Posted to users@tomcat.apache.org by Padhu Vinirs <p....@verizon.net> on 2002/10/02 16:19:48 UTC

authorization using tomcat...

I am testing web resource form-based authentication. I have created a 
dummy jsp page "Details.jsp" and have created the following nodes in 
web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <url-pattern>Details.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>EditUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Users who can edit</description>
    <role-name>EditUsers</role-name>
</security-role>


I have created a "EditUsers" role in tomcat-users.xml.

But when I access "Details.jsp", I am redirected to the Netscape search 
page !!! I am able to access the login and error.jsp pages fine.

Any ideas ?




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: authorization using tomcat...

Posted by Rick Fincher <rn...@tbird.com>.
You have to call the invalidate method on the session.  You can also use
setMaxInactiveInterval(int seconds) to kill the session after an inactive
period.  I think the default in Tomcat is 30 minutes.

Rick

----- Original Message -----
From: "Padhu Vinirs" <p....@verizon.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, October 02, 2002 2:19 PM
Subject: Re: authorization using tomcat...


>
> Now I am able to access the secure page through the login page. But even
> if I close the browser ( which I assume will close the session ), and
> restart it, I am able to access the secure page without going through
> the login page. Is there a place where I need to say that the login info
> should not be a permanent cookie but only session scope ???
>
> Thanks
>
> -- padhu
>
>
>
>
> Rick Fincher wrote:
>
> >Hi Padu,
> >
> >It looks like you have this set up OK.  Do you have a memory realm set up in
> >conf/web.xml as is required for this setup?
> >
> >Also, since your transport guarantee is set up as confidential it is going
> >to use SSL so you either have to use an HTTPS:// url or you have to have
> >redirection turned on in port 80 (or whatever your HTTP port is) in
> >conf/web.xml.
> >
> >If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is the HTTPS
> >port) in the url too.
> >
> >Rick
> >
> >----- Original Message -----
> >From: "Padhu Vinirs" <p....@verizon.net>
> >To: <to...@jakarta.apache.org>
> >Sent: Wednesday, October 02, 2002 10:19 AM
> >Subject: authorization using tomcat...
> >
> >
> >
> >
> >>I am testing web resource form-based authentication. I have created a
> >>dummy jsp page "Details.jsp" and have created the following nodes in
> >>web.xml:
> >>
> >><security-constraint>
> >>        <web-resource-collection>
> >>            <web-resource-name>SecurePages</web-resource-name>
> >>            <url-pattern>Details.jsp</url-pattern>
> >>        </web-resource-collection>
> >>        <auth-constraint>
> >>            <role-name>EditUsers</role-name>
> >>        </auth-constraint>
> >>        <user-data-constraint>
> >>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>        </user-data-constraint>
> >>    </security-constraint>
> >>    <login-config>
> >>        <auth-method>FORM</auth-method>
> >>        <form-login-config>
> >>        <form-login-page>/login.jsp</form-login-page>
> >>        <form-error-page>/error.jsp</form-error-page>
> >>        </form-login-config>
> >>    </login-config>
> >>    <security-role>
> >>        <description>Users who can edit</description>
> >>        <role-name>EditUsers</role-name>
> >>    </security-role>
> >>
> >>
> >>I have created a "EditUsers" role in tomcat-users.xml.
> >>
> >>But when I access "Details.jsp", I am redirected to the Netscape search
> >>page !!! I am able to access the login and error.jsp pages fine.
> >>
> >>Any ideas ?
> >>





Re: authorization using tomcat...

Posted by Mubaraka Arif <ma...@alvin.stmarytx.edu>.
hi ,

I am trying to use the JDBC authentication using Informix database on 
Debian Tomcat 4.1.
The snippet of the server.xml :

      <!--
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              debug="0" resourceName="UserDatabase"/>
      -->
      <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
               driverName="com.informix.jdbc.IfxDriver"
               connectionURL="jdbc:informix-sqli;user=kjmi;password=tomcat"
               userTable="atroxlogin" userNameCol="username" userCredCol="password"
               userRoleTable="user_roles" roleNameCol="role_name" />


execution
---------
1. tomcat process started

2. tried to access the page login.jsp.
    It throws an exception "connection refused".

3. When tomcat process is stopped.

schroeder:/etc/init.d# tomcat4 stop
Using CATALINA_BASE:   /usr/share/tomcat4
Using CATALINA_HOME:   /usr/share/tomcat4
Using CATALINA_TMPDIR: /usr/share/tomcat4/temp
Using JAVA_HOME:       /usr/lib/j2sdk1.3
Catalina.stop: java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:320)
         at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:133)
         at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:120)
         at java.net.Socket.<init>(Socket.java:273)
         at java.net.Socket.<init>(Socket.java:100)
         at org.apache.catalina.startup.Catalina.stop(Catalina.java:579)
         at org.apache.catalina.startup.Catalina.execute(Catalina.java:402)
         at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
         at java.lang.reflect.Method.invoke(Native Method)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)

I went through the Tomcat documentation explaining the JDBCRealm how-to. 
But if you can explain the steps to go through, I would greatly 
appreciate it.



Thanks,
Mubaraka Arif
DataManagement Software Developer
St Mary's University
    


On 2002.10.02 13:19 Padhu Vinirs wrote:
> 
> Now I am able to access the secure page through the login page. But 
> even if I close the browser ( which I assume will close the session 
> ), and restart it, I am able to access the secure page without going 
> through the login page. Is there a place where I need to say that the 
> login info should not be a permanent cookie but only session scope ???
> 
> Thanks
> 
> -- padhu
> 
> 
> 
> 
> Rick Fincher wrote:
> 
>> Hi Padu,
>> 
>> It looks like you have this set up OK.  Do you have a memory realm 
>> set up in
>> conf/web.xml as is required for this setup?
>> 
>> Also, since your transport guarantee is set up as confidential it is 
>> going
>> to use SSL so you either have to use an HTTPS:// url or you have to 
>> have
>> redirection turned on in port 80 (or whatever your HTTP port is) in
>> conf/web.xml.
>> 
>> If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is 
>> the HTTPS
>> port) in the url too.
>> 
>> Rick
>> 
>> ----- Original Message -----
>> From: "Padhu Vinirs" <p....@verizon.net>
>> To: <to...@jakarta.apache.org>
>> Sent: Wednesday, October 02, 2002 10:19 AM
>> Subject: authorization using tomcat...
>> 
>> 
>> 
>>> I am testing web resource form-based authentication. I have created 
>>> a
>>> dummy jsp page "Details.jsp" and have created the following nodes in
>>> web.xml:
>>> 
>>> <security-constraint>
>>>        <web-resource-collection>
>>>            <web-resource-name>SecurePages</web-resource-name>
>>>            <url-pattern>Details.jsp</url-pattern>
>>>        </web-resource-collection>
>>>        <auth-constraint>
>>>            <role-name>EditUsers</role-name>
>>>        </auth-constraint>
>>>        <user-data-constraint>
>>>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>        </user-data-constraint>
>>>    </security-constraint>
>>>    <login-config>
>>>        <auth-method>FORM</auth-method>
>>>        <form-login-config>
>>>        <form-login-page>/login.jsp</form-login-page>
>>>        <form-error-page>/error.jsp</form-error-page>
>>>        </form-login-config>
>>>    </login-config>
>>>    <security-role>
>>>        <description>Users who can edit</description>
>>>        <role-name>EditUsers</role-name>
>>>    </security-role>
>>> 
>>> 
>>> I have created a "EditUsers" role in tomcat-users.xml.
>>> 
>>> But when I access "Details.jsp", I am redirected to the Netscape 
>>> search
>>> page !!! I am able to access the login and error.jsp pages fine.
>>> 
>>> Any ideas ?
>>> 
>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> 
> 
> 



Re: authorization using tomcat...

Posted by Padhu Vinirs <p....@verizon.net>.
Now I am able to access the secure page through the login page. But even 
if I close the browser ( which I assume will close the session ), and 
restart it, I am able to access the secure page without going through 
the login page. Is there a place where I need to say that the login info 
should not be a permanent cookie but only session scope ???

Thanks

-- padhu




Rick Fincher wrote:

>Hi Padu,
>
>It looks like you have this set up OK.  Do you have a memory realm set up in
>conf/web.xml as is required for this setup?
>
>Also, since your transport guarantee is set up as confidential it is going
>to use SSL so you either have to use an HTTPS:// url or you have to have
>redirection turned on in port 80 (or whatever your HTTP port is) in
>conf/web.xml.
>
>If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is the HTTPS
>port) in the url too.
>
>Rick
>
>----- Original Message -----
>From: "Padhu Vinirs" <p....@verizon.net>
>To: <to...@jakarta.apache.org>
>Sent: Wednesday, October 02, 2002 10:19 AM
>Subject: authorization using tomcat...
>
>
>  
>
>>I am testing web resource form-based authentication. I have created a
>>dummy jsp page "Details.jsp" and have created the following nodes in
>>web.xml:
>>
>><security-constraint>
>>        <web-resource-collection>
>>            <web-resource-name>SecurePages</web-resource-name>
>>            <url-pattern>Details.jsp</url-pattern>
>>        </web-resource-collection>
>>        <auth-constraint>
>>            <role-name>EditUsers</role-name>
>>        </auth-constraint>
>>        <user-data-constraint>
>>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>        </user-data-constraint>
>>    </security-constraint>
>>    <login-config>
>>        <auth-method>FORM</auth-method>
>>        <form-login-config>
>>        <form-login-page>/login.jsp</form-login-page>
>>        <form-error-page>/error.jsp</form-error-page>
>>        </form-login-config>
>>    </login-config>
>>    <security-role>
>>        <description>Users who can edit</description>
>>        <role-name>EditUsers</role-name>
>>    </security-role>
>>
>>
>>I have created a "EditUsers" role in tomcat-users.xml.
>>
>>But when I access "Details.jsp", I am redirected to the Netscape search
>>page !!! I am able to access the login and error.jsp pages fine.
>>
>>Any ideas ?
>>    
>>
>
>
>
>
>
>  
>





Re: authorization using tomcat...

Posted by Rick Fincher <rn...@tbird.com>.
Hi Padu,

It looks like you have this set up OK.  Do you have a memory realm set up in
conf/web.xml as is required for this setup?

Also, since your transport guarantee is set up as confidential it is going
to use SSL so you either have to use an HTTPS:// url or you have to have
redirection turned on in port 80 (or whatever your HTTP port is) in
conf/web.xml.

If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is the HTTPS
port) in the url too.

Rick

----- Original Message -----
From: "Padhu Vinirs" <p....@verizon.net>
To: <to...@jakarta.apache.org>
Sent: Wednesday, October 02, 2002 10:19 AM
Subject: authorization using tomcat...


>
> I am testing web resource form-based authentication. I have created a
> dummy jsp page "Details.jsp" and have created the following nodes in
> web.xml:
>
> <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>SecurePages</web-resource-name>
>             <url-pattern>Details.jsp</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>EditUsers</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>         <form-login-page>/login.jsp</form-login-page>
>         <form-error-page>/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <description>Users who can edit</description>
>         <role-name>EditUsers</role-name>
>     </security-role>
>
>
> I have created a "EditUsers" role in tomcat-users.xml.
>
> But when I access "Details.jsp", I am redirected to the Netscape search
> page !!! I am able to access the login and error.jsp pages fine.
>
> Any ideas ?





Re: authorization using tomcat...

Posted by Rick Fincher <rn...@tbird.com>.
Sounds like you are close now.  It is working but it is rejecting your
username, password or role.

The name and role in WEB-INF/web.xml have to match the name and role in
conf/tomcat-users.xml.  The password is verified at login and must match the
password in conf/tomcat-users.xml.

You can add a debug statement to the realm configuration in conf/server.xml
to give you some debug output on this to help narrow down the problem,  but
I think it is a mis-match in the password-username-role somewhere.

See Realm How-To memory realm in the docs for details.

Rick

----- Original Message -----
From: "Padhu Vinirs" <p....@verizon.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, October 02, 2002 1:58 PM
Subject: Re: authorization using tomcat...


>
> I did make that change and uncommented the MemoryRealm in servers.xml,
> restarted the server. Now I don't see any error in the log files, but I
> get an error
>
> The server encountered an internal error (/ExamBuilder/Details.jsp) that
> prevented it from fulfilling this request.
>
> My servers.xml entry is:
>
> <Realm className="org.apache.catalina.realm.MemoryRealm" />
>
>
> Any ideas ?
>
>
> Thanks
>
>
> -- padhu
>
>
>
>
>
> Craig R. McClanahan wrote:
>
> >On Wed, 2 Oct 2002, Padhu Vinirs wrote:
> >
> >
> >
> >>            <url-pattern>Details.jsp</url-pattern>
> >>
> >>
> >
> >URL patterns need to start with a "/" character.  Change this to:
> >
> >  <url-pattern>/Details.jsp</url-pattern>
> >
> >and you will have much better luck.
> >
> >Craig
> >





Re: authorization using tomcat...

Posted by Padhu Vinirs <p....@verizon.net>.
I did make that change and uncommented the MemoryRealm in servers.xml, 
restarted the server. Now I don't see any error in the log files, but I 
get an error

The server encountered an internal error (/ExamBuilder/Details.jsp) that 
prevented it from fulfilling this request.

My servers.xml entry is:

<Realm className="org.apache.catalina.realm.MemoryRealm" />


Any ideas ?


Thanks


-- padhu





Craig R. McClanahan wrote:

>On Wed, 2 Oct 2002, Padhu Vinirs wrote:
>
>  
>
>>            <url-pattern>Details.jsp</url-pattern>
>>    
>>
>
>URL patterns need to start with a "/" character.  Change this to:
>
>  <url-pattern>/Details.jsp</url-pattern>
>
>and you will have much better luck.
>
>Craig
>
>
>
>
>  
>





Re: authorization using tomcat...

Posted by Rick Fincher <rn...@tbird.com>.
Ah Ha.  That means you didn't have HTTPS set up properly in the Connector
for SSL Coyote HTTP 1.1, in the conf/server.xml file.

Rick

----- Original Message -----
From: "Padhu Vinirs" <p....@verizon.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, October 02, 2002 2:07 PM
Subject: Re: authorization using tomcat...


>
> When I commented out the data constraint CONFIDENTIAL the code worked.
>
> Thanks everybody,
>
> -- padhu
>
>
>
> Craig R. McClanahan wrote:
>
> >On Wed, 2 Oct 2002, Padhu Vinirs wrote:
> >
> >
> >
> >>            <url-pattern>Details.jsp</url-pattern>
> >>
> >>
> >
> >URL patterns need to start with a "/" character.  Change this to:
> >
> >  <url-pattern>/Details.jsp</url-pattern>
> >
> >and you will have much better luck.
> >
> >Craig
> >
> >
> >
> >
> >
> >
>
>
>
>
>




Re: authorization using tomcat...

Posted by Padhu Vinirs <p....@verizon.net>.
When I commented out the data constraint CONFIDENTIAL the code worked.

Thanks everybody,

-- padhu



Craig R. McClanahan wrote:

>On Wed, 2 Oct 2002, Padhu Vinirs wrote:
>
>  
>
>>            <url-pattern>Details.jsp</url-pattern>
>>    
>>
>
>URL patterns need to start with a "/" character.  Change this to:
>
>  <url-pattern>/Details.jsp</url-pattern>
>
>and you will have much better luck.
>
>Craig
>
>
>
>
>  
>





Re: authorization using tomcat...

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 2 Oct 2002, Padhu Vinirs wrote:

>             <url-pattern>Details.jsp</url-pattern>

URL patterns need to start with a "/" character.  Change this to:

  <url-pattern>/Details.jsp</url-pattern>

and you will have much better luck.

Craig
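
Added example (not part of the original thread, and not Tomcat code): a small Python lint over a web.xml / server.xml pair for the two problems found in this thread, a url-pattern without a leading "/" and a CONFIDENTIAL transport guarantee with no HTTPS Connector to redirect to. The function names and both sample documents are constructed for illustration; `port`, `scheme`, `secure` and `redirectPort` are the Connector attributes it reads.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip any XML namespace so DTD-era and namespaced descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def valid_url_pattern(p):
    """Servlet-spec shapes: '/exact', '/prefix/*', '/' (default) or '*.ext'."""
    return p.startswith("/") or (p.startswith("*.") and "/" not in p)

def audit(web_xml, server_xml):
    """Return a list of findings for one web.xml / server.xml pair."""
    findings, needs_tls = [], False
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        for up in find_all(sc, "url-pattern"):
            pattern = (up.text or "").strip()
            if not valid_url_pattern(pattern):
                findings.append(f"url-pattern '{pattern}' must start with '/' or '*.'")
        for tg in find_all(sc, "transport-guarantee"):
            if (tg.text or "").strip() in ("CONFIDENTIAL", "INTEGRAL"):
                needs_tls = True
    if needs_tls:
        connectors = find_all(ET.fromstring(server_xml), "Connector")
        tls_ports = {c.get("port") for c in connectors
                     if c.get("secure") == "true" or c.get("scheme") == "https"}
        if not tls_ports:
            findings.append("transport-guarantee needs TLS but server.xml has no HTTPS Connector")
        else:
            for c in connectors:  # each plain connector must redirect to a TLS port
                if c.get("port") not in tls_ports and c.get("redirectPort") not in tls_ports:
                    findings.append(f"Connector {c.get('port')}: redirectPort is not an HTTPS port")
    return findings

# Constructed sample modelled on the web.xml posted in this thread (pattern lacks "/").
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>Details.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>EditUsers</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed server.xml: plain HTTP only; redirectPort names a port with no Connector.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit(WEB_XML, SERVER_XML):
        print("FINDING:", finding)
```
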

