You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Rian Brand <ri...@gmail.com> on 2006/05/20 15:01:33 UTC
JDBCRealm authentication failing with MD5
Hi all
I am trying to set up a security realm on Tomcat using JDBCRealm and MD5
encryption. It works perfectly when using plain text, but it fails the
moment I switch to a MD5 digest. I have been through the documentation,
forums and FAQ's but I am afraid I can not resolve this on my own, so help
would be appreciated.
When attempting to login, the logfile simply states:
JDBCRealm[/asdf]: Username username1 NOT successfully authenticated
I checked and when generating the MD5 with the command line it seems the
same. I have tried to play with the database character encoding, without
success. If this is the incorrect, please point it out.
The relevant section of the context file is:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
digest="MD5"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost:3306/mydb?user=myusername&password
=mypassword"
userTable="authuser" userNameCol="uname" userCredCol="passwd"
userRoleTable="user_roles" roleNameCol="role_name"/>
In the web.xml, the relevant section is:
<security-constraint>
<display-name> Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>*.htm</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>operations</role-name>
</auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>My Authentication Area</realm-name>
<form-login-config>
<form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
<form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>operations</role-name>
</security-role>
The relevant part of the database schema is as follows:
CREATE TABLE authuser (
id int(4) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
uname varchar(25) NOT NULL UNIQUE default ''
COMMENT 'Username',
passwd varchar(32) NOT NULL default ''
COMMENT 'Encrypted password',
INDEX FKIndexUserId (id)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='Users table';
CREATE TABLE user_roles (
id int(4) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT COMMENT 'Id',
uname varchar(15) not null
COMMENT 'name, same as in Authuser table',
role_name varchar(15) not null
COMMENT 'Role this user is allowed',
CONSTRAINT CSconstraint FOREIGN KEY (uname) REFERENCES authuser(uname)
);
ALTER TABLE user_roles ADD UNIQUE(uname, role_name);
Finally, at the risk of making the mail too long, here is the relevant parts
login.jsp:
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
<table cellspacing="0" cellpadding="0" align="center" width="700">
<tr>
<td valign="top" class="main_table" colspan="2"><br>
<b class="blue"> Log into system </b>
<hr align="left">
<br>
<table cellspacing="0" cellpadding="0">
<tr>
<td>
<img src="Images/lock1.jpg" alt="">
</td>
<td>
<table>
<tr>
<td
align="right" class="input_table_td">Username:</td>
<td
class="input_table_td"><input type="text" name="j_username"></td>
</tr>
<tr>
<td
align="right" class="input_table_td2">Password:</td>
<td
class="input_table_td2"><input type="password" name="j_password"></td>
</tr>
<tr>
<td
align="right"><input type="submit" value="Log In"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
I am using:
Tomcat 5.0
MySql 4.1.7nt
JDK 1.4
Thank you in advance
Rian
Re: JDBCRealm authentication failing with MD5
Posted by Martin Gainty <mg...@hotmail.com>.
a most Instructive Tutorial is located here
http://www.unix.org.ua/orelly/java-ent/security/ch09_03.htm
Thanks,
Martin --
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "Rian Brand" <ri...@gmail.com>
To: "'Tomcat Users List'" <us...@tomcat.apache.org>; "'Martin Gainty'"
<mg...@hotmail.com>
Sent: Sunday, May 21, 2006 6:45 AM
Subject: RE: JDBCRealm authentication failing with MD5
> Martin
>
> Thanks for the reply. I already went through a similar page, but with no
> success.
>
> Subsequent to your reply I kept trying and found that the reason was that
> I
> was not using org.apache.catalina.realm.RealmBase to create the digest,
> but
> rather java.security.MessageDigest. This seems to have caused some
> problem,
> since although the digest looked similar, it was not.
>
> Thanks for the help
>
> Regards,
>
> Rian
>
> -----Original Message-----
> From: Martin Gainty [mailto:mgainty@hotmail.com]
> Sent: 20 May 2006 15:56
> To: Tomcat Users List
> Subject: Re: JDBCRealm authentication failing with MD5
>
> Good Morning Rian-
>
> I would suggest having a look at and following all of the steps in the
> JDBC
> How to tutorial at
> http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html
> the important item here is to exercise the basic functionality of
> generating
>
> a digested MD5 password which can be accomplished with command line
> java org.apache.tomcat.modules.aaa.RealmBase -a MD5 <password>
> where password is the plain text password to be digested
> Anyone else ??
