Posted to users@tomcat.apache.org by Andrew Kolchoogin <ga...@avalon-island.ru> on 2011/04/04 07:09:00 UTC

Tomcat 7.0 Manager/Host Manager authentication via Tomcat Realms -- is it possible at all?

Dear colleagues,

    I'm trying to use Tomcat Realms as authentication source
_specifically for Tomcat Manager and Host Manager_.

    Short problem description: it doesn't work.

    Long problem description: Tomcat even _doesn't try to initialise
MySQL connection_ -- I removed MySQL Connector/J for testing purposes,
and Tomcat hasn't given _ever any warning_ to me, besides of existence
of JDBC Realm in server.xml.

1. Yes, I do have fresh installation of Tomcat.
2. Yes, I do have Sun Java 2 EE v1.6.0.3 pl4 -- the latest one.
3. Yes, I have read Tomcat docs and have searched Google.

Nothing helps: all Google search results refer me either to
UserDatabase Realm and conf/tomcat-users.xml (that obviously works
well -- I've tested it) or to realm authentication for THIRD-PARTY
applications, that I'm not interested in.

Resource definitions:

=== conf/server.xml ===
<Server port="8005" shutdown="SHUTDOWN">

[ . . . . . . . . ]

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
    <Resource name="jdbc/auth" auth="Container"
              type="javax.sql.DataSource"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://host.domain.tld/database_name"
              username="db_username"
              password="db_password"
              maxActive="8"
              maxIdle="4" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

[ . . . . . . . . ]

    <Engine name="Catalina" defaultHost="localhost">

[ . . . . . . . . ]

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/auth"
               userTable="users" userNameCol="user" userCredCol="password"
               userRoleTable="roles" roleNameCol="role" />
      </Realm>

[ . . . . . . . . ]

    </Engine>
  </Service>
</Server>
===

Once more: there're no log errors and even there're no log _warnings_
after Tomcat is started by me and I'm making an attempt to use Tomcat
Manager. Tomcat gives me HTTP Basic Authentication window in my Web
browser, I'm entering login and password in it, and authentication
fails. No log errors/warnings given. Not even in a case I have removed
(!) mysql-connector-java.jar.

So, what am I doing wrong?
-- 
    Yours
        Andrew Kolchoogin.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 7.0 Manager/Host Manager authentication via Tomcat Realms -- is it possible at all?

Posted by Mark Thomas <ma...@apache.org>.
On 04/04/2011 15:13, Andrew Kolchoogin wrote:
>> You won't see any error messages from DataSourceRealm until you try and
>> use it and it fails.
> Trying to login is a usage attempt?

If it gets as far as the DataSourceRealm, yes.

>> Enabling debug logging for org.apache.catalina.realm should show you
>> what is going on.
> I'm not a Tomcat Guru -- what should I do with server.xml?

Nothing :)

Take a look at the comments at the end of
CATALINA_BASE/conf/logging.properties

org.apache.catalina.realm.level = FINE

should be what you need.

Also, make sure you check all the log files.

Mark






Re: Tomcat 7.0 Manager/Host Manager authentication via Tomcat Realms -- is it possible at all?

Posted by Andrew Kolchoogin <ga...@avalon-island.ru>.
Mark,

    hi there!

2011/4/4 Mark Thomas <ma...@apache.org>:

> This also looks OK, although if you aren't interested in using the
> UserDatabaseRealm, why is it still configured?
Just to test CombinedRealm functionality, although I've tried to
deconfigure UserDatabase entirely -- it doesn't help, too.

>> So, what am I doing wrong?
> Telling us which Tomcat 7 version you are using would be a start,
> although I'm not aware of any issues with any of them.
{177} root@staff:~ # pkg_info | grep tomcat
tomcat-7.0.6        Open-source Java web server by Apache, 7.x branch
tomcat-native-1.1.20_2 Tomcat native library

> You won't see any error messages from DataSourceRealm until you try and
> use it and it fails.
Trying to login is a usage attempt?

> Enabling debug logging for org.apache.catalina.realm should show you
> what is going on.
I'm not a Tomcat Guru -- what should I do with server.xml?
-- 
    Yours
        Andrew Kolchoogin.



Re: Tomcat 7.0 Manager/Host Manager authentication via Tomcat Realms -- is it possible at all?

Posted by Mark Thomas <ma...@apache.org>.
On 04/04/2011 06:09, Andrew Kolchoogin wrote:
> Nothing helps: all Google search results refer me either to
> UserDatabase Realm and conf/tomcat-users.xml (that obviously works
> well -- I've tested it) or to realm authentication for THIRD-PARTY
> applications, that I'm not interested in.

>     <Resource name="jdbc/auth" auth="Container"
>               type="javax.sql.DataSource"
>               driverClassName="com.mysql.jdbc.Driver"
>               url="jdbc:mysql://host.domain.tld/database_name"
>               username="db_username"
>               password="db_password"
>               maxActive="8"
>               maxIdle="4" />

That looks OK.

>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase" />
>         <Realm className="org.apache.catalina.realm.DataSourceRealm"
>                dataSourceName="jdbc/auth"
>                userTable="users" userNameCol="user" userCredCol="password"
>                userRoleTable="roles" roleNameCol="role" />
>       </Realm>

This also looks OK, although if you aren't interested in using the
UserDatabaseRealm, why is it still configured?

> Once more: there're no log errors and even there're no log _warnings_
> after Tomcat is started by me and I'm making an attempt to use Tomcat
> Manager. Tomcat gives me HTTP Basic Authentication window in my Web
> browser, I'm entering login and password in it, and authentication
> fails. No log errors/warnings given. Not even in a case I have removed
> (!) mysql-connector-java.jar.
> 
> So, what am I doing wrong?

Telling us which Tomcat 7 version you are using would be a start,
although I'm not aware of any issues with any of them.

You won't see any error messages from DataSourceRealm until you try and
use it and it fails.

Enabling debug logging for org.apache.catalina.realm should show you
what is going on.

Mark



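
Because DataSourceRealm reports nothing until a login actually reaches it (as Mark notes in the thread), a static check of server.xml can confirm beforehand that every nested realm points at a global JNDI resource of the right type. The script below is an added example, not code from the thread or from Tomcat; the function name and the sample XML are constructed here, and it checks name resolution only, not whether the JDBC driver is installed or the database is reachable.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's server.xml; the realm pointing
# at "jdbc/missing" is added here to show a dangling reference.
SAMPLE = """<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
    <Resource name="jdbc/auth" type="javax.sql.DataSource"/>
  </GlobalNamingResources>
  <Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/auth"/>
      <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/missing"/>
    </Realm>
  </Engine></Service>
</Server>"""

# Realm class -> (attribute holding the JNDI name, expected resource type)
REALM_REFS = {
    "UserDatabaseRealm": ("resourceName", "org.apache.catalina.UserDatabase"),
    "DataSourceRealm": ("dataSourceName", "javax.sql.DataSource"),
}

def check_realm_references(server_xml):
    """Return (realm, jndi_name, status) per realm, in the order listed."""
    root = ET.fromstring(server_xml)
    resources = {r.get("name"): r.get("type")
                 for r in root.findall("GlobalNamingResources/Resource")}
    results = []
    for realm in root.iter("Realm"):
        short = realm.get("className", "").rsplit(".", 1)[-1]
        if short not in REALM_REFS:
            continue  # LockOutRealm only wraps the nested realms
        attr, wanted = REALM_REFS[short]
        name = realm.get(attr)
        if realm.get("localDataSource") == "true":  # DataSourceRealm attribute
            status = "skipped (looked up in the web application's context)"
        elif name not in resources:
            status = "MISSING global resource"
        elif resources[name] != wanted:
            status = "WRONG type: %s" % resources[name]
        else:
            status = "ok"
        results.append((short, name, status))
    return results

if __name__ == "__main__":
    print(*check_realm_references(SAMPLE), sep="\n")
```

The result order is the order in which the nested realms are listed, which is also the order in which a combined realm such as LockOutRealm tries them.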