You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Mike Slinn <ms...@mslinn.com> on 2001/03/02 18:59:26 UTC
JDBC Realm not triggering
I feel like I sailed off the edge of the known universe, because there isn't
much documentation for form-based authentication using JDBC realms (at
least, none that I could find, beyond the short JDBCRealm.howto included in
the TomCat docs).
I am using Windows NT Server 4sp6 with JDK1.3 and Tomcat 3.2.1.
I made the following changes to server.xml:
<!-- <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm"
debug="0" /> -->
<RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
debug="99"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://blahblah.com:3306/database"
connectionName="secret"
connectionPassword="secret"
userTable="Users" userNameCol="userId" userCredCol="userPassword"
userRoleTable="UserPriv" roleNameCol="privLevel" />
The database tables exist, exactly as shown in <RequestInterceptor>, since
mySql is case-sensitive w.r.t. table names.
Here is a piece of my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>developer</web-resource-name>
<url-pattern>/pwAdmin/*</url-pattern>
<url-pattern>/pwModerator/*</url-pattern>
<url-pattern>/pwNormal/*</url-pattern>
<url-pattern>/pwPortal/*</url-pattern>
<url-pattern>/pwTest/*</url-pattern>
<http-method>get</http-method>
<http-method>post</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>developer</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>JDBC</realm-name>
<form-login-config>
<form-login-page>/index.html</form-login-page>
<form-error-page>/register.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>developer</role-name>
</security-role>
Here is the authentication form:
<form method="POST" action="j_security_check">
Login id: <input type="text" name="j_username" size="8"
class=formStyle><br>
Password: <input type="password" name="j_password" size="8"
class=formStyle><br>
<input type="submit" value=" Log In " name="LogIn"
class=formStyle>
</form>
When I press the submit button, I get the following error:
HTTP 404 - File not found
The url reported is http://localhost:8080/j_security_check
Somehow the form action is not being picked up by the TomCat security
mechanism. What have I missed?
A few more questions:
- If I omit <transport-guarantee>, does it default to NONE?
- Is it possible to use * for <http-method> to specify that all HTTP
methods are to be subject to security?
- I would like to use a numeric column in the database to store the user
authentication level, rather than a text string. Can the JDBC realm be set
up to work this way?
- I found very little documentation regarding form-based authentication
using JDBC realms. Can you point me to some more?
... thanks
Mike
Re: JDBC Realm not triggering
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
A couple of things to remember:
* Check the log files to ensure that the authenticator
has initialized itself correctly.
* You should set the <http-method> values to upper
case (GET and POST) instead of lower case.
* You should *not* be referencing the form login page
yourself in a request. Try referencing a URL inside
a protected subdirectory of your application, and Tomcat
will automatically display the form login page for you.
From a user experience point of view, this operates exactly
like BASIC authentication does, with the form login page
replacing the pop-up dialog.
* Because of the above rule, you do not want your login page
to be the welcome page for the app, as "/index.html" is
by default. Instead, you will want to either have an unprotected
welcome page, or redirect the welcome into a protected area.
* Due to a bug in Tomcat 3.2.1, the <form-login-page> and
<form-error-page> pages must *not* be within an area protected
by a security constraint.
Craig McClanahan
Mike Slinn wrote:
> I feel like I sailed off the edge of the known universe, because there isn't
> much documentation for form-based authentication using JDBC realms (at
> least, none that I could find, beyond the short JDBCRealm.howto included in
> the TomCat docs).
>
> I am using Windows NT Server 4sp6 with JDK1.3 and Tomcat 3.2.1.
>
> I made the following changes to server.xml:
>
> <!-- <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm"
> debug="0" /> -->
> <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
> debug="99"
> driverName="org.gjt.mm.mysql.Driver"
> connectionURL="jdbc:mysql://blahblah.com:3306/database"
> connectionName="secret"
> connectionPassword="secret"
> userTable="Users" userNameCol="userId" userCredCol="userPassword"
> userRoleTable="UserPriv" roleNameCol="privLevel" />
>
> The database tables exist, exactly as shown in <RequestInterceptor>, since
> mySql is case-sensitive w.r.t. table names.
>
> Here is a piece of my web.xml:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>developer</web-resource-name>
> <url-pattern>/pwAdmin/*</url-pattern>
> <url-pattern>/pwModerator/*</url-pattern>
> <url-pattern>/pwNormal/*</url-pattern>
> <url-pattern>/pwPortal/*</url-pattern>
> <url-pattern>/pwTest/*</url-pattern>
> <http-method>get</http-method>
> <http-method>post</http-method>
> </web-resource-collection>
>
> <auth-constraint>
> <role-name>developer</role-name>
> </auth-constraint>
>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>JDBC</realm-name>
> <form-login-config>
> <form-login-page>/index.html</form-login-page>
> <form-error-page>/register.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role>
> <role-name>developer</role-name>
> </security-role>
>
> Here is the authentication form:
> <form method="POST" action="j_security_check">
> Login id: <input type="text" name="j_username" size="8"
> class=formStyle><br>
> Password: <input type="password" name="j_password" size="8"
> class=formStyle><br>
> <input type="submit" value=" Log In " name="LogIn"
> class=formStyle>
> </form>
>
> When I press the submit button, I get the following error:
> HTTP 404 - File not found
> The url reported is http://localhost:8080/j_security_check
>
> Somehow the form action is not being picked up by the TomCat security
> mechanism. What have I missed?
>
> A few more questions:
> - If I omit <transport-guarantee>, does it default to NONE?
> - Is it possible to use * for <http-method> to specify that all HTTP
> methods are to be subject to security?
> - I would like to use a numeric column in the database to store the user
> authentication level, rather than a text string. Can the JDBC realm be set
> up to work this way?
> - I found very little documentation regarding form-based authentication
> using JDBC realms. Can you point me to some more?
>
> ... thanks
> Mike
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org