> Martin --
>
> This email message and any files transmitted with it contain confidential
> information intended only for the person(s) to whom this email message is
> addressed. If you have received this email message in error, please
> notify
> the sender immediately by telephone or email and destroy the original
> message without making a copy. Thank you.
>
> ----- Original Message -----
> From: "Rian Brand" <ri...@gmail.com>
> To: <us...@tomcat.apache.org>
> Sent: Saturday, May 20, 2006 9:01 AM
> Subject: JDBCRealm authentication failing with MD5
>
>
>> Hi all
>>
>>
>>
>> I am trying to set up a security realm on Tomcat using JDBCRealm and MD5
>> encryption. It works perfectly when using plain text, but it fails the
>> moment I switch to a MD5 digest. I have been through the documentation,
>> forums and FAQ's but I am afraid I can not resolve this on my own, so
>> help
>> would be appreciated.
>>
>>
>>
>> When attempting to login, the logfile simply states:
>>
>> JDBCRealm[/asdf]: Username username1 NOT successfully authenticated
>>
>>
>>
>> I checked and when generating the MD5 with the command line it seems the
>> same. I have tried to play with the database character encoding, without
>> success. If this is the incorrect, please point it out.
>>
>>
>>
>> The relevant section of the context file is:
>>
>> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>>
>> digest="MD5"
>>
>> driverName="org.gjt.mm.mysql.Driver"
>>
>>
>>
> connectionURL="jdbc:mysql://localhost:3306/mydb?user=myusername&password
>> =mypassword"
>>
>> userTable="authuser" userNameCol="uname" userCredCol="passwd"
>>
>> userRoleTable="user_roles" roleNameCol="role_name"/>
>>
>>
>>
>> In the web.xml, the relevant section is:
>>
>> <security-constraint>
>>
>> <display-name> Security Constraint</display-name>
>>
>> <web-resource-collection>
>>
>> <web-resource-name>Protected Area</web-resource-name>
>>
>> <!-- Define the context-relative URL(s) to be protected -->
>>
>> <url-pattern>*.htm</url-pattern>
>>
>> </web-resource-collection>
>>
>> <auth-constraint>
>>
>> <!-- Anyone with one of the listed roles may access this area -->
>>
>> <role-name>operations</role-name>
>>
>> </auth-constraint>
>>
>> </security-constraint>
>>
>>
>>
>> <!-- Default login configuration uses form-based authentication -->
>>
>> <login-config>
>>
>> <auth-method>FORM</auth-method>
>>
>> <realm-name>My Authentication Area</realm-name>
>>
>> <form-login-config>
>>
>> <form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
>>
>> <form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
>>
>> </form-login-config>
>>
>> </login-config>
>>
>>
>>
>> <!-- Security roles referenced by this web application -->
>>
>> <security-role>
>>
>> <role-name>operations</role-name>
>>
>> </security-role>
>>
>>
>>
>> The relevant part of the database schema is as follows:
>>
>> CREATE TABLE authuser (
>>
>> id int(4) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
>>
>> uname varchar(25) NOT NULL UNIQUE default ''
>> COMMENT 'Username',
>>
>> passwd varchar(32) NOT NULL default ''
>> COMMENT 'Encrypted password',
>>
>> INDEX FKIndexUserId (id)
>>
>> ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='Users table';
>>
>>
>>
>> CREATE TABLE user_roles (
>>
>> id int(4) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT COMMENT
>> 'Id',
>>
>> uname varchar(15) not null
>> COMMENT 'name, same as in Authuser table',
>>
>> role_name varchar(15) not null
