Posted to users@tomcat.apache.org by Oki DZ <ok...@bdg.pindad.com> on 2001/05/12 08:31:40 UTC

JDBC Realm is gone

Hi,

I downloaded the b4 the other day. Now I can start Tomcat using a JDBC
Realm. Thanks for the world-class bug fix.

      <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
             driverName="org.gjt.mm.mysql.Driver"
             connectionURL="jdbc:mysql://myhost.com/James"
             connectionName="guest"
             connectionPassword=""
             userTable="Users" userNameCol="username" userCredCol="password"
             userRoleTable="userroles" roleNameCol="rolename" />

Question is, how can one be restricted or allowed to enter a realm? I
started Tomcat with the above setting, but still, if I access
http://bdg:8080, I get the Tomcat main page. I expect to see some access
error. Well, I haven't read the manual on Tomcat Realms, but I think
maybe some of you wouldn't mind telling briefly how the realms work.

What I want to do is pretty simple, to have a web page for James users
who'd like to change their passwords. The passwords are stored in a
MySQL table in the form of MD5 digests. Actually, I'd like to use
Turbine (so that I don't have to tinker on implementing http sessions);
problem is, the latest Turbine won't run on Tomcat 4.0b4. So I think I
have to resort to Velocity and Tomcat, and having the access restricted
by the realms managed by Tomcat. So I guess my other question would be,
how can one change the "authenticator" used by Tomcat so that it
understands MD5? (Telling me the FQCN would be enough. Of course,
reading the manual would be sufficient; but if you have it now handy, I
think it would be faster than me skimming the manual.)

BTW, have you looked up on Velocity features and saw that the layouts
are done via templates now? I think it's _way_ cool. ("Now" compared to
the time when Turbine supports WebMacro only.) 

TIA,
Oki
ps: FQCN: fully qualified class name

Re: JDBC Realm is gone

Posted by Oki DZ <ok...@bdg.pindad.com>.
Bip Thelin wrote:
> I suggest you read the JDBCRealm-howto.html which should be in the
> docs directory of your distribution. Basically what you need to do besides
> what you've already done is to set up the tables (if you haven't already)
> and also check in the bottom of web.xml how to invoke a realm.

There is an example of web.xml in
/path/to/tomcat/webapps/manager/WEB-INF on how to setup the realm. I
have mine like the following:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">

<web-app>
  <servlet>
      <servlet-name>sample</servlet-name>
      <servlet-class>SampleServlet</servlet-class>
      <init-param>
        <param-name>properties</param-name>
	<param-value>WEB-INF/sample.properties</param-value>
      </init-param>
  </servlet>
   <servlet-mapping>
       <servlet-name>sample</servlet-name>
       <url-pattern>/sample</url-pattern>
   </servlet-mapping>
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE: This role is not present in the default users file -->
       <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

</web-app>

BASIC auth-method means that the passwords are stored in plain-text.
If I want to have an MD5 auth-method, which part of the source code
should I look into?

TIA,
Oki

Re: JDBC Realm is gone

Posted by Oki DZ <ok...@bdg.pindad.com>.
"Peter B. West" wrote:
> Note that the references to `Digest' with a capital `D' in server.xml
> and the JDBCRealm class must be `digest' with a lower-case `d'.  The
> usage of the public class (in 3.3 at least) is

I have tried it, still no login.

> java org.apache.tomcat.modules.aaa.JDBCRealm -a MD5 passwd1 [passwd2 ...]

It seems that the feature has been removed in 4.0b4. It's a non-issue
though; I can digest the password using "md5sum" on my machine.

BTW, my test password was generated using md5sum; ie: I had a file
containing the password (cat > test.pwd; 12345<ctrl-d><ctrl-d>; makes me
wonder why it should be twice) and ran it through md5sum (md5sum <
test.pwd). Then, I put it in the database. I already have a password
database set up for James using MD5, so I'd like to use it for
Tomcat too.

> The `MD5' may be replaced by another supported algorithm (only MD2 or
> SHA, I think), and you may provide one or more plaintext passwords to be
> digested.

MD2? Would that mean going back through time?
Besides, there's no md2sum on my machine. Ouch.

Oki
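
The digest Oki produces with md5sum is what a JDBCRealm with digest="MD5" stores and compares: the lowercase hex MD5 of the password bytes, with nothing appended. The following Python is an added example, not code from the thread or from Tomcat; it reproduces that computation, checks a submitted password against a constructed Users table, and flags rows (such as a crypt()-ed value) that can never match. The table contents, the username "testuser" and the ISO-8859-1 encoding are assumptions.

```python
import hashlib
import hmac
import re

# Tomcat's digest="..." attribute takes Java MessageDigest names; map the ones
# Peter lists onto hashlib names. MD2 is not in hashlib, so it is left out here.
ALGORITHMS = {"MD5": "md5", "SHA": "sha1"}

# Constructed sample of the Users table from the thread (username -> password
# column). "oki" holds the digest of "12345" made Oki's way, from a file with
# no trailing newline; "testuser" holds a crypt()-style value like the one Oki
# first stored, which no digest setting will ever match.
USERS = {
    "oki": "827ccb0eea8a706c4c34a16891f84e7b",
    "testuser": "teH0wLIpW0gyQ",
}

def tomcat_digest(password: str, algorithm: str = "MD5") -> str:
    """The credential string JDBCRealm compares against: lowercase hex of the
    digest of the raw password bytes. No salt, no iteration and no newline are
    involved, which is why the second Ctrl-D mattered: piping 'echo 12345'
    into md5sum would digest the password plus a newline instead.
    Tomcat uses the platform default charset; ISO-8859-1 is assumed here."""
    return hashlib.new(ALGORITHMS[algorithm], password.encode("ISO-8859-1")).hexdigest()

def looks_like_digest(stored: str, algorithm: str = "MD5") -> bool:
    """Audit check for the userCredCol column: a value that is not hex of the
    digest's length (32 chars for MD5, 40 for SHA) can never authenticate."""
    expected_len = hashlib.new(ALGORITHMS[algorithm]).digest_size * 2
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % expected_len, stored) is not None

def check_password(username: str, submitted: str, algorithm: str = "MD5") -> bool:
    """Mirror the realm's decision: find the row, compare digests in constant time."""
    stored = USERS.get(username)
    if stored is None or not looks_like_digest(stored, algorithm):
        return False
    return hmac.compare_digest(stored.lower(), tomcat_digest(submitted, algorithm))

def audit_users(algorithm: str = "MD5") -> list:
    """Usernames whose stored credential is not in the form the realm expects."""
    return [u for u, cred in USERS.items() if not looks_like_digest(cred, algorithm)]

if __name__ == "__main__":
    print(tomcat_digest("12345"))  # 827ccb0eea8a706c4c34a16891f84e7b
    print(check_password("oki", "12345"), check_password("oki", "12345\n"))
    print("rows that can never match:", audit_users())
```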

Re: JDBC Realm is gone

Posted by Gerry Duhig <ge...@nectar.demon.co.uk>.
Oki,

I have tried to set this up but failed! I get an exception as soon as I try
to access the servlet.

I suspect I have some stuff missing.

Should I have a WEB-INF/sample.properties file and what should be in it?

Gerry



----- Original Message -----
From: "Oki DZ" <ok...@bdg.pindad.com>
To: <to...@jakarta.apache.org>
Sent: Tuesday, May 15, 2001 8:44 AM
Subject: Re: JDBC Realm is gone


> Hi,
>
> I can get the MD5 authentication working.
> In my server.xml:
> <Context path="/test" docBase="test" debug="9"
>   reloadable="true">
>      <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        digest="MD5"
>        driverName="org.gjt.mm.mysql.Driver"
>        connectionURL="jdbc:mysql://myhost.com/James"
>        connectionName="guest"
>        connectionPassword=""
>        userTable="Users" userNameCol="username" userCredCol="password"
>        userRoleTable="userroles" roleNameCol="rolename" />
> </Context>
>
> I guess, it's the meaning of "attaching a realm to a context"; ie:
> inserting the realm element in the context element.
>
> My webapp's web.xml:
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">
>
> <web-app>
>   <servlet>
>       <servlet-name>sample</servlet-name>
>       <servlet-class>SampleServlet</servlet-class>
>       <init-param>
>         <param-name>properties</param-name>
> <param-value>WEB-INF/sample.properties</param-value>
>       </init-param>
>       <security-role-ref>
>          <role-name>test</role-name>
>               <!-- ^^^^ this could be arbitrary it seems. Tomcat doesn't use it;
>                    ie: the servlets don't have hard-wired "internal roles" -->
>          <role-link>tomcat</role-link>
>                <!-- ^^^^^^ this "link" links to the role-name in the auth-constraint below -->
>       </security-role-ref>
>   </servlet>
>    <servlet-mapping>
>        <servlet-name>sample</servlet-name>
>        <url-pattern>/sample</url-pattern>
>    </servlet-mapping>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Entire Application</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>
>     <auth-constraint>
>        <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <!-- Define the Login Configuration for this Application -->
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>            <!-- ^^^^^ this has to be BASIC (no "DIGEST," to be exact :-)
>                 meaning: using the browser login box -->
>     <realm-name>Test Application</realm-name>
>   </login-config>
> </web-app>
>
> BTW, if I don't want to use any role for the authentication, how should
> I proceed? I mean, username-password pairs in the users' database should
> be sufficient. (With the roles set up, I have to maintain another table;
> ie: userroles.)
>
> BTW2, useful references:
> * Tomcat docs in the source directories.
> * http://e-docs.bea.com/wls/docs60/programming/web_xml.html
>
> Oki


Re: JDBC Realm is gone

Posted by Oki DZ <ok...@bdg.pindad.com>.
Hi,

I can get the MD5 authentication working.
In my server.xml:
    <Context path="/test" docBase="test" debug="9"
      reloadable="true">
         <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           digest="MD5"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://myhost.com/James"
           connectionName="guest"
           connectionPassword=""
           userTable="Users" userNameCol="username" userCredCol="password"
           userRoleTable="userroles" roleNameCol="rolename" />
    </Context>

I guess, it's the meaning of "attaching a realm to a context"; ie:
inserting the realm element in the context element.

My webapp's web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">

<web-app>
  <servlet>
      <servlet-name>sample</servlet-name>
      <servlet-class>SampleServlet</servlet-class>
      <init-param>
        <param-name>properties</param-name>
	<param-value>WEB-INF/sample.properties</param-value>
      </init-param>
      <security-role-ref>
         <role-name>test</role-name>
              <!-- ^^^^ this could be arbitrary it seems. Tomcat doesn't use it;
                   ie: the servlets don't have hard-wired "internal roles" -->
         <role-link>tomcat</role-link>
               <!-- ^^^^^^ this "link" links to the role-name in the auth-constraint below -->
      </security-role-ref>
  </servlet>
   <servlet-mapping>
       <servlet-name>sample</servlet-name>
       <url-pattern>/sample</url-pattern>
   </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
       <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Define the Login Configuration for this Application -->

  <login-config>
    <auth-method>BASIC</auth-method>
           <!-- ^^^^^ this has to be BASIC (no "DIGEST," to be exact :-)
                meaning: using the browser login box -->
    <realm-name>Test Application</realm-name>
  </login-config>
</web-app>

BTW, if I don't want to use any role for the authentication, how should
I proceed? I mean, username-password pairs in the users' database should
be sufficient. (With the roles set up, I have to maintain another table;
ie: userroles.)

BTW2, useful references:
* Tomcat docs in the source directories.
* http://e-docs.bea.com/wls/docs60/programming/web_xml.html

Oki

Re: JDBC Realm is gone

Posted by "Peter B. West" <pb...@powerup.com.au>.
Bip Thelin wrote:
> 
> On Mon, 14 May 2001, Oki DZ wrote:
> >
> > I already have the JDBC connection and the tables set up. I also looked
> > up in the bottom of the Tomcat Manager's web.xml. Problem is, the
> > auth-method attribute (?) declared as BASIC; what does that mean? In
> > Apache web server parlance, AFAIK, it means clear text authentication
> > using Unix crypt encryption. I'm not so clear. Last week I tried to put
> > a plain text and also crypt()-ed test password on the users' table, but
> > didn't get it working. I don't know what the problem was. What I did was
> > to encrypt a test password using perl -e 'print crypt("", "test");' and
> > then stored it on the database.
> 
> If you wanna use encrypted password you have to turn on digest on the realm.
> Look in JDBCRealm-howto, basically you turn on digest and choose the algorithm
> you want to use, then you have to generate your password with the same algorithm.
> 
> i.e.
> <Realm ... Digest="MD5">
> 
> For convenience there's a public class in JDBCRealm that generates the
> password for you, again this is outlined in the JDBCRealm-howto.

Note that the references to `Digest' with a capital `D' in server.xml
and the JDBCRealm class must be `digest' with a lower-case `d'.  The
usage of the public class (in 3.3 at least) is
java org.apache.tomcat.modules.aaa.JDBCRealm -a MD5 passwd1 [passwd2 ...]

The `MD5' may be replaced by another supported algorithm (only MD2 or
SHA, I think), and you may provide one or more plaintext passwords to be
digested.

Peter
-- 
Peter B. West  pbwest@powerup.com.au  http://powerup.com.au/~pbwest
"Lord, to whom shall we go?"

Re: JDBC Realm is gone

Posted by Oki DZ <ok...@bdg.pindad.com>.
Bip Thelin wrote:
> If you wanna use encrypted password you have to turn on digest on the realm.
> Look in JDBCRealm-howto, basically you turn on digest and choose the algorithm
> you want to use, then you have to generate your password with the same algorithm.
> 
> i.e.
> <Realm ... Digest="MD5">

And where... this would be?
I have visited www.apache.org/tomcat/src/doc/JDBCRealm.howto, yet
there's no mention about Digest realms. (I use Tomcat 4.0b4).

Yes, I have stored the password using MD5 and added 'Digest="MD5"' on
the server.xml. Now I still can't login. It's getting better, though.
Yesterday, I only had "HTTP status 401," without the login panel.

> For convenience there's a public class in JDBCRealm that generates the
> password for you, again this is outlined in the JDBCRealm-howto.

It seems that you have access to a newer JDBCRealm-howto; where did you
get it?

BTW, I have the following in my webapp's web.xml:

  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Test Application</realm-name>
  </login-config>

Interestingly, if I misspelled the "DIGEST" above, then the webapp would
run without any authentication. I think it should be the other way
around; if Tomcat is not so clear about the authentication methods, then
block the access.

Oki
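
Oki's observation that a misspelled auth-method leaves the webapp running with no authentication at all is worth checking for mechanically before a web.xml is deployed. The Python below is an added example, not from the thread or from Tomcat: it parses a web.xml and reports an auth-method outside the values the Servlet 2.3 DTD allows, a security-constraint with no auth-constraint (open to everyone) and one with an empty auth-constraint (denies everyone). The sample web.xml is constructed, modelled on Oki's, with the typo put back in.

```python
import xml.etree.ElementTree as ET

# auth-method values the Servlet 2.3 web-app DTD allows. Oki reports that the
# Tomcat build in the thread silently skips authentication on any other value.
VALID_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}

# Constructed web.xml modelled on the thread's (DOCTYPE omitted for brevity),
# with the misspelled auth-method Oki describes plus a second constraint that
# has no auth-constraint at all.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>DIGETS</auth-method>
    <realm-name>Test Application</realm-name>
  </login-config>
</web-app>"""

def _text(el, tag):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else None

def audit_web_xml(xml_text: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = root.findall("security-constraint")
    for sc in constraints:
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern") if p.text]
        if sc.find("auth-constraint") is None:
            findings.append(f"constraint on {patterns} has no auth-constraint: open to everyone")
        elif not sc.findall("auth-constraint/role-name"):
            findings.append(f"constraint on {patterns} has an empty auth-constraint: denies everyone")
    login = root.find("login-config")
    method = _text(login, "auth-method") if login is not None else None
    if constraints and method not in VALID_AUTH_METHODS:
        findings.append(f"auth-method {method!r} is not one of {sorted(VALID_AUTH_METHODS)}: authentication may be skipped")
    return findings
```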

Re: JDBC Realm is gone

Posted by Bip Thelin <bi...@apache.org>.
On Mon, 14 May 2001, Oki DZ wrote:
>
> I already have the JDBC connection and the tables set up. I also looked
> up in the bottom of the Tomcat Manager's web.xml. Problem is, the
> auth-method attribute (?) declared as BASIC; what does that mean? In
> Apache web server parlance, AFAIK, it means clear text authentication
> using Unix crypt encryption. I'm not so clear. Last week I tried to put
> a plain text and also crypt()-ed test password on the users' table, but
> didn't get it working. I don't know what the problem was. What I did was
> to encrypt a test password using perl -e 'print crypt("", "test");' and
> then stored it on the database.

If you wanna use encrypted password you have to turn on digest on the realm.
Look in JDBCRealm-howto, basically you turn on digest and choose the algorithm
you want to use, then you have to generate your password with the same algorithm.

i.e.
<Realm ... Digest="MD5">

For convenience there's a public class in JDBCRealm that generates the
password for you, again this is outlined in the JDBCRealm-howto.

Hope you get it to work.

	..bip


Re: JDBC Realm is gone

Posted by Oki DZ <ok...@bdg.pindad.com>.
Bip Thelin wrote:
> I suggest you read the JDBCRealm-howto.html which should be in the
> docs directory of your distribution. Basically what you need to do besides
> what you've already done is to set up the tables (if you haven't already)
> and also check in the bottom of web.xml how to invoke a realm.

I already have the JDBC connection and the tables set up. I also looked
up in the bottom of the Tomcat Manager's web.xml. Problem is, the
auth-method attribute (?) declared as BASIC; what does that mean? In
Apache web server parlance, AFAIK, it means clear text authentication
using Unix crypt encryption. I'm not so clear. Last week I tried to put
a plain text and also crypt()-ed test password on the users' table, but
didn't get it working. I don't know what the problem was. What I did was
to encrypt a test password using perl -e 'print crypt("", "test");' and
then stored it on the database.

Oki

Re: JDBC Realm is gone

Posted by Bip Thelin <bi...@apache.org>.
On Sat, 12 May 2001, Oki DZ wrote:

> 
> Hi,
> 
> I downloaded the b4 the other day. Now I can start Tomcat using a JDBC
> Realm. Thanks for the world-class bug fix.
>
> [...]
>
> Question is, how can one be restricted or allowed to enter a realm? I
> started Tomcat with the above setting, but still, if I access
> http://bdg:8080, I get the Tomcat main page. I expect to see some access
> error. Well, I haven't read the manual on Tomcat Realms, but I think
> maybe some of you wouldn't mind telling briefly how the realms work.

I suggest you read the JDBCRealm-howto.html which should be in the
docs directory of your distribution. Basically what you need to do besides
what you've already done is to set up the tables (if you haven't already)
and also check in the bottom of web.xml how to invoke a realm.

	..bip