Posted to users@tomcat.apache.org by Frank McCown <fm...@cs.odu.edu> on 2007/05/01 20:37:37 UTC

Help getting form-based authentication example working

Hello,

I'm having problems getting the form-based authentication example that 
ships with Tomcat 6 to work properly.

I have followed all the instructions at

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

to make the form authentication example using MemoryRealm work for

http://myserver:9090/examples/jsp/security/protected/

but when I access this URL, I get the protected page that says:

You are logged in as remote user null in session BLAH...
No user principal could be identified.

I understand that this page should redirect me to the login.jsp page 
instead where I can enter user1/test.


Here's what I did:

$CATALINA_HOME/conf/server.xml:

<Realm className="org.apache.catalina.realm.MemoryRealm" />


$CATALINA_HOME/conf/tomcat-users.xml:

<tomcat-users>
   <role rolename="tomcat"/>
   <role rolename="role1"/>
   <user username="user2" password="test" roles="role1"/>
   <user username="user1" password="test" roles="tomcat"/>
</tomcat-users>


$CATALINA_HOME/webapps/examples/WEB-INF/web.xml:

<security-constraint>
   <display-name>Example Security Constraint</display-name>
   <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/security/protected/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
   </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Example Form-Based Authentication Area</realm-name>
   <form-login-config>
      <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
      <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
   </form-login-config>
</login-config>


Any help would be much appreciated.  I'm running Tomcat on a Solaris 
workstation and accessing it from my Windows client with Firefox.

Regards,
Frank

-- 
Frank McCown
Old Dominion University
http://www.cs.odu.edu/~fmccown/

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form-based authentication example broken in Tomcat 6.0

Posted by Frank McCown <fm...@cs.odu.edu>.
Rémy Maucherat wrote:
> On 5/2/07, Frank McCown <fm...@cs.odu.edu> wrote:
>> The default contents of the conf/tomcat-users.xml file *should* be
>>
>> <tomcat-users>
>>    <user name="tomcat" password="tomcat" roles="tomcat" />
>>    <user name="role1"  password="tomcat" roles="role1"  />
>>    <user name="both"   password="tomcat" roles="tomcat,role1" />
>> </tomcat-users>
>>
>> but the file that ships with 6.0 is missing all the <user> tags.
> 
> No default users will be provided.

Do you mean you are leaving users out on purpose for security reasons? 
So I guess you'll change the documentation to tell the reader to add the 
users themselves.


> The rest has been fixed, thanks.

Thanks for updating the document, Rémy.

Frank



Re: Form-based authentication example broken in Tomcat 6.0

Posted by Rémy Maucherat <re...@gmail.com>.
On 5/2/07, Frank McCown <fm...@cs.odu.edu> wrote:
> The default contents of the conf/tomcat-users.xml file *should* be
>
> <tomcat-users>
>    <user name="tomcat" password="tomcat" roles="tomcat" />
>    <user name="role1"  password="tomcat" roles="role1"  />
>    <user name="both"   password="tomcat" roles="tomcat,role1" />
> </tomcat-users>
>
> but the file that ships with 6.0 is missing all the <user> tags.

No default users will be provided.

> And the server.xml file is missing the line:
>
> <Realm className="org.apache.catalina.realm.MemoryRealm" />

It has a functionally equivalent realm.

> Making these changes will fix the example.  Hope someone working on
> Tomcat sees this post.

The rest has been fixed, thanks.

Rémy



Form-based authentication example broken in Tomcat 6.0

Posted by Frank McCown <fm...@cs.odu.edu>.
I noticed the MemoryRealm / form-based authentication example in Tomcat 
6.0 is broken.  The example works just fine in Tomcat 5.5, but in the 
migration to 6.0, it got broken.  According to the doc at

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

the app is supposed to be available at

http://localhost:8080/jsp-examples/security/protected/

but the URL is actually

http://localhost:8080/examples/jsp/security/protected/


The default contents of the conf/tomcat-users.xml file *should* be

<tomcat-users>
   <user name="tomcat" password="tomcat" roles="tomcat" />
   <user name="role1"  password="tomcat" roles="role1"  />
   <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

but the file that ships with 6.0 is missing all the <user> tags.


And the server.xml file is missing the line:

<Realm className="org.apache.catalina.realm.MemoryRealm" />


Finally the web.xml file is using the wrong <url-pattern>.  It is set to

<url-pattern>/security/protected/*</url-pattern>

but should be

<url-pattern>/jsp/security/protected/*</url-pattern>

Making these changes will fix the example.  Hope someone working on 
Tomcat sees this post.

Regards,
Frank