>> COMMENT 'Role this user is allowed',
>>
>> CONSTRAINT CSconstraint FOREIGN KEY (uname) REFERENCES authuser(uname)
>>
>> );
>>
>> ALTER TABLE user_roles ADD UNIQUE(uname, role_name);
>>
>>
>>
>> Finally, at the risk of making the mail too long, here is the relevant
>> parts
>> login.jsp:
>>
>> <form method="POST" action='<%= response.encodeURL("j_security_check")
>> %>'
>
>> >
>>
>> <table cellspacing="0" cellpadding="0" align="center" width="700">
>>
>> <tr>
>>
>> <td valign="top" class="main_table"
>> colspan="2"><br>
>>
>> <b class="blue"> Log into system </b>
>>
>> <hr align="left">
>>
>> <br>
>>
>> <table cellspacing="0" cellpadding="0">
>>
>> <tr>
>>
>>
>> <td>
>> <img src="Images/lock1.jpg" alt="">
>>
>>
>> </td>
>>
>> <td>
>>
>> <table>
>>
>> <tr>
>>
>>
>> <td
>> align="right" class="input_table_td">Username:</td>
>>
>>
>> <td
>> class="input_table_td"><input type="text" name="j_username"></td>
>>
>> </tr>
>>
>> <tr>
>>
>>
>> <td
>> align="right" class="input_table_td2">Password:</td>
>>
>>
>> <td
>> class="input_table_td2"><input type="password" name="j_password"></td>
>>
>> </tr>
>>
>> <tr>
>>
>> <td
>> align="right"><input type="submit" value="Log In"></td>
>>
>> </tr>
>>
>> </table>
>>
>> </td>
>>
>> </tr>
>>
>> </table>
>>
>> </form>
>>
>>
>>
>> I am using:
>>
>> Tomcat 5.0
>>
>> MySql 4.1.7nt
>>
>> JDK 1.4
>>
>>
>>
>> Thank you in advance
>>
>>
>>
>> Rian
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: JDBCRealm authentication failing with MD5
Posted by Rian Brand <ri...@gmail.com>.
Martin
Thanks for the reply. I already went through a similar page, but with no
success.
Subsequent to your reply I kept trying and found that the reason was that I
was not using org.apache.catalina.realm.RealmBase to create the digest, but
rather java.security.MessageDigest. This seems to have caused some problem,
since although the digest looked similar, it was not.
Thanks for the help
Regards,
Rian
-----Original Message-----
From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: 20 May 2006 15:56
To: Tomcat Users List
Subject: Re: JDBCRealm authentication failing with MD5
Good Morning Rian-
I would suggest having a look at and following all of the steps in the JDBC
How to tutorial at
http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html
the important item here is to exercise the basic functionality of generating
a digested MD5 password which can be accomplished with command line
java org.apache.tomcat.modules.aaa.RealmBase -a MD5 <password>
where password is the plain text password to be digested
Anyone else ??
Martin --
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "Rian Brand" <ri...@gmail.com>
To: <us...@tomcat.apache.org>
Sent: Saturday, May 20, 2006 9:01 AM
Subject: JDBCRealm authentication failing with MD5
> Hi all
>
>
>
> I am trying to set up a security realm on Tomcat using JDBCRealm and MD5
> encryption. It works perfectly when using plain text, but it fails the
> moment I switch to a MD5 digest. I have been through the documentation,
> forums and FAQ's but I am afraid I can not resolve this on my own, so help
> would be appreciated.
>
>
>
> When attempting to login, the logfile simply states:
>
> JDBCRealm[/asdf]: Username username1 NOT successfully authenticated
>
>
>
> I checked and when generating the MD5 with the command line it seems the
> same. I have tried to play with the database character encoding, without
> success. If this is the incorrect, please point it out.
