommit = off;
> Jan  7 16:41:25 bilbo postgres[4329]: [8] LOG:  duration: 0.000198 sec
> 
> postgresql log (for admin web app authentication):
> 
> Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd 
> FROM pg_shadow WHERE usename = 'tomcat'
> Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> 
> catalina_log.2003-01-07.txt:
> 
> 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> authenticated
> 
> Any more ideas?
> 
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
> 
> > Hi Rob,
> >
> > You have two separate sets of usernames and passwords here.  One
> > that the JDBC driver uses to open the database connection, and
> > another set that Tomcat reads from a database table and compares to
> > what you type in when prompted
> >
> > The realm stuff sets up when Tomcat starts, but it just sits there
> > until you try to get a JSP page that a webapp has designated in its
> > web.xml to be restricted.
> >
> > When that happens, Tomcat will get your browser to generate a login dialog
> > box, or will run your login page if you use form based authentication.
> >
> > Tomcat will then take the username and password that it gets from
> > that and generate an SQL statement to select the password column of
> > the userTable
> > ("pg_shadow" in your case) in the row where the username is equal to
> > whatever you typed into the login box.
> >
> > It uses the connection opened to your user/password table when Tomcat
> > started and set up the realm using the driver, database name,
> >  usernames and passwords that you supplied in the server.xml realm entry.
> >
> > Tomcat then takes the password string that is returned and compares
> > it to what you typed in as a password.
> >
> > If you have MD5 enabled it converts the password string you typed in
> > to its MD5 form before comparing it to what it pulls from the
> > database.  In this case you have to convert the password string to
> > its MD5 format before you store it in the Postgres database.
> >
> > It looks like you have stuff set up properly, it also looks like the
> > username "tomcat" and password "tomcat" are getting you into the database
> > OK.
> >
> > Since you are not able to log in to webapps that require no role, it
> > looks like the username or password that you are typing in when you
> > try to log in is not matching what Tomcat is getting from Postgres
> > from the table "pg_shadow" in the "usename" and "passwd" fields, respectively.
> >
> > If there were some kind of error, with debug=99 your logs would have
> > a lot of error info, particularly if there were some SQL error.
> >
> > I don't know what kind of logging Postgres has but you should see a
> > successful SQL statement handled by Postgres in the log at the time
> > you try to authenticate, even if authentication fails.
> >
> > If so, what you are typing in for username/password just isn't matching
> > what's in the database, or more precisely what the JDBC driver is returning
> > from the database.
> >
> > This could be a character set or case sensitivity issue with the
> > JDBC driver you are using.
> >
> > This does work, believe it or not.  I've been using it for months
> > with the Firebird open source SQL database and various versions of
> > Tomcat 4.1.X.
> >
> > Rick
> >
> > ----- Original Message -----
> >
> > > Does Tomcat process the JDBC Realm on start up, or only when a web app
> > > asks for authentication?  I seem to recall that I was unable to start
> > > Tomcat if the realm was not configured correctly.  Also, I see a postgres
> > > process (see below) which indicates a connection to the database.  The
> > > process shows 'tomcat' because that is the *user name* I am using in the
> > > realm configuration.
> > >
> > > The column names are correct (postgres uses 'usename' not 'username').
> > >
> > > The "tomcat" user has the correct privileges on the necessary tables.
> > >
> > > I have written a simple Java program that is able to connect and display
> > > data from pg_shadow and pg_groupview.  This program uses the same JDBC
> > > driver, connection URL, user name ("tomcat"), and password.
> > >
> > > I have created my own web app (thinking the admin or manager web apps
> > > might be the problem), but it is also unable to authenticate users.
> > >
> > > Any other ideas?  I am using the JPackage RPM - could that have anything
> > > to do with it?  How about the JPackage RPM for xerces-J2?  I know they
> > > have had problems with xerces before (unable to view example web apps).
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> > >
> > > > Hi Rob,
> > > >
> > > > > Ok, I tried cleartext passwords, but I came up with the same result.
> > > > > I don't understand why tomcat is able to start up at all, if the
> > > > > authentication is failing.
> > > >
> > > > Users are authenticated not Tomcat, so starting Tomcat has nothing
> > > > to do with authentication.  Tomcat is just a Java program.
> > > >
> > > > When a user tries to access a web app Tomcat will authenticate that
> > > > user if that web app's web.xml file tells it to. The manager app is
> > > > set up to require authentication .
> > > >
> > > > The web.xml file for admin is in
> > > > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > > > it is set up there.  If you want to authenticate users for your own
> > > > web apps, set up their web.xml security roles in a similar fashion.
> > > >
> > > > > When I run 'ps' after starting up tomcat, I see this process:
> > > > >
> > > > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0 00:00:00
> > > > > postgres: tomcat template1 24.208.224.236 idle in transaction
> > > > >
> > > > > Seeing this makes me believe that Tomcat is correctly connecting to
> > > > > the database at startup.  Is this true?  If so, why can't the admin or
> > > > > manager apps authenticate?  They are using the same Realm (it's nested
> > > > > inside the <Engine> tag) and I'm supplying the same username and password.
> > > >
> > > > A couple of other things you can check:
> > > >
> > > > Should  userNameCol="usename" be userNameCol="username" ?
> > > >
> > > > Can you access Postgres data from that file in your web apps using that
> > > > driver and username/password?  You should be able to write a simple
> > > > program to read the role names from the database.
> > > >
> > > > Within Postgres have you granted select privileges to the database
> > > > table in template1 to the user tomcat in the tables pg_shadow and
> > > > pg_groupview?
> > > >
> > > > Can you use a db browser tool to log in as tomcat and execute an SQL
> > > > command like: SELECT groname FROM pg_groupview WHERE usename
> > > > = 'tomcat'?
> > > >
> > > > Rick
> > > >
> > > > >
> > > > > --
> > > > > Robert Abernethy IV
> > > > > Dynamic Edge, Inc.
> > > > > 734.975.0460
> > > > >
> > > > > > Hi Rob,
> > > > > >
> > > > > > Try it in clear text without the MD5 digest, to verify that your
> > > > > > password, username, role, etc are correct.
> > > > > >
> > > > > > I had a lot of problems with digesting.
> > > > > >
> > > > > > Also some databases return column names in upper case even if they
> > > > > > are in lower case so you may want to try all caps on your db column
> > > > > > names.  I think you would get a different error message if this was
> > > > > > the case, though.
> > > > > >
> > > > > > Rick
> > > > > >
> > > > > > ----- Original Message -----
> > > > > >
> > > > > > > I'm trying to set up a JDBCRealm for use with the admin and
> > > > > > > manager webapps.
> > > > > > > The problem is that I am unable to authenticate any users.
> > > > > > >
> > > > > > > - Tomcat 4.1.18
> > > > > > > - Postgresql 7.3.1
> > > > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > > > - I can directly connect to my database with the username and
> > > > > > >   password
> > > > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > > > - I have added the users to both groups
> > > > > > >
> > > > > > > Realm:
> > > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > > >        driverName="org.postgresql.Driver"
> > > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > > >            digest="MD5" />
> > > > > > >
> > > > > > > Log:
> > > > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > > > > authenticated
> > > > > > >
> > > > > > > Any ideas?
> > > > > > >
> > > > > > > --
> > > > > > > Robert Abernethy IV
> > > > > > > Dynamic Edge, Inc.
> > > > > > > 734.975.0460
> >


Re: JDBCRealm

Posted by Rasputin <ra...@idoru.mine.nu>.
* Rob Abernethy IV <ab...@dynedge.com> [0130 19:30]:
> Alright, I finally have my answer.  Postgres prepends the username to the 
> password before creating the digest.  For example, if I wish to create a 
> postgres account with the username 'tomcat' and password 'tomcat', postgres 
> will prepend 'tomcat' to 'tomcat' to create 'tomcattomcat' and then make the 
> digest.  Unfortunately, I don't think there is any way to tell postgres 
> *not* to use a salt when creating the encrypted version of the password.

I don't see this with my setup, so I guess it's specific to pgsql system passwords.
Have you tried asking on the postgresql mailing lists?

-- 
Rasputin :: Jack of All Trades - Master of Nuns



Fw: Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Is there a way to tell Tomcat to use a 'salt' when generating the MD5 digest 
for JDBCRealm authentication?  If not, I think this is a feature that should 
be added in the future.  For example,

<Realm className="org.apache.catalina.realm.JDBCRealm"
       ...
       userTable="pg_shadow"
       userNameCol="usename"
       userCredCol="passwd"
       digest="MD5"
       salt="usename" />

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460


---------- Forwarded Message -----------
From: "Rob Abernethy IV" <ab...@dynedge.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Sun, 12 Jan 2003 14:30:22 +0800
Subject: Re: JDBCRealm

Alright, I finally have my answer.  Postgres prepends the username to the 
password before creating the digest.  For example, if I wish to create a 
postgres account with the username 'tomcat' and password 'tomcat', postgres 
will prepend 'tomcat' to 'tomcat' to create 'tomcattomcat' and then make the 
digest.  Unfortunately, I don't think there is any way to tell postgres 
*not* to use a salt when creating the encrypted version of the password.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

------- End of Forwarded Message -------
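An added example, not code from the thread or from Tomcat or PostgreSQL, that reproduces the two digest forms compared in the thread (Tomcat's unsalted `RealmBase -a MD5` digest and the username-salted `md5...` value Postgres stores in pg_shadow, as Rob describes above) and implements the username-salted check his proposed `salt="usename"` attribute would perform. Function names are my own, and the trailing-newline explanation for the `md5sum < file` value is an assumption.

```python
import hashlib
import hmac
from typing import Optional

# Constructed inputs for this example: the username/password pair used in the thread.
USERNAME = "tomcat"
PASSWORD = "tomcat"


def tomcat_md5_digest(password: str, encoding: str = "utf-8") -> str:
    """Unsalted digest, as Tomcat's 'RealmBase -a MD5' computes it: hex(md5(password)).

    The encoding matters: if the JVM and the database disagree on the character
    set, non-ASCII passwords digest to different values (Rick's charset caveat).
    """
    return hashlib.md5(password.encode(encoding)).hexdigest()


def postgres_md5_credential(username: str, password: str, encoding: str = "utf-8") -> str:
    """Username-salted credential in the form Postgres stores in pg_shadow.passwd:
    'md5' + hex(md5(password + username)), i.e. 'tomcat' + 'tomcat' -> 'tomcattomcat'."""
    return "md5" + hashlib.md5((password + username).encode(encoding)).hexdigest()


def which_scheme(username: str, password: str, stored: str) -> Optional[str]:
    """Report which digest scheme produced a stored credential for this password.

    Returns 'postgres-md5', 'tomcat-md5', or None when neither matches.  Trailing
    padding is stripped first because a CHAR column pads with spaces (Rick's point),
    and the comparison is case-insensitive since hex casing is not significant.
    """
    stored = stored.strip().lower()
    candidates = {
        "postgres-md5": postgres_md5_credential(username, password),
        "tomcat-md5": tomcat_md5_digest(password),
    }
    for name, expected in candidates.items():
        # Constant-time comparison so the check does not leak how much matched.
        if hmac.compare_digest(expected.encode("utf-8"), stored.encode("utf-8")):
            return name
    return None


def verify_salted(username: str, password: str, stored: str) -> bool:
    """The check a hypothetical salt="usename" realm attribute would perform:
    digest the presented password with the username as salt, in the same
    'md5' + md5(password + username) form Postgres uses, then compare."""
    return which_scheme(username, password, stored) == "postgres-md5"


def explain_mismatch(username: str, password: str) -> dict:
    """Show why the thread's three values disagree: no salt, username salt, and
    (assumed, for 'md5sum < file') the trailing newline a text file usually carries."""
    return {
        "tomcat_realmbase": tomcat_md5_digest(password),
        "postgres_pg_shadow": postgres_md5_credential(username, password),
        "md5sum_of_file_with_newline": tomcat_md5_digest(password + "\n"),
    }


if __name__ == "__main__":
    stored = postgres_md5_credential(USERNAME, PASSWORD)
    for name, value in explain_mismatch(USERNAME, PASSWORD).items():
        print(f"{name:30s} {value}")
    print("scheme:", which_scheme(USERNAME, PASSWORD, stored))
    print("salted verify:", verify_salted(USERNAME, PASSWORD, stored))
```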





Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Alright, I finally have my answer.  Postgres prepends the username to the 
password before creating the digest.  For example, if I wish to create a 
postgres account with the username 'tomcat' and password 'tomcat', postgres 
will prepend 'tomcat' to 'tomcat' to create 'tomcattomcat' and then make the 
digest.  Unfortunately, I don't think there is any way to tell postgres 
*not* to use a salt when creating the encrypted version of the password.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Ok, I got Java and Perl to come up with the same digest.  Postgres' 
> is different.  I think it has something to do with the 'salt'. 
>  Postgres uses the username as salt.  I don't know much about MD5 
> encryption, but it seems as though Java is using a different salt 
> and, therefore, coming up with a different digest.
> 
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
> 
> > Clear-text password: tomcat
> >
> > java org.apache.catalina.RealmBase -a MD5 tomcat
> > 1b359d8753858b55befa0441067aaed3
> >
> > select passwd from pg_shadow where usename='tomcat'
> > md5efcc1c51a80be13b59cdb96d758a0184
> >
> > md5sum -t < tomcat
> > 042d39e062dd4bf342e088dc832526f9
> >
> > import java.security.MessageDigest;
> >
> > String password = "tomcat";
> > byte[] md_password = password.getBytes();
> > MessageDigest md = MessageDigest.getInstance("MD5");
> > byte[] md_hash = md.digest(md_password);
> > // Printing a byte[] directly shows only the array reference, e.g. [B@15f5897;
> > // hex-encode it to get a digest string comparable to the other values.
> > StringBuilder hex = new StringBuilder();
> > for (byte b : md_hash) hex.append(String.format("%02x", b));
> > System.out.println(hex);
> >
> > So obviously the authentication is failing because the MD5'd
> > passwords don't match.  Tomcat is calculating the digest using the
> > RealmBase and the digest stored in the table was created by
> > Postgres.  Is there a reason why these are all different?
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > ----- Original Message -----
> > >
> > > > The MD5'd password *is* in the pg_shadow.passwd column.  I don't see
> > > > what I'm doing wrong.
> > >
> > > Is Postgres (or anything other than Java) generating the MD5'd
> > > passwords for the pg_shadow table?  If so, have you manually
> > > generated the MD5's to see if they are the same?
> > >
> > > Even if they are you can run into problems with storage formats.  If
> > > Postgres is using a different char set than the Java JVM for
> > > manipulating the strings, you can have mismatches.
> > >
> > > Also, if you use CHAR instead of  VARCHAR you may have extra spaces
> > > stuck on the end of the returned string to pad it out.
> > >
> > > The MD5 is longer than the string it is generated from so you need
> > > to make sure you have plenty of room for it.
> > >
> > > For example if Java is using UTF-8 and Postgres is using Win1251,
> > >  the same character can be represented by different numbers.  You
> > > usually see this with special or non-english characters.  Your web
> > > app stores a string in the database, then you look at it with a
> > > database with a browsing tool and some characters are different or
> > > get returned as ???.
> > >
> > > This can play hell with MD5 calculations.
> > >
> > > > And, as far as confusing postgres users with tomcat users,
> > > > is there a problem with using the same user for both?  I kind of
> > > > thought that was the point.  When I create a user, they can use the
> > > > same username and password to access tomcat web apps that they use to
> > > > connect to the database.
> > >
> > > That only works if you wait to define connections inside your web
> > > app.  This severely limits the effectiveness of connection pools.
> > >
> > > That chews up huge amounts of resources in a web app used by lots of
> > > users because building and tearing down connections uses a lot of
> > > cycles and memory.
> > >
> > > Even if you pool in your web app each user will have their own pool
> > > and at least one real connection will have to be opened for each user.
> > >
> > > You can get around this on some databases if they let you set the
> > > role or the user on an open connection.  That is very non-standard
> > > and could cause problems if you switch databases.
> > >
> > > All users of a web app usually share the same database
> > > username/password in a connection pooled environment where you are
> > > using a dataSource.  It gets locked in at the time the dataSource is
> > > set up.  So all users of the web app have the same read, update,
> > > select privileges.  If you want to restrict that on a per user basis
> > > you have to enforce that in your web app, usually using Tomcat Roles.
> > >
> > > A Tomcat Role differs from a database Role, so you have to be
> > > careful there. You may or may not have access to the databases user
> > > Role table depending on the database.  The problem is that if your
> > > dataSource belongs to user "tomcat" and user "Joe" logs into the web
> > > app the database may not let tomcat look at Joe's database Roles for
> > > security reasons.
> > >
> > > >
> > > > Thanks for the pointers on security.  Both Tomcat and Postgres are on
> > > > the same server.  I'm also planning on using HTTPS, but apache will
> > > > handle that part.  I think it will work something like this:
> > > >
> > > > 1. user types username and password (clear-text) into form
> > > > 2. web browser encrypts everything and sends it to web server (https)
> > > > 3. apache decrypts everything and passes it onto tomcat
> > > > 4. tomcat makes a MD5 form of the given password
> > > > 5. tomcat compares this with the MD5 password taken from the database
> > > >
> > > > Does that sound right?
> > >
> > > Yes, with the caveats above.  Good Luck!
> > >
> > > Rick
> > >
> > > >
> > > > --
> > > > Robert Abernethy IV
> > > > Dynamic Edge, Inc.
> > > > 734.975.0460
> > > >
> > > > > Yeah, looks like you almost have it.  The MD5'd password should be
> > > > > in pg_shadow in the userCredCol, passwd in this case.
> > > > >
> > > > > Be advised that you should either use only HTTPS for this, or run
> > > > > Tomcat on the same server as Postgres, or run them both on a secure
> > > > > net behind a firewall on separate machines to prevent your Postgres
> > > > > database from being compromised.
> > > > >
> > > > > MD5 really only prevents snoops on your server from being able to
> > > > > easily read the passwords in pg_shadow.
> > > > >
> > > > > Rick
> > > > >
> > > > > ----- Original Message -----
> > > > >
> > > > > > * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > > > > > > OK. I was able to get clear-text passwords to work, but I still
> > > > > > > can't get encrypted passwords to work.  Using MD5 encryption,
> > > > > > > Tomcat is able to successfully open a connection to the database
> > > > > > > using the JDBCRealm set up in the server.xml, but it is unable to
> > > > > > > authenticate users for the admin web app.  I am using the same
> > > > > > > username and password (username = "tomcat", password = "tomcat")
> > > > > > > for both the JDBCRealm and the admin web app.
> > > > > > >
> > > > > > > JDBCRealm:
> > > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > > >        driverName="org.postgresql.Driver"
> > > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > > >            digest="MD5" />
> > > > > > > pg_shadow:
> > > > > > > usename  | passwd
> > > > > > > -------------------------
> > > > > > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> > > > > >
> > > > > > You are confusing postgres usernames/passwords with the ones you
> want
> > > in
> > > > > the tables.
> > > > > > Tomcat connects to the database as user connectionName , password
> > > > > connectionPassword
> > > > > >
> > > > > > and looks up http authentication users and passwords in userTable
> and
> > > > > userRoleTable.
> > > > > >
> > > > > > It looks from your post like you have that backwards (pg_shadow
> holds
> > > > > postgres users, not users
> > > > > > for your apps).
> > > > > >
> > > > > > > postgresql log (for admin web app authentication):
> > > > > > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT
> passwd
> > > > > FROM
> > > > > > > pg_shadow WHERE usename = 'tomcat'
> > > > > > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration:
> 0.001636
> > > sec
> > > > > > >
> > > > > > > catalina_log.2003-01-07.txt:
> > > > > > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT
> > > > > successfully
> > > > > > > authenticated
 > > > > > >
> > > > > > --
> > > > > > Rasputin :: Jack of All Trades - Master of Nuns
> > > > >


Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Ok, I got Java and Perl to come up with the same digest.  Postgres' is 
different.  I think it has something to do with the 'salt'.  Postgres uses 
the username as salt.  I don't know much about MD5 encryption, but it seems 
as though Java is using a different salt and, therefore, coming up with a 
different digest.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Clear-text password: tomcat
> 
> java org.apache.catalina.RealmBase -a MD5 tomcat
> 1b359d8753858b55befa0441067aaed3
> 
> select passwd from pg_shadow where usename='tomcat'
> md5efcc1c51a80be13b59cdb96d758a0184
> 
> md5sum -t < tomcat
> 042d39e062dd4bf342e088dc832526f9
> 
> String password = "tomcat";
> byte[] md_password = password.getBytes();
> MessageDigest md = MessageDigest.getInstance("MD5");
> byte[] md_hash = md.digest(md_password);
> System.out.println(md_hash);
> [B@15f5897
> 
> So obviously the authentication is failing because the MD5'd 
> passwords don't match.  Tomcat is calculating the digest using the 
> RealmBase and the digest stored in the table was created by 
> Postgres.  Is there a reason why these are all different?
> 
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
> 
> > ----- Original Message -----
> >
> > > The MD5'd password *is* in the pg_shadow.passwd column.  I don't see what
> > > I'm doing wrong.
> >
> > Is Postgres (or anything other than Java) generating the MD5'd
> > passwords for the pg_shadow table?  If so, have you manually
> > generated the MD5's to see if they are the same?
> >
> > Even if they are you can run into problems with storage formats.  If
> > Postgres is using a different char set than the Java JVM for manipulating
> > the strings, you can have mismatches.
> >
> > Also, if you use CHAR instead of  VARCHAR you may have extra spaces
> > stuck on the end of the returned string to pad it out.
> >
> > The MD5 is longer than the string it is generated from so you need
> > to make sure you have plenty of room for it.
> >
> > For example if Java is using UTF-8 and Postgres is using Win1251,
> >  the same character can be represented by different numbers.  You
> > usually see this with special or non-english characters.  Your web
> > app stores a string in the database, then you look at it with a
> > database with a browsing tool and some characters are different or
> > get returned as ???.
> >
> > This can play hell with MD5 calculations.
> >
> > > And, as far as confusing postgres users with tomcat users,
> > > is there a problem with using the same user for both?  I kind of thought
> > > that was the point.  When I create a user, they can use the same username
> > > and password to access tomcat web apps that they use to connect to the
> > > database.
> >
> > That only works if you wait to define connections inside your web
> > app.  This severely limits the effectiveness of connection pools.
> >
> > That chews up huge amounts of resources in a web app used by lots of
> > users because building and tearing down connections uses a lot of
> > cycles and memory.
> >
> > Even if you pool in your web app each user will have their own pool
> > and at least one real connection will have to be opened for each user.
> >
> > You can get around this on some databases if they let you set the
> > role or the user on an open connection.  That is very non-standard
> > and could cause problems if you switch databases.
> >
> > All users of a web app usually share the same database
> > username/password in a connection pooled environment where you are
> > using a dataSource.  It gets locked in at the time the dataSource is
> > set up.  So all users of the web app have the same read, update,
> > select privileges.  If you want to restrict that on a per user basis
> > you have to enforce that in your web app, usually using Tomcat Roles.
> >
> > A Tomcat Role differs from a database Role, so you have to be
> > careful there. You may or may not have access to the databases user
> > Role table depending on the database.  The problem is that if your
> > dataSource belongs to user "tomcat" and user "Joe" logs into the web
> > app the database may not let tomcat look at Joe's database Roles for
> > security reasons.
> >
> > >
> > > Thanks for the pointers on security.  Both Tomcat and Postgres are on the
> > > same server.  I'm also planning on using HTTPS, but apache will handle that
> > > part.  I think it will work something like this:
> > >
> > > 1. user types username and password (clear-text) into form
> > > 2. web browser encrypts everything and sends it to web server (https)
> > > 3. apache decrypts everything and passes it onto tomcat
> > > 4. tomcat makes a MD5 form of the given password
> > > 5. tomcat compares this with the MD5 password taken from the database
> > >
> > > Does that sound right?
> >
> > Yes, with the caveats above.  Good Luck!
> >
> > Rick
> >
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> > >
> > > > Yeah, looks like you almost have it.  The MD5'd password should be in
> > > > pg_shadow in the userCredCol, passwd in this case.
> > > >
> > > > Be advised that you should either use only HTTPS for this, or run
> > > > Tomcat on the same server as Postgres, or run them both on a secure
> > > > net behind a firewall on separate machines to prevent your Postgres
> > > > database from being compromised.
> > > >
> > > > MD5 really only prevents snoops on your server from being able to easily
> > > > read the passwords in pg_shadow.
> > > >
> > > > Rick
> > > >
> > > > ----- Original Message -----
> > > >
> > > > > * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > > > > > OK. I was able to get clear-text passwords to work, but I still can't get
> > > > > > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > > > > > successfully open a connection to the database using the JDBCRealm set up in
> > > > > > the server.xml, but it is unable to authenticate users for the admin web app.
> > > > > > I am using the same username and password (username = "tomcat", password =
> > > > > > "tomcat") for both the JDBCRealm and the admin web app.
> > > > > >
> > > > > > JDBCRealm:
> > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > >        driverName="org.postgresql.Driver"
> > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > >            digest="MD5" />
> > > > > > pg_shadow:
> > > > > > usename  | passwd
> > > > > > -------------------------
> > > > > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> > > > >
> > > > > You are confusing postgres usernames/passwords with the ones you want in the tables.
> > > > > Tomcat connects to the database as user connectionName , password connectionPassword
> > > > >
> > > > > and looks up http authentication users and passwords in userTable and userRoleTable.
> > > > >
> > > > > It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
> > > > > for your apps).
> > > > >
> > > > > > postgresql log (for admin web app authentication):
> > > > > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> > > > > > pg_shadow WHERE usename = 'tomcat'
> > > > > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> > > > > >
> > > > > > catalina_log.2003-01-07.txt:
> > > > > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > > > authenticated
> > > > >
> > > > > --
> > > > > Rasputin :: Jack of All Trades - Master of Nuns
> > > >


Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Clear-text password: tomcat

java org.apache.catalina.RealmBase -a MD5 tomcat
1b359d8753858b55befa0441067aaed3

select passwd from pg_shadow where usename='tomcat'
md5efcc1c51a80be13b59cdb96d758a0184

md5sum -t < tomcat
042d39e062dd4bf342e088dc832526f9

String password = "tomcat";
byte[] md_password = password.getBytes();
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] md_hash = md.digest(md_password);
System.out.println(md_hash);
[B@15f5897

So obviously the authentication is failing because the MD5'd passwords don't
match.  Tomcat is calculating the digest using the RealmBase and the digest
stored in the table was created by Postgres.  Is there a reason why these are
all different?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> ----- Original Message -----
> 
> > The MD5'd password *is* in the pg_shadow.passwd column.  I don't see what
> > I'm doing wrong.
> 
> Is Postgres (or anything other than Java) generating the MD5'd 
> passwords for the pg_shadow table?  If so, have you manually 
> generated the MD5's to see if they are the same?
> 
> Even if they are you can run into problems with storage formats.  If
> Postgres is using a different char set than the Java JVM for manipulating
> the strings, you can have mismatches.
> 
> Also, if you use CHAR instead of  VARCHAR you may have extra spaces 
> stuck on the end of the returned string to pad it out.
> 
> The MD5 is longer than the string it is generated from so you need 
> to make sure you have plenty of room for it.
> 
> For example if Java is using UTF-8 and Postgres is using Win1251,
>  the same character can be represented by different numbers.  You 
> usually see this with special or non-english characters.  Your web 
> app stores a string in the database, then you look at it with a 
> database with a browsing tool and some characters are different or 
> get returned as ???.
> 
> This can play hell with MD5 calculations.
> 
> > And, as far as confusing postgres users with tomcat users,
> > is there a problem with using the same user for both?  I kind of thought
> > that was the point.  When I create a user, they can use the same username
> > and password to access tomcat web apps that they use to connect to the
> > database.
> 
> That only works if you wait to define connections inside your web 
> app.  This severely limits the effectiveness of connection pools.
> 
> That chews up huge amounts of resources in a web app used by lots of 
> users because building and tearing down connections uses a lot of 
> cycles and memory.
> 
> Even if you pool in your web app each user will have their own pool 
> and at least one real connection will have to be opened for each user.
> 
> You can get around this on some databases if they let you set the 
> role or the user on an open connection.  That is very non-standard 
> and could cause problems if you switch databases.
> 
> All users of a web app usually share the same database 
> username/password in a connection pooled environment where you are 
> using a dataSource.  It gets locked in at the time the dataSource is 
> set up.  So all users of the web app have the same read, update, 
> select privileges.  If you want to restrict that on a per user basis 
> you have to enforce that in your web app, usually using Tomcat Roles.
> 
> A Tomcat Role differs from a database Role, so you have to be 
> careful there. You may or may not have access to the databases user 
> Role table depending on the database.  The problem is that if your 
> dataSource belongs to user "tomcat" and user "Joe" logs into the web 
> app the database may not let tomcat look at Joe's database Roles for 
> security reasons.
> 
> >
> > Thanks for the pointers on security.  Both Tomcat and Postgres are on the
> > same server.  I'm also planning on using HTTPS, but apache will handle that
> > part.  I think it will work something like this:
> >
> > 1. user types username and password (clear-text) into form
> > 2. web browser encrypts everything and sends it to web server (https)
> > 3. apache decrypts everything and passes it onto tomcat
> > 4. tomcat makes a MD5 form of the given password
> > 5. tomcat compares this with the MD5 password taken from the database
> >
> > Does that sound right?
> 
> Yes, with the caveats above.  Good Luck!
> 
> Rick
> 
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > Yeah, looks like you almost have it.  The MD5'd password should be in
> > > pg_shadow in the userCredCol, passwd in this case.
> > >
> > > Be advised that you should either use only HTTPS for this, or run
> > > Tomcat on the same server as Postgres, or run them both on a secure
> > > net behind a firewall on separate machines to prevent your Postgres
> > > database from being compromised.
> > >
> > > MD5 really only prevents snoops on your server from being able to easily
> > > read the passwords in pg_shadow.
> > >
> > > Rick
> > >
> > > ----- Original Message -----
> > >
> > > > * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > > > > OK. I was able to get clear-text passwords to work, but I still can't get
> > > > > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > > > > successfully open a connection to the database using the JDBCRealm set up in
> > > > > the server.xml, but it is unable to authenticate users for the admin web app.
> > > > > I am using the same username and password (username = "tomcat", password =
> > > > > "tomcat") for both the JDBCRealm and the admin web app.
> > > > >
> > > > > JDBCRealm:
> > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > >        driverName="org.postgresql.Driver"
> > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > >            digest="MD5" />
> > > > > pg_shadow:
> > > > > usename  | passwd
> > > > > -------------------------
> > > > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> > > >
> > > > You are confusing postgres usernames/passwords with the ones you want in the tables.
> > > > Tomcat connects to the database as user connectionName , password connectionPassword
> > > >
> > > > and looks up http authentication users and passwords in userTable and userRoleTable.
> > > >
> > > > It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
> > > > for your apps).
> > > >
> > > > > postgresql log (for admin web app authentication):
> > > > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> > > > > pg_shadow WHERE usename = 'tomcat'
> > > > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> > > > >
> > > > > catalina_log.2003-01-07.txt:
> > > > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > > authenticated
> > > >
> > > > --
> > > > Rasputin :: Jack of All Trades - Master of Nuns
> > >
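
The three digests listed in the message above, reproduced from the construction rule each tool follows; it also shows the point Rob reaches later in the thread, that PostgreSQL salts the hash with the user name. This is an added Python example, not code from the thread, from Tomcat or from PostgreSQL; it assumes the password "tomcat" and the PostgreSQL user name "tomcat" given in the thread, and assumes the file hashed by md5sum ended in a newline.

```python
import hashlib


def tomcat_realm_digest(password: str, encoding: str = "utf-8") -> str:
    """Mirror of `java org.apache.catalina.RealmBase -a MD5 <password>` in
    Tomcat 4.1: the lowercase hex MD5 of the password bytes alone, no salt.
    `encoding` stands in for the JVM platform charset, which is why a charset
    mismatch between the JVM and the database (Rick's point) changes the result.
    hexdigest() is the explicit byte-to-hex step RealmBase does with HexUtils;
    Java's System.out.println(byte[]) skips it and prints the array identity
    ("[B@..."), which is why that line in the thread shows no digest at all."""
    return hashlib.md5(password.encode(encoding)).hexdigest()


def postgres_md5_credential(password: str, username: str) -> str:
    """Mirror of what PostgreSQL stores in pg_shadow.passwd for an MD5
    password: the literal prefix "md5" followed by the hex MD5 of
    password || username.  The user name is the salt, so the stored value is
    neither the bare digest nor even a hash of the same input."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def md5sum_of_file(contents: bytes) -> str:
    """Mirror of `md5sum < file`: hashes every byte in the file.  A file written
    by an editor or plain `echo` normally ends in a newline, and that one byte
    is enough to give a third, unrelated digest."""
    return hashlib.md5(contents).hexdigest()


def jdbcrealm_accepts(stored_credential: str, presented_password: str) -> bool:
    """What JDBCRealm with digest="MD5" does at login: digest the presented
    password and compare the hex string with the userCredCol value as-is.
    Nothing strips a CHAR column's trailing blanks or a Postgres "md5" prefix,
    so only a bare hex digest produced the way RealmBase produces it can match."""
    return stored_credential == tomcat_realm_digest(presented_password)


def compare_digests(password: str, pg_username: str) -> dict:
    """Build the same three values the thread lists side by side.
    The inputs are constructed here, not read from any database."""
    return {
        "tomcat_realmbase": tomcat_realm_digest(password),
        "postgres_pg_shadow": postgres_md5_credential(password, pg_username),
        # Assumption: the file named "tomcat" in the thread held "tomcat\n".
        "md5sum_of_file": md5sum_of_file((password + "\n").encode("ascii")),
    }


if __name__ == "__main__":
    values = compare_digests("tomcat", "tomcat")
    for source, digest in values.items():
        print(f"{source:20s} {digest}")
    print("JDBCRealm accepts the pg_shadow value:",
          jdbcrealm_accepts(values["postgres_pg_shadow"], "tomcat"))
    print("JDBCRealm accepts the RealmBase value:",
          jdbcrealm_accepts(values["tomcat_realmbase"], "tomcat"))
```

The practical consequence is the one Rasputin gave: pg_shadow cannot serve as a JDBCRealm userTable with digest="MD5"; the realm needs its own table whose credential column holds the digest RealmBase computes.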


Re: JDBCRealm

Posted by Rick Fincher <rn...@tbird.com>.
----- Original Message -----

> The MD5'd password *is* in the pg_shadow.passwd column.  I don't see what
> I'm doing wrong.

Is Postgres (or anything other than Java) generating the MD5'd passwords for
the pg_shadow table?  If so, have you manually generated the MD5's to see if
they are the same?

Even if they are you can run into problems with storage formats.  If
Postgres is using a different char set than the Java JVM for manipulating
the strings, you can have mismatches.

Also, if you use CHAR instead of  VARCHAR you may have extra spaces stuck on
the end of the returned string to pad it out.

The MD5 is longer than the string it is generated from so you need to make
sure you have plenty of room for it.

For example if Java is using UTF-8 and Postgres is using Win1251, the same
character can be represented by different numbers.  You usually see this
with special or non-english characters.  Your web app stores a string in the
database, then you look at it with a database with a browsing tool and some
characters are different or get returned as ???.

This can play hell with MD5 calculations.

> And, as far as confusing postgres users with tomcat users,
> is there a problem with using the same user for both?  I kind of thought
> that was the point.  When I create a user, they can use the same username
> and password to access tomcat web apps that they use to connect to the
> database.

That only works if you wait to define connections inside your web app.  This
severely limits the effectiveness of connection pools.

That chews up huge amounts of resources in a web app used by lots of users
because building and tearing down connections uses a lot of cycles and
memory.

Even if you pool in your web app each user will have their own pool and at
least one real connection will have to be opened for each user.

You can get around this on some databases if they let you set the role or
the user on an open connection.  That is very non-standard and could cause
problems if you switch databases.

All users of a web app usually share the same database username/password in
a connection pooled environment where you are using a dataSource.  It gets
locked in at the time the dataSource is set up.  So all users of the web app
have the same read, update, select privileges.  If you want to restrict that
on a per user basis you have to enforce that in your web app, usually using
Tomcat Roles.

A Tomcat Role differs from a database Role, so you have to be careful there.
You may or may not have access to the databases user Role table depending on
the database.  The problem is that if your dataSource belongs to user
"tomcat" and user "Joe" logs into the web app the database may not let
tomcat look at Joe's database Roles for security reasons.

>
> Thanks for the pointers on security.  Both Tomcat and Postgres are on the
> same server.  I'm also planning on using HTTPS, but apache will handle that
> part.  I think it will work something like this:
>
> 1. user types username and password (clear-text) into form
> 2. web browser encrypts everything and sends it to web server (https)
> 3. apache decrypts everything and passes it onto tomcat
> 4. tomcat makes a MD5 form of the given password
> 5. tomcat compares this with the MD5 password taken from the database
>
> Does that sound right?

Yes, with the caveats above.  Good Luck!

Rick

>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
>
> > Yeah, looks like you almost have it.  The MD5'd password should be in
> > pg_shadow in the userCredCol, passwd in this case.
> >
> > Be advised that you should either use only HTTPS for this, or run
> > Tomcat on the same server as Postgres, or run them both on a secure
> > net behind a firewall on separate machines to prevent your Postgres
> > database from being compromised.
> >
> > MD5 really only prevents snoops on your server from being able to easily
> > read the passwords in pg_shadow.
> >
> > Rick
> >
> > ----- Original Message -----
> >
> > > * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > > > OK. I was able to get clear-text passwords to work, but I still can't get
> > > > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > > > successfully open a connection to the database using the JDBCRealm set up in
> > > > the server.xml, but it is unable to authenticate users for the admin web app.
> > > > I am using the same username and password (username = "tomcat", password =
> > > > "tomcat") for both the JDBCRealm and the admin web app.
> > > >
> > > > JDBCRealm:
> > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > >        driverName="org.postgresql.Driver"
> > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > >            digest="MD5" />
> > > > pg_shadow:
> > > > usename  | passwd
> > > > -------------------------
> > > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> > >
> > > You are confusing postgres usernames/passwords with the ones you want in the tables.
> > > Tomcat connects to the database as user connectionName , password connectionPassword
> > >
> > > and looks up http authentication users and passwords in userTable and userRoleTable.
> > >
> > > It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
> > > for your apps).
> > >
> > > > postgresql log (for admin web app authentication):
> > > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> > > > pg_shadow WHERE usename = 'tomcat'
> > > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> > > >
> > > > catalina_log.2003-01-07.txt:
> > > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > authenticated
> > >
> > > --
> > > Rasputin :: Jack of All Trades - Master of Nuns
> >




Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
The MD5'd password *is* in the pg_shadow.passwd column.  I don't see what 
I'm doing wrong.  And, as far as confusing postgres users with tomcat users, 
is there a problem with using the same user for both?  I kind of thought 
that was the point.  When I create a user, they can use the same username 
and password to access tomcat web apps that they use to connect to the 
database.

Thanks for the pointers on security.  Both Tomcat and Postgres are on the 
same server.  I'm also planning on using HTTPS, but apache will handle that 
part.  I think it will work something like this:

1. user types username and password (clear-text) into form
2. web browser encrypts everything and sends it to web server (https)
3. apache decrypts everything and passes it onto tomcat
4. tomcat makes a MD5 form of the given password
5. tomcat compares this with the MD5 password taken from the database

Does that sound right?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Yeah, looks like you almost have it.  The MD5'd password should be in
> pg_shadow in the userCredCol, passwd in this case.
> 
> Be advised that you should either use only HTTPS for this, or run 
> Tomcat on the same server as Postgres, or run them both on a secure 
> net behind a firewall on separate machines to prevent your Postgres 
> database from being compromised.
> 
> MD5 really only prevents snoops on your server from being able to easily
> read the passwords in pg_shadow.
> 
> Rick
> 
> ----- Original Message -----
> 
> > * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > > OK. I was able to get clear-text passwords to work, but I still can't get
> > > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > > successfully open a connection to the database using the JDBCRealm set up in
> > > the server.xml, but it is unable to authenticate users for the admin web app.
> > > I am using the same username and password (username = "tomcat", password =
> > > "tomcat") for both the JDBCRealm and the admin web app.
> > >
> > > JDBCRealm:
> > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > >        driverName="org.postgresql.Driver"
> > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > >            digest="MD5" />
> > > pg_shadow:
> > > usename  | passwd
> > > -------------------------
> > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> >
> > You are confusing postgres usernames/passwords with the ones you want in the tables.
> > Tomcat connects to the database as user connectionName , password connectionPassword
> >
> > and looks up http authentication users and passwords in userTable and userRoleTable.
> >
> > It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
> > for your apps).
> >
> > > postgresql log (for admin web app authentication):
> > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> > > pg_shadow WHERE usename = 'tomcat'
> > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> > >
> > > catalina_log.2003-01-07.txt:
> > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > authenticated
> >
> > --
> > Rasputin :: Jack of All Trades - Master of Nuns


Re: JDBCRealm

Posted by Rick Fincher <rn...@tbird.com>.
Yeah, looks like you almost have it.  The MD5'd password should be in
pg_shadow in the userCredCol, passwd in this case.

Be advised that you should either use only HTTPS for this, or run Tomcat on
the same server as Postgres, or run them both on a secure net behind a
firewall on separate machines to prevent your Postgres database from being
compromised.

MD5 really only prevents snoops on your server from being able to easily
read the passwords in pg_shadow.

Rick

----- Original Message -----

> * Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> > OK. I was able to get clear-text passwords to work, but I still can't get
> > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > successfully open a connection to the database using the JDBCRealm set up in
> > the server.xml, but it is unable to authenticate users for the admin web app.
> > I am using the same username and password (username = "tomcat", password =
> > "tomcat") for both the JDBCRealm and the admin web app.
> >
> > JDBCRealm:
> > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> >        driverName="org.postgresql.Driver"
> >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> >     userRoleTable="pg_groupview" roleNameCol="groname"
> >            digest="MD5" />
> > pg_shadow:
> > usename  | passwd
> > -------------------------
> > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
>
> You are confusing postgres usernames/passwords with the ones you want in the tables.
> Tomcat connects to the database as user connectionName , password connectionPassword
>
> and looks up http authentication users and passwords in userTable and userRoleTable.
>
> It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
> for your apps).
>
> > postgresql log (for admin web app authentication):
> > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> > pg_shadow WHERE usename = 'tomcat'
> > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> >
> > catalina_log.2003-01-07.txt:
> > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > authenticated
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns




Re: JDBCRealm

Posted by Rasputin <ra...@idoru.mine.nu>.
* Rob Abernethy IV <ab...@dynedge.com> [0154 21:54]:
> OK. I was able to get clear-text passwords to work, but I still can't get
> encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> successfully open a connection to the database using the JDBCRealm set up in
> the server.xml, but it is unable to authenticate users for the admin web app.
>  I am using the same username and password (username = "tomcat", password =
> "tomcat") for both the JDBCRealm and the admin web app.
> 
> JDBCRealm:
> <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        driverName="org.postgresql.Driver"
>     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
>    connectionName="abernethy" connectionPassword="gceIlu4DaR"
>         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
>     userRoleTable="pg_groupview" roleNameCol="groname"
>            digest="MD5" />
> pg_shadow:
> usename  | passwd
> -------------------------
> tomcat   | md5efcc1c51a80be13b59cdb96d758a0184

You are confusing postgres usernames/passwords with the ones you want in the tables.
Tomcat connects to the database as user connectionName , password connectionPassword

and looks up http authentication users and passwords in userTable  and userRoleTable.

It looks from your post like you have that backwards (pg_shadow holds postgres users, not users
for your apps).
 
> postgresql log (for admin web app authentication):
> Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
> pg_shadow WHERE usename = 'tomcat'
> Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> 
> catalina_log.2003-01-07.txt:
> 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> authenticated

-- 
Rasputin :: Jack of All Trades - Master of Nuns



Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
OK. I was able to get clear-text passwords to work, but I still can't get
encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
successfully open a connection to the database using the JDBCRealm set up in
the server.xml, but it is unable to authenticate users for the admin web app.
 I am using the same username and password (username = "tomcat", password =
"tomcat") for both the JDBCRealm and the admin web app.

JDBCRealm:
<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.postgresql.Driver"
    connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
   connectionName="abernethy" connectionPassword="gceIlu4DaR"
        userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
    userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:
usename  | passwd
-------------------------
tomcat   | md5efcc1c51a80be13b59cdb96d758a0184

pg_groupview:
 grosysid | groname | usesysid |  usename
----------+---------+----------+-----------
      101 | admin   |      102 | tomcat
      100 | manager |      102 | tomcat

postgresql log (for Tomcat start up):
Jan  7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
Jan  7 16:41:25 bilbo postgres[4329]: [1] LOG:  connection received:
host=24.208.224.236 port=33234
Jan  7 16:41:25 bilbo postgres[4329]: [2] LOG:  connection authorized:
user=tomcat database=template1
Jan  7 16:41:25 bilbo postgres[4329]: [3-1] LOG:  query: set datestyle to
'ISO'; select version(), case when pg_encoding_to_char(1) = 'SQL_ASCII' then
'UNKNOWN' else
Jan  7 16:41:25 bilbo postgres[4329]: [3-2]  getdatabaseencoding() end;
Jan  7 16:41:25 bilbo postgres[4329]: [4] LOG:  duration: 0.028513 sec
Jan  7 16:41:25 bilbo postgres[4329]: [5] LOG:  query: set client_encoding =
'UNICODE'; show autocommit
Jan  7 16:41:25 bilbo postgres[4329]: [6] LOG:  duration: 0.000260 sec
Jan  7 16:41:25 bilbo postgres[4329]: [7] LOG:  query: set autocommit = off; 
Jan  7 16:41:25 bilbo postgres[4329]: [8] LOG:  duration: 0.000198 sec

postgresql log (for admin web app authentication):
Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
pg_shadow WHERE usename = 'tomcat'
Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec

catalina_log.2003-01-07.txt:
2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
authenticated

Any more ideas?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Hi Rob,
> 
> You have two separate sets of usernames and passwords here.  One 
> that the JDBC driver uses to open the database connection, and 
> another set that Tomcat reads from a database table and compares to 
> what you type in when prompted.
> 
> The realm stuff sets up when Tomcat starts, but it just sits there 
> until you try to get a JSP page that a webapp has designated in its 
> web.xml to be restricted.
> 
> When that happens, Tomcat will get your browser to generate a login dialog
> box, or will run your login page if you use form based authentication.
> 
> Tomcat will then take the username and password that it gets from 
> that and generate an SQL statement to select the password column of 
> the userTable
> ("pg_shadow" in your case) in the row where the username is equal to 
> whatever you typed into the login box.
> 
> It uses the connection opened to your user/password table when Tomcat
> started and set up the realm using the driver, database name,
>  usernames and passwords that you supplied in the server.xml realm entry.
> 
> Tomcat then takes the password string that is returned and compares 
> it to what you typed in as a password.
> 
> If you have MD5 enabled it converts the password string you typed in 
> to its MD5 form before comparing it to what it pulls from the 
> database.  In this case you have to convert the password string to 
> its MD5 format before you store it in the Postgres database.
> 
> It looks like you have stuff set up properly, it also looks like the
> username "tomcat" and password "tomcat" are getting you into the database
> OK.
> 
> Since you are not able to log in to webapps that require no role, it 
> looks like the username or password that you are typing in when you 
> try to log in is not matching what tomcat is getting from Postgres 
> from the table "pg_shadow" in the "usename" and "passwd" fields, respectively.
> 
> If there were some kind of error, with debug=99 your logs would have 
> a lot of error info, particularly if there were some SQL error.
> 
> I don't know what kind of logging Postgres has but you should see a
> successful SQL statement handled by Postgres in the log at the time 
> you try to authenticate, even if authentication fails.
> 
> If so, what you are typing in for username/password just isn't matching
> what's in the database, or more precisely what the JDBC driver is returning
> from the database.
> 
> This could be a character set or case sensitivity issue with the 
> JDBC driver you are using.
> 
> This does work, believe it or not.  I've been using it for months 
> with the Firebird open source SQL database and various versions of 
> Tomcat 4.1.X.
> 
> Rick
> 
> ----- Original Message -----
> 
> > Does Tomcat process the JDBC Realm on start up, or only when a web app
> > asks for authentication?  I seem to recall that I was unable to start Tomcat if
> > the realm was not configured correctly.  Also, I see a postgres process
> > (see below) which indicates a connection to the database.  The process
> > shows 'tomcat' because that is the *user name* I am using in the realm
> > configuration.
> >
> > The column names are correct (postgres uses 'usename' not 'username').
> >
> > The "tomcat" user has the correct privileges on the necessary tables.
> >
> > I have written a simple Java program that is able to connect and display
> > data from pg_shadow and pg_groupview.  This program uses the same JDBC driver,
> > connection URL, user name ("tomcat"), and password.
> >
> > I have created my own web app (thinking the admin or manager web apps
> > might be the problem), but it is also unable to authenticate users.
> >
> > Any other ideas?  I am using the JPackage RPM - could that have anything
> > to do with it?  How about the JPackage RPM for xerces-J2?  I know they have
> > had problems with xerces before (unable to view example web apps).
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > Hi Rob,
> > >
> > > > Ok, I tried cleartext passwords, but I came up with the same result.
> > > > I don't understand why tomcat is able to start up at all, if the
> > > > authentication is failing.
> > >
> > > Users are authenticated, not Tomcat, so starting Tomcat has nothing
> > > to do with authentication.  Tomcat is just a Java program.
> > >
> > > When a user tries to access a web app Tomcat will authenticate that
> > > user if that web app's web.xml file tells it to. The manager app is
> > > set up to require authentication.
> > >
> > > The web.xml file for admin is in
> > > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > > it is set up there.  If you want to authenticate users for your own
> > > web apps, set up their web.xml security roles in a similar fashion.
> > >
> > > > When I run 'ps' after starting up tomcat, I see this process:
> > > >
> > > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0    00:00:00
> > > > postgres: tomcat template1 24.208.224.236 idle in transaction
> > > >
> > > > Seeing this makes me believe that Tomcat is correctly connecting to
> > > > the database at startup.  Is this true?  If so, why can't the admin or
> > > > manager apps authenticate?  They are using the same Realm (it's nested inside
> > > > the <Engine> tag) and I'm supplying the same username and password.
> > >
> > > A couple of other things you can check:
> > >
> > > Should  userNameCol="usename" be userNameCol="username" ?
> > >
> > > Can you access Postgres data from that file in your web apps using that
> > > driver and username/password?  You should be able to write a simple
> > > program to read the role names from the database.
> > >
> > > Within Postgres have you granted select privileges to the database
> > > table in template1 to the user tomcat in the tables pg_shadow and
> > > pg_groupview?
> > >
> > > Can you use a db browser tool to log in as tomcat and execute an SQL
> > > command like: SELECT groname FROM TABLE pg_groupview WHERE usename
> > > IS 'tomcat'?
> > >
> > > Rick
> > >
> > > >
> > > > --
> > > > Robert Abernethy IV
> > > > Dynamic Edge, Inc.
> > > > 734.975.0460
> > > >
> > > > > Hi Rob,
> > > > >
> > > > > Try it in clear text without the MD5 digest, to verify that your
> > > > > password, username, role, etc are correct.
> > > > >
> > > > > I had a lot of problems with digesting.
> > > > >
> > > > > Also some databases return column names in upper case even if they
> > > > > are in lower case so you may want to try all caps on your db column
> > > > > names.  I think you would get a different error message if this was
> > > > > the case, though.
> > > > >
> > > > > Rick
> > > > >
> > > > > ----- Original Message -----
> > > > >
> > > > > > I'm trying to set up a JDBCRealm for use with the admin and
> > > > > > manager webapps.
> > > > > > The problem is that I am unable to authenticate any users.
> > > > > >
> > > > > > - Tomcat 4.1.18
> > > > > > - Postgresql 7.3.1
> > > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > > - I can directly connect to my database with the username and
> > > > > > password
> > > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > > - I have added the users to both groups
> > > > > >
> > > > > > Realm:
> > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > >        driverName="org.postgresql.Driver"
> > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > >            digest="MD5" />
> > > > > >
> > > > > > Log:
> > > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> > > > > > successfully authenticated
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > --
> > > > > > Robert Abernethy IV
> > > > > > Dynamic Edge, Inc.
> > > > > > 734.975.0460
> 





Re: JDBCRealm

Posted by Rick Fincher <rn...@tbird.com>.
Hi Rob,

You have two separate sets of usernames and passwords here.  One that the
JDBC driver uses to open the database connection, and another set that
Tomcat reads from a database table and compares to what you type in when
prompted.

The realm stuff sets up when Tomcat starts, but it just sits there until you
try to get a JSP page that a webapp has designated in its web.xml to be
restricted.

When that happens, Tomcat will get your browser to generate a login dialog
box, or will run your login page if you use form based authentication.

Tomcat will then take the username and password that it gets from that and
generate an SQL statement to select the password column of the userTable
("pg_shadow" in your case) in the row where the username is equal to
whatever you typed into the login box.

It uses the connection opened to your user/password table when Tomcat
started and set up the realm using the driver, database name, usernames and
passwords that you supplied in the server.xml realm entry.

Tomcat then takes the password string that is returned and compares it to
what you typed in as a password.

If you have MD5 enabled it converts the password string you typed in to its
MD5 form before comparing it to what it pulls from the database.  In this
case you have to convert the password string to its MD5 format before you
store it in the Postgres database.

It looks like you have stuff set up properly, it also looks like the
username "tomcat" and password "tomcat" are getting you into the database
OK.

Since you are not able to log in to webapps that require no role, it looks
like the username or password that you are typing in when you try to log in
is not matching what tomcat is getting from Postgres from the table
"pg_shadow" in the "usename" and "passwd" fields, respectively.

If there were some kind of error, with debug=99 your logs would have a lot of
error info, particularly if there were some SQL error.

I don't know what kind of logging Postgres has but you should see a
successful SQL statement handled by Postgres in the log at the time you try
to authenticate, even if authentication fails.

If so, what you are typing in for username/password just isn't matching
what's in the database, or more precisely what the JDBC driver is returning
from the database.

This could be a character set or case sensitivity issue with the JDBC driver
you are using.

This does work, believe it or not.  I've been using it for months with the
Firebird open source SQL database and various versions of Tomcat 4.1.X.

Rick

----- Original Message -----

> Does Tomcat process the JDBC Realm on start up, or only when a web app
> asks for authentication?  I seem to recall that I was unable to start Tomcat if
> the realm was not configured correctly.  Also, I see a postgres process
> (see below) which indicates a connection to the database.  The process
> shows 'tomcat' because that is the *user name* I am using in the realm
> configuration.
>
> The column names are correct (postgres uses 'usename' not 'username').
>
> The "tomcat" user has the correct privileges on the necessary tables.
>
> I have written a simple Java program that is able to connect and display
> data from pg_shadow and pg_groupview.  This program uses the same JDBC driver,
> connection URL, user name ("tomcat"), and password.
>
> I have created my own web app (thinking the admin or manager web apps
> might be the problem), but it is also unable to authenticate users.
>
> Any other ideas?  I am using the JPackage RPM - could that have anything
> to do with it?  How about the JPackage RPM for xerces-J2?  I know they have
> had problems with xerces before (unable to view example web apps).
>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
>
> > Hi Rob,
> >
> > > Ok, I tried cleartext passwords, but I came up with the same result.
> > > I don't understand why tomcat is able to start up at all, if the
> > > authentication is failing.
> >
> > Users are authenticated, not Tomcat, so starting Tomcat has nothing
> > to do with authentication.  Tomcat is just a Java program.
> >
> > When a user tries to access a web app Tomcat will authenticate that
> > user if that web app's web.xml file tells it to. The manager app is
> > set up to require authentication.
> >
> > The web.xml file for admin is in
> > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > it is set up there.  If you want to authenticate users for your own
> > web apps, set up their web.xml security roles in a similar fashion.
> >
> > > When I run 'ps' after starting up tomcat, I see this process:
> > >
> > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0    00:00:00
> > > postgres: tomcat template1 24.208.224.236 idle in transaction
> > >
> > > Seeing this makes me believe that Tomcat is correctly connecting to
> > > the database at startup.  Is this true?  If so, why can't the admin or
> > > manager apps authenticate?  They are using the same Realm (it's nested inside
> > > the <Engine> tag) and I'm supplying the same username and password.
> >
> > A couple of other things you can check:
> >
> > Should  userNameCol="usename" be userNameCol="username" ?
> >
> > Can you access Postgres data from that file in your web apps using that
> > driver and username/password?  You should be able to write a simple
> > program to read the role names from the database.
> >
> > Within Postgres have you granted select privileges to the database
> > table in template1 to the user tomcat in the tables pg_shadow and
> > pg_groupview?
> >
> > Can you use a db browser tool to log in as tomcat and execute an SQL
> > command like: SELECT groname FROM TABLE pg_groupview WHERE usename
> > IS 'tomcat'?
> >
> > Rick
> >
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> > >
> > > > Hi Rob,
> > > >
> > > > Try it in clear text without the MD5 digest, to verify that your
> > > > password, username, role, etc are correct.
> > > >
> > > > I had a lot of problems with digesting.
> > > >
> > > > Also some databases return column names in upper case even if they
> > > > are in lower case so you may want to try all caps on your db column
> > > > names.  I think you would get a different error message if this was
> > > > the case, though.
> > > >
> > > > Rick
> > > >
> > > > ----- Original Message -----
> > > >
> > > > > I'm trying to set up a JDBCRealm for use with the admin and
> > > > > manager webapps.
> > > > > The problem is that I am unable to authenticate any users.
> > > > >
> > > > > - Tomcat 4.1.18
> > > > > - Postgresql 7.3.1
> > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > - I can directly connect to my database with the username and
> > > > > password
> > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > - I have added the users to both groups
> > > > >
> > > > > Realm:
> > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > >        driverName="org.postgresql.Driver"
> > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > >            digest="MD5" />
> > > > >
> > > > > Log:
> > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> > > > > successfully authenticated
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > --
> > > > > Robert Abernethy IV
> > > > > Dynamic Edge, Inc.
> > > > > 734.975.0460


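Rasputin's point above (pg_shadow holds PostgreSQL's own login secrets, not application users) and Rick's walkthrough of what the realm does at login time both come down to two SQL lookups and one digest comparison. The Python model below is an added example written for this thread; it is not Tomcat's code and not something Rob, Rick or Rasputin posted. It assumes the JDBCRealm behaviour described in the thread and in the Tomcat 4.1 documentation (select userCredCol from userTable for the typed username, compare the lowercase hex MD5 of the typed password with the stored column ignoring hex case, then select roleNameCol from userRoleTable), uses an in-memory SQLite database with constructed table and column names app_users / app_user_roles in place of pg_shadow / pg_groupview, and reproduces PostgreSQL's own pg_shadow.passwd format (the literal prefix "md5" followed by MD5 of password concatenated with username) to show why the value Rob quoted from pg_shadow can never match Tomcat's digest of the same password.

```python
"""Model of what Tomcat 4.1's JDBCRealm does when a user logs in with digest="MD5".

Added example for this thread, not Tomcat's code. Table and column names are
constructed stand-ins for the userTable/userRoleTable attributes in server.xml.
"""
import hashlib
import sqlite3

# Value quoted in the thread from pg_shadow.passwd for the 'tomcat' database role.
THREAD_PG_SHADOW_VALUE = "md5efcc1c51a80be13b59cdb96d758a0184"

# Constructed application credentials for the example.
APP_USER = "tomcat"
APP_PASSWORD = "tomcat"


def tomcat_md5_digest(password: str) -> str:
    """The value JDBCRealm derives from the typed password with digest="MD5":
    lowercase hex MD5 of the password bytes (assumes a UTF-8 platform charset)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def postgres_md5_password(password: str, username: str) -> str:
    """What PostgreSQL itself stores in pg_shadow.passwd for an MD5 role:
    the literal prefix 'md5' followed by MD5(password || username).
    This is a database login secret, not an application credential."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def credentials_match(stored: str, typed_password: str) -> bool:
    """Tomcat's comparison step: digest the typed password and compare it with
    the stored column, ignoring hex case as the realm does for digested values."""
    return tomcat_md5_digest(typed_password).lower() == stored.lower()


def build_realm_tables(conn: sqlite3.Connection) -> None:
    """Dedicated tables shaped the way JDBCRealm expects: userTable(userNameCol,
    userCredCol) and userRoleTable(userNameCol, roleNameCol). Stored credentials
    are the Tomcat-style digest, never the database role's own password."""
    conn.executescript(
        """
        CREATE TABLE app_users (
            user_name TEXT PRIMARY KEY,
            user_pass TEXT NOT NULL
        );
        CREATE TABLE app_user_roles (
            user_name TEXT NOT NULL,
            role_name TEXT NOT NULL,
            PRIMARY KEY (user_name, role_name)
        );
        """
    )
    conn.execute(
        "INSERT INTO app_users VALUES (?, ?)",
        (APP_USER, tomcat_md5_digest(APP_PASSWORD)),
    )
    conn.executemany(
        "INSERT INTO app_user_roles VALUES (?, ?)",
        [(APP_USER, "admin"), (APP_USER, "manager")],
    )


def realm_authenticate(conn: sqlite3.Connection, username: str, password: str):
    """Mirror of JDBCRealm.authenticate: one SELECT for the credential column,
    the digest comparison, then one SELECT for the roles.
    Returns the sorted role list on success and None on failure."""
    row = conn.execute(
        "SELECT user_pass FROM app_users WHERE user_name = ?", (username,)
    ).fetchone()
    if row is None or not credentials_match(row[0], password):
        return None
    roles = conn.execute(
        "SELECT role_name FROM app_user_roles WHERE user_name = ? ORDER BY role_name",
        (username,),
    ).fetchall()
    return [r[0] for r in roles]


def demo() -> dict:
    """Run the scenarios from the thread against the in-memory realm tables."""
    conn = sqlite3.connect(":memory:")
    build_realm_tables(conn)
    return {
        "dedicated_table_ok": realm_authenticate(conn, APP_USER, APP_PASSWORD),
        "wrong_password": realm_authenticate(conn, APP_USER, "not-tomcat"),
        "unknown_user": realm_authenticate(conn, "nobody", APP_PASSWORD),
        # The thread's pg_shadow value carries the 'md5' prefix and hashes
        # password||username, so it can never equal Tomcat's 32-hex-digit digest.
        "pg_shadow_value_ok": credentials_match(THREAD_PG_SHADOW_VALUE, APP_PASSWORD),
        "constructed_pg_value_ok": credentials_match(
            postgres_md5_password(APP_PASSWORD, APP_USER), APP_PASSWORD
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the dedicated table authenticates; the pg_shadow-style value fails for the two reasons visible in Rob's log: it has the "md5" prefix and it hashes the password together with the username, so it is a database login secret and should not be exposed to the realm at all. Keeping application users in their own table also means the realm's connection account only needs SELECT on those two tables rather than on pg_shadow.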


Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Does Tomcat process the JDBC Realm on start up, or only when a web app asks 
for authentication?  I seem to recall that I was unable to start Tomcat if 
the realm was not configured correctly.  Also, I see a postgres process (see 
below) which indicates a connection to the database.  The process 
shows 'tomcat' because that is the *user name* I am using in the realm 
configuration.

The column names are correct (postgres uses 'usename' not 'username').

The "tomcat" user has the correct privileges on the necessary tables.

I have written a simple Java program that is able to connect and display data 
from pg_shadow and pg_groupview.  This program uses the same JDBC driver, 
connection URL, user name ("tomcat"), and password.

I have created my own web app (thinking the admin or manager web apps might 
be the problem), but it is also unable to authenticate users.

Any other ideas?  I am using the JPackage RPM - could that have anything to 
do with it?  How about the JPackage RPM for xerces-J2?  I know they have had 
problems with xerces before (unable to view example web apps).

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Hi Rob,
> 
> > Ok, I tried cleartext passwords, but I came up with the same result.  I
> > don't understand why tomcat is able to start up at all, if the authentication is
> > failing.
> 
> Users are authenticated, not Tomcat, so starting Tomcat has nothing 
> to do with authentication.  Tomcat is just a Java program.
> 
> When a user tries to access a web app Tomcat will authenticate that 
> user if that web app's web.xml file tells it to. The manager app is 
> set up to require authentication.
> 
> The web.xml file for admin is in
> CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how 
> it is set up there.  If you want to authenticate users for your own 
> web apps, set up their web.xml security roles in a similar fashion.
> 
> > When I run 'ps' after starting up tomcat, I see this process:
> >
> > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0    00:00:00
> > postgres: tomcat template1 24.208.224.236 idle in transaction
> >
> > Seeing this makes me believe that Tomcat is correctly connecting to the
> > database at startup.  Is this true?  If so, why can't the admin or manager
> > apps authenticate?  They are using the same Realm (it's nested inside the
> > <Engine> tag) and I'm supplying the same username and password.
> 
> A couple of other things you can check:
> 
> Should  userNameCol="usename" be userNameCol="username" ?
> 
> Can you access Postgres data from that file in your web apps using that
> driver and username/password?  You should be able to write a simple program
> to read the role names from the database.
> 
> Within Postgres have you granted select privileges to the database 
> table in template1 to the user tomcat in the tables pg_shadow and 
> pg_groupview?
> 
> Can you use a db browser tool to log in as tomcat and execute an SQL 
> command like: SELECT groname FROM TABLE pg_groupview WHERE usename 
> IS 'tomcat'?
> 
> Rick
> 
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > Hi Rob,
> > >
> > > Try it in clear text without the MD5 digest, to verify that your
> > > password, username, role, etc are correct.
> > >
> > > I had a lot of problems with digesting.
> > >
> > > Also some databases return column names in upper case even if they
> > > are in lower case so you may want to try all caps on your db column
> > > names.  I think you would get a different error message if this was
> > > the case, though.
> > >
> > > Rick
> > >
> > > ----- Original Message -----
> > >
> > > > I'm trying to set up a JDBCRealm for use with the admin and manager
> > > > webapps.
> > > > The problem is that I am unable to authenticate any users.
> > > >
> > > > - Tomcat 4.1.18
> > > > - Postgresql 7.3.1
> > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > - Tomcat starts up fine, I just can't authenticate
> > > > - I can directly connect to my database with the username and password
> > > > - I have created the 'admin' and 'manager' groups in the database
> > > > - I have added the users to both groups
> > > >
> > > > Realm:
> > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > >        driverName="org.postgresql.Driver"
> > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > >            digest="MD5" />
> > > >
> > > > Log:
> > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> > > > successfully authenticated
> > > >
> > > > Any ideas?
> > > >
> > > > --
> > > > Robert Abernethy IV
> > > > Dynamic Edge, Inc.
> > > > 734.975.0460
> > >





Re: JDBCRealm

Posted by Rick Fincher <rn...@tbird.com>.
Hi Rob,

> Ok, I tried cleartext passwords, but I came up with the same result.  I
> don't understand why tomcat is able to start up at all, if the authentication is
> failing.

Users are authenticated, not Tomcat, so starting Tomcat has nothing to do
with authentication.  Tomcat is just a Java program.

When a user tries to access a web app Tomcat will authenticate that user if
that web app's web.xml file tells it to. The manager app is set up to
require authentication.

The web.xml file for admin is in
CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how it is
set up there.  If you want to authenticate users for your own web apps, set
up their web.xml security roles in a similar fashion.

> When I run 'ps' after starting up tomcat, I see this process:
>
> 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0    00:00:00
> postgres: tomcat template1 24.208.224.236 idle in transaction
>
> Seeing this makes me believe that Tomcat is correctly connecting to the
> database at startup.  Is this true?  If so, why can't the admin or manager
> apps authenticate?  They are using the same Realm (it's nested inside the
> <Engine> tag) and I'm supplying the same username and password.

A couple of other things you can check:

Should  userNameCol="usename" be userNameCol="username" ?

Can you access Postgres data from that file in your web apps using that
driver and username/password?  You should be able to write a simple program
to read the role names from the database.

Within Postgres have you granted select privileges to the database table in
template1 to the user tomcat in the tables pg_shadow and pg_groupview?

Can you use a db browser tool to log in as tomcat and execute an SQL command
like: SELECT groname FROM TABLE pg_groupview WHERE usename IS 'tomcat'?

Rick

>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
>
> > Hi Rob,
> >
> > Try it in clear text without the MD5 digest, to verify that your
> > password, username, role, etc are correct.
> >
> > I had a lot of problems with digesting.
> >
> > Also some databases return column names in upper case even if they
> > are in lower case so you may want to try all caps on your db column
> > names.  I think you would get a different error message if this was
> > the case, though.
> >
> > Rick
> >
> > ----- Original Message -----
> >
> > > I'm trying to set up a JDBCRealm for use with the admin and manager
> > > webapps.
> > > The problem is that I am unable to authenticate any users.
> > >
> > > - Tomcat 4.1.18
> > > - Postgresql 7.3.1
> > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > - Tomcat starts up fine, I just can't authenticate
> > > - I can directly connect to my database with the username and password
> > > - I have created the 'admin' and 'manager' groups in the database
> > > - I have added the users to both groups
> > >
> > > Realm:
> > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > >        driverName="org.postgresql.Driver"
> > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > >    connectionName="tomcat" connectionPassword="tomcat"
> > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > >            digest="MD5" />
> > >
> > > Log:
> > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> > > successfully authenticated
> > >
> > > Any ideas?
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> >




Re: JDBCRealm

Posted by Rob Abernethy IV <ab...@dynedge.com>.
Ok, I tried cleartext passwords, but I came up with the same result.  I don't
understand why tomcat is able to start up at all, if the authentication is
failing.  When I run 'ps' after starting up tomcat, I see this process:

40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0    00:00:00
postgres: tomcat template1 24.208.224.236 idle in transaction

Seeing this makes me believe that Tomcat is correctly connecting to the
database at startup.  Is this true?  If so, why can't the admin or manager
apps authenticate?  They are using the same Realm (it's nested inside the
<Engine> tag) and I'm supplying the same username and password.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Hi Rob,
> 
> Try it in clear text without the MD5 digest, to verify that your 
> password, username, role, etc are correct.
> 
> I had a lot of problems with digesting.
> 
> Also some databases return column names in upper case even if they 
> are in lower case so you may want to try all caps on your db column 
> names.  I think you would get a different error message if this was 
> the case, though.
> 
> Rick
> 
> ----- Original Message -----
> 
> > I'm trying to set up a JDBCRealm for use with the admin and manager
> > webapps.
> > The problem is that I am unable to authenticate any users.
> >
> > - Tomcat 4.1.18
> > - Postgresql 7.3.1
> > - JDBC driver is in $CATALINA_HOME/common/lib
> > - Tomcat starts up fine, I just can't authenticate
> > - I can directly connect to my database with the username and password
> > - I have created the 'admin' and 'manager' groups in the database
> > - I have added the users to both groups
> >
> > Realm:
> > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> >        driverName="org.postgresql.Driver"
> >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> >    connectionName="tomcat" connectionPassword="tomcat"
> >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> >     userRoleTable="pg_groupview" roleNameCol="groname"
> >            digest="MD5" />
> >
> > Log:
> > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> > successfully authenticated
> >
> > Any ideas?
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> 





Re: JDBCRealm

Posted by Rick Fincher <rn...@tbird.com>.
Hi Rob,

Try it in clear text without the MD5 digest, to verify that your password,
username, role, etc are correct.

I had a lot of problems with digesting.

Also some databases return column names in upper case even if they are in
lower case so you may want to try all caps on your db column names.  I think
you would get a different error message if this was the case, though.

Rick

----- Original Message -----

> I'm trying to set up a JDBCRealm for use with the admin and manager
> webapps.
> The problem is that I am unable to authenticate any users.
>
> - Tomcat 4.1.18
> - Postgresql 7.3.1
> - JDBC driver is in $CATALINA_HOME/common/lib
> - Tomcat starts up fine, I just can't authenticate
> - I can directly connect to my database with the username and password
> - I have created the 'admin' and 'manager' groups in the database
> - I have added the users to both groups
>
> Realm:
> <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        driverName="org.postgresql.Driver"
>     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
>    connectionName="tomcat" connectionPassword="tomcat"
>         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
>     userRoleTable="pg_groupview" roleNameCol="groname"
>            digest="MD5" />
>
> Log:
> 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT
> successfully authenticated
>
> Any ideas?
>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460

