Posted to users@tomcat.apache.org by Mike Slinn <ms...@mslinn.com> on 2001/03/02 18:59:26 UTC

JDBC Realm not triggering

I feel like I sailed off the edge of the known universe, because there isn't
much documentation for form-based authentication using JDBC realms (at
least, none that I could find, beyond the short JDBCRealm.howto included in
the Tomcat docs).

I am using Windows NT Server 4 SP6 with JDK 1.3 and Tomcat 3.2.1.

I made the following changes to server.xml:

<!-- <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm"
debug="0" /> -->
<RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
     debug="99"
     driverName="org.gjt.mm.mysql.Driver"
     connectionURL="jdbc:mysql://blahblah.com:3306/database"
     connectionName="secret"
     connectionPassword="secret"
     userTable="Users" userNameCol="userId" userCredCol="userPassword"
     userRoleTable="UserPriv" roleNameCol="privLevel" />

The database tables exist, exactly as shown in <RequestInterceptor>, since
MySQL is case-sensitive w.r.t. table names.

Here is a piece of my web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>developer</web-resource-name>
      <url-pattern>/pwAdmin/*</url-pattern>
      <url-pattern>/pwModerator/*</url-pattern>
      <url-pattern>/pwNormal/*</url-pattern>
      <url-pattern>/pwPortal/*</url-pattern>
      <url-pattern>/pwTest/*</url-pattern>
      <http-method>get</http-method>
      <http-method>post</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>developer</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JDBC</realm-name>
    <form-login-config>
      <form-login-page>/index.html</form-login-page>
      <form-error-page>/register.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>developer</role-name>
  </security-role>


Here is the authentication form:

<form method="POST" action="j_security_check">
   Login id: <input type="text" name="j_username" size="8" class=formStyle><br>
   Password: <input type="password" name="j_password" size="8" class=formStyle><br>
             <input type="submit" value="  Log In  " name="LogIn" class=formStyle>
</form>


When I press the submit button, I get the following error:
HTTP 404 - File not found
The url reported is http://localhost:8080/j_security_check

Somehow the form action is not being picked up by the Tomcat security
mechanism.  What have I missed?

A few more questions:
 - If I omit <transport-guarantee>, does it default to NONE?
 - Is it possible to use * for <http-method> to specify that all HTTP
methods are to be subject to security?
 - I would like to use a numeric column in the database to store the user
authentication level, rather than a text string.  Can the JDBC realm be set
up to work this way?
 - I found very little documentation regarding form-based authentication
using JDBC realms. Can you point me to some more?

... thanks
Mike


Re: JDBC Realm not triggering

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
A couple of things to remember:

* Check the log files to ensure that the authenticator
  has initialized itself correctly.

* You should set the <http-method> values to upper
  case (GET and POST) instead of lower case.

* You should *not* be referencing the form login page
  yourself in a request.  Try referencing a URL inside
  a protected subdirectory of your application, and Tomcat
  will automatically display the form login page for you.
  From a user experience point of view, this operates exactly
  like BASIC authentication does, with the form login page
  replacing the pop-up dialog.

* Because of the above rule, you do not want your login page
  to be the welcome page for the app, as "/index.html" is
  by default.  Instead, you will want to either have an unprotected
  welcome page, or redirect the welcome into a protected area.

* Due to a bug in Tomcat 3.2.1, the <form-login-page> and
  <form-error-page> pages must *not* be within an area protected
  by a security constraint.

Craig McClanahan
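
A small check for the web.xml points in the reply above (upper-case <http-method> values, login and error pages outside every protected url-pattern, login page not the welcome page), as an added example that is not part of the original thread or of Tomcat. The sample web.xml is constructed from the posted fragment, and lint, is_protected and WELCOME_PAGES are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the login-related parts of the web.xml posted above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/pwAdmin/*</url-pattern>
      <url-pattern>/pwTest/*</url-pattern>
      <http-method>get</http-method>
      <http-method>post</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>developer</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/index.html</form-login-page>
      <form-error-page>/register.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

WELCOME_PAGES = {"/index.html"}  # default welcome page named in the reply

def is_protected(path, patterns):
    """Exact match or '/dir/*' prefix match against constrained url-patterns."""
    return any(p == path or (p.endswith("/*") and (path + "/").startswith(p[:-1]))
               for p in patterns)

def lint(web_xml):
    """Return a list of warnings for the FORM-login pitfalls listed in the reply."""
    root = ET.fromstring(web_xml)
    findings = []
    for m in root.iter("http-method"):
        name = (m.text or "").strip()
        if name != name.upper():
            findings.append(f"http-method '{name}' should be '{name.upper()}'")
    patterns = [(u.text or "").strip() for u in root.iter("url-pattern")]
    for tag in ("form-login-page", "form-error-page"):
        page = root.findtext(f".//{tag}")
        if page and is_protected(page.strip(), patterns):
            findings.append(f"{tag} {page} is inside a protected area")
    login = root.findtext(".//form-login-page")
    if login in WELCOME_PAGES:
        findings.append(f"form-login-page {login} is also the default welcome page")
    return findings

if __name__ == "__main__":
    for finding in lint(WEB_XML):
        print("WARN:", finding)
```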