>
>
>
> The relevant section of the context file is:
>
> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>
> digest="MD5"
>
> driverName="org.gjt.mm.mysql.Driver"
>
>
>
connectionURL="jdbc:mysql://localhost:3306/mydb?user=myusername&password
> =mypassword"
>
> userTable="authuser" userNameCol="uname" userCredCol="passwd"
>
> userRoleTable="user_roles" roleNameCol="role_name"/>
>
>
>
> In the web.xml, the relevant section is:
>
> <security-constraint>
>
> <display-name> Security Constraint</display-name>
>
> <web-resource-collection>
>
> <web-resource-name>Protected Area</web-resource-name>
>
> <!-- Define the context-relative URL(s) to be protected -->
>
> <url-pattern>*.htm</url-pattern>
>
> </web-resource-collection>
>
> <auth-constraint>
>
> <!-- Anyone with one of the listed roles may access this area -->
>
> <role-name>operations</role-name>
>
> </auth-constraint>
>
> </security-constraint>
>
>
>
> <!-- Default login configuration uses form-based authentication -->
>
> <login-config>
>
> <auth-method>FORM</auth-method>
>
> <realm-name>My Authentication Area</realm-name>
>
> <form-login-config>
>
> <form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
>
> <form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
>
> </form-login-config>
>
> </login-config>
>
>
>
> <!-- Security roles referenced by this web application -->
>
> <security-role>
>
> <role-name>operations</role-name>
>
> </security-role>
>
>
>
> The relevant part of the database schema is as follows:
>
> CREATE TABLE authuser (
>
> id int(4) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
>
> uname varchar(25) NOT NULL UNIQUE default ''
> COMMENT 'Username',
>
> passwd varchar(32) NOT NULL default ''
> COMMENT 'Encrypted password',
>
> INDEX FKIndexUserId (id)
>
> ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='Users table';
>
>
>
> CREATE TABLE user_roles (
>
> id int(4) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT COMMENT
> 'Id',
>
> uname varchar(15) not null
> COMMENT 'name, same as in Authuser table',
>
> role_name varchar(15) not null
> COMMENT 'Role this user is allowed',
>
> CONSTRAINT CSconstraint FOREIGN KEY (uname) REFERENCES authuser(uname)
>
> );
>
> ALTER TABLE user_roles ADD UNIQUE(uname, role_name);
>
>
>
> Finally, at the risk of making the mail too long, here is the relevant
> parts
> login.jsp:
>
> <form method="POST" action='<%= response.encodeURL("j_security_check") %>'
> >
>
> <table cellspacing="0" cellpadding="0" align="center" width="700">
>
> <tr>
>
> <td valign="top" class="main_table"
> colspan="2"><br>
>
> <b class="blue"> Log into system </b>
>
> <hr align="left">
>
> <br>
>
> <table cellspacing="0" cellpadding="0">
>
> <tr>
>
>
> <td>
> <img src="Images/lock1.jpg" alt="">
>
>
> </td>
>
> <td>
>
> <table>
>
> <tr>
>
> <td
> align="right" class="input_table_td">Username:</td>
>
> <td
> class="input_table_td"><input type="text" name="j_username"></td>
>
> </tr>
>
> <tr>
>
> <td
> align="right" class="input_table_td2">Password:</td>
>
> <td
> class="input_table_td2"><input type="password" name="j_password"></td>
>
> </tr>
>
> <tr>
>
> <td
> align="right"><input type="submit" value="Log In"></td>
>
> </tr>
>
> </table>
>
> </td>
>
> </tr>
>
> </table>
>
> </form>
>
>
>
> I am using:
>
> Tomcat 5.0
>
> MySql 4.1.7nt
>
> JDK 1.4
>
>
>
> Thank you in advance
>
>
>
> Rian
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: JDBCRealm authentication failing with MD5
Posted by Martin Gainty <mg...@hotmail.com>.
Good Morning Rian-
I would suggest having a look at and following all of the steps in the JDBC
How to tutorial at
http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html
the important item here is to exercise the basic functionality of generating
a digested MD5 password which can be accomplished with command line
java org.apache.tomcat.modules.aaa.RealmBase -a MD5 <password>
where password is the plain text password to be digested
Anyone else ??
Martin --
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "Rian Brand" <ri...@gmail.com>
To: <us...@tomcat.apache.org>
Sent: Saturday, May 20, 2006 9:01 AM
Subject: JDBCRealm authentication failing with MD5
> Hi all
>
>
>
> I am trying to set up a security realm on Tomcat using JDBCRealm and MD5
> encryption. It works perfectly when using plain text, but it fails the
> moment I switch to a MD5 digest. I have been through the documentation,
> forums and FAQ's but I am afraid I can not resolve this on my own, so help
> would be appreciated.
>
>
>
> When attempting to login, the logfile simply states:
>
> JDBCRealm[/asdf]: Username username1 NOT successfully authenticated
>
>
>
> I checked and when generating the MD5 with the command line it seems the
> same. I have tried to play with the database character encoding, without
> success. If this is the incorrect, please point it out.
>
>
>
> The relevant section of the context file is:
>
> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>
> digest="MD5"
>
> driverName="org.gjt.mm.mysql.Driver"
>
>
> connectionURL="jdbc:mysql://localhost:3306/mydb?user=myusername&password
> =mypassword"
>
> userTable="authuser" userNameCol="uname" userCredCol="passwd"
>
> userRoleTable="user_roles" roleNameCol="role_name"/>
>
>
>
> In the web.xml, the relevant section is:
>
> <security-constraint>
>
> <display-name> Security Constraint</display-name>
>
> <web-resource-collection>
>
> <web-resource-name>Protected Area</web-resource-name>
>
> <!-- Define the context-relative URL(s) to be protected -->
>
> <url-pattern>*.htm</url-pattern>
>
> </web-resource-collection>
>
> <auth-constraint>
>
> <!-- Anyone with one of the listed roles may access this area -->
>
> <role-name>operations</role-name>
>
> </auth-constraint>
>
> </security-constraint>
>
>
>
> <!-- Default login configuration uses form-based authentication -->
>
> <login-config>
>
> <auth-method>FORM</auth-method>
>
> <realm-name>My Authentication Area</realm-name>
>
> <form-login-config>
>
> <form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
>
> <form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
>
> </form-login-config>
>
> </login-config>
>
>
>
> <!-- Security roles referenced by this web application -->
>
> <security-role>
>
> <role-name>operations</role-name>
>
> </security-role>
>
>
>
> The relevant part of the database schema is as follows:
>
> CREATE TABLE authuser (
>
> id int(4) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
>
> uname varchar(25) NOT NULL UNIQUE default ''
> COMMENT 'Username',
>
> passwd varchar(32) NOT NULL default ''
> COMMENT 'Encrypted password',
>
> INDEX FKIndexUserId (id)
>
> ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='Users table';
>
>
>
> CREATE TABLE user_roles (
>
> id int(4) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT COMMENT
> 'Id',
>
> uname varchar(15) not null
> COMMENT 'name, same as in Authuser table',
>
> role_name varchar(15) not null
> COMMENT 'Role this user is allowed',
>
> CONSTRAINT CSconstraint FOREIGN KEY (uname) REFERENCES authuser(uname)
>
> );
>
> ALTER TABLE user_roles ADD UNIQUE(uname, role_name);
>
>
>
> Finally, at the risk of making the mail too long, here is the relevant
> parts
> login.jsp:
>
> <form method="POST" action='<%= response.encodeURL("j_security_check") %>'
> >
>
> <table cellspacing="0" cellpadding="0" align="center" width="700">
>
> <tr>
>
> <td valign="top" class="main_table"
> colspan="2"><br>
>
> <b class="blue"> Log into system </b>
>
> <hr align="left">
>
> <br>
>
> <table cellspacing="0" cellpadding="0">
>
> <tr>
>
>
> <td>
> <img src="Images/lock1.jpg" alt="">
>
>
> </td>
>
> <td>
>
> <table>
>
> <tr>
>
> <td
> align="right" class="input_table_td">Username:</td>
>
> <td
> class="input_table_td"><input type="text" name="j_username"></td>
>
> </tr>
>
> <tr>
>
> <td
> align="right" class="input_table_td2">Password:</td>
>
> <td
> class="input_table_td2"><input type="password" name="j_password"></td>
>
> </tr>
>
> <tr>
>
> <td
> align="right"><input type="submit" value="Log In"></td>
>
> </tr>
>
> </table>
>
> </td>
>
> </tr>
>
> </table>
>
> </form>
>
>
>
> I am using:
>
> Tomcat 5.0
>
> MySql 4.1.7nt
>
> JDK 1.4
>
>
>
> Thank you in advance
>
>
>
> Rian
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org