Posted to users@tomcat.apache.org by "Craig R. McClanahan" <cr...@apache.org> on 2002/08/27 17:59:32 UTC

Re: JDBCRealm + Form Based Auth. How do I tell it where to go if login is ok?


On 27 Aug 2002, Alexander Wallace wrote:

> Date: 27 Aug 2002 09:17:58 +0100
> From: Alexander Wallace <to...@rwsoft-online.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: JDBCRealm + Form Based Auth. How do I tell it where to go if
>     login is ok?
>
> Hello there. Very new to realms and java, so sorry if this is too
> stupid.
>
> I have set up a JDBCRealm using PostgreSQL and it all seems to work, It
> does connect and load the roles, and when I try to access protected
> resources, it does go to the Form based login I specify in web.xml and
> the error page for that works too.
>
> My question is, since the form action in the login page points to <%=
> response.encodeURL("j_security_check") %>, how, or where do I specify
> where my app goes after a successful login?
>

Short answer - your application should *never* reference the URL of the
login page, or the "j_security_check" page directly.

Longer answer - the basic philosophy of form-based login is to mimic BASIC
login.  The formal definition of the algorithm is in the servlet spec:

  http://java.sun.com/products/servlet/download.html

in Chapter 12.  Essentially, it goes like this on each request:

* Client submits a request for a particular URI

* Server determines if there is a security constraint
  covering that URI
  --> If none, allow the request to proceed

* Server determines if the user is already logged on
  --> If so, check roles and allow or disallow access

* Server SAVES the original request and sends back
  the form login page

* User submits the login credentials

* Server checks the credentials
  --> If incorrect, send back the form error page
  --> If correct, RESTORES the original request and proceeds

So, the answer to the question "where do I go after logging in" is "the
page you originally asked for that triggered the authentication dialog."

If the flow is still confusing, temporarily switch your application to use
BASIC authentication instead (where the browser pops up a
username/password dialog box).  There is no way to address that dialog
box, right?  Or to say where it should go afterwards?  That's because the
browser (in the case of BASIC) is doing the same thing -- it will resubmit
your original request for you along with the username/password.


> Thanks in advance!
>

Craig


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
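The request/save/restore cycle Craig lists above, as an added example that models the container's steps in Python (this is not Tomcat's code; the constraint table, the two users and the page names are constructed for the example). The model shows the point of the thread: after a successful `j_security_check` the client lands on the URI the container set aside, and a `j_security_check` that arrives with nothing saved has nowhere to go, which is why the application never links to it directly.

```python
"""Model of servlet form-based login: save request, show form, verify, restore."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for web.xml and the realm.
SECURITY_CONSTRAINTS = {"/admin/": {"Admin"}}      # URL prefix -> roles allowed
USERS = {"alice": ("secret", {"Admin"}),            # name -> (password, roles)
         "bob": ("hunter2", {"Sales"})}
LOGIN_PAGE = "/login"
ERROR_PAGE = "/loginError.jsp"


@dataclass
class Session:
    principal: Optional[str] = None
    roles: set = field(default_factory=set)
    saved_request: Optional[str] = None   # the URI the container set aside


@dataclass
class Response:
    status: int
    body: str                              # page served, or URI that was restored


def roles_for(uri):
    """Return the roles a constraint requires for this URI, or None if unconstrained."""
    for prefix, roles in SECURITY_CONSTRAINTS.items():
        if uri.startswith(prefix):
            return roles
    return None


def handle(session, uri):
    """One request through the container's security layer."""
    required = roles_for(uri)
    if required is None:
        return Response(200, uri)                  # no constraint: proceed
    if session.principal is not None:
        if session.roles & required:
            return Response(200, uri)              # logged on and authorized
        return Response(403, "forbidden")          # logged on, wrong role
    session.saved_request = uri                    # SAVE the original request
    return Response(200, LOGIN_PAGE)               # ...and send back the form


def j_security_check(session, username, password):
    """The form POST target. The application never links here itself."""
    if session.saved_request is None:
        # Nothing to restore: the form was reached directly (model's choice: 400).
        return Response(400, "no saved request")
    creds = USERS.get(username)
    if creds is None or not hmac.compare_digest(creds[0], password):
        return Response(200, ERROR_PAGE)           # incorrect: form error page
    session.principal = username
    session.roles = set(creds[1])
    original, session.saved_request = session.saved_request, None
    return handle(session, original)               # RESTORE and proceed
```

Run through `handle(s, "/admin/report")` then `j_security_check(s, "alice", "secret")` and the second call returns `/admin/report`, not a page the login form chose.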


Re: JDBCRealm + Form Based Auth. How do I tell it where to go if login is ok?

Posted by Alexander Wallace <to...@rwsoft-online.com>.
Cool! I get it, thank you very much.

Now I have another problem. When my app redirects to the login page, no
matter what I enter (an existing or nonexistent user in the database), I
am taken to the login error page. The user is null. How can I make sure
the users are being pulled from the db? Thank you in advance. Following
are my realm def in my context and then web.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://10.100.101.1/awallace?user=awallace;password=pass"
       userTable="tbl_users" userNameCol="user_name" userCredCol="password"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="MD5"/>

And my web.xml goes:

<web-app>

<!-- PostgreSQL resource for Connection Pooling -->
    <resource-ref>
        <description>postgreSQL Datasource</description>
        <res-ref-name>jdbc/postgres</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>

<!-- For the login        -->
    <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>com.lto.servlets.Login</servlet-class>
    </servlet>


    <servlet-mapping>
        <servlet-name>
            Login
        </servlet-name>
        <url-pattern>
            /login
        </url-pattern>
    </servlet-mapping>
    

<!-- Security Realm -->
        
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Java Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>   

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Java Application</realm-name>
      <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>    

     <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>Admin</role-name>
    </security-role>
    <security-role>
      <role-name>GM</role-name>
    </security-role>
    <security-role>
      <role-name>Sales</role-name>
    </security-role>

    <welcome-file-list>
        <welcome-file>/servlet/TestPGPool</welcome-file>
    </welcome-file-list>
    
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

</web-app>

Thanks again!

On Tue, 2002-08-27 at 16:59, Craig R. McClanahan wrote:
> 
> 
> On 27 Aug 2002, Alexander Wallace wrote:
> 
> > Date: 27 Aug 2002 09:17:58 +0100
> > From: Alexander Wallace <to...@rwsoft-online.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: Tomcat Users List <to...@jakarta.apache.org>
> > Subject: JDBCRealm + Form Based Auth. How do I tell it where to go if
> >     login is ok?
> >
> > Hello there. Very new to realms and java, so sorry if this is too
> > stupid.
> >
> > I have set up a JDBCRealm using PostgreSQL and it all seems to work, It
> > does connect and load the roles, and when I try to access protected
> > resources, it does go to the Form based login I specify in web.xml and
> > the error page for that works too.
> >
> > My question is, since the form action in the login page points to <%=
> > response.encodeURL("j_security_check") %>, how, or where do I specify
> > where my app goes after a successful login?
> >
> 
> Short answer - your application should *never* reference the URL of the
> login page, or the "j_security_check" page directly.
> 
> Longer answer - the basic philosophy of form-based login is to mimic BASIC
> login.  The formal definition of the algorithm is in the servlet spec:
> 
>   http://java.sun.com/products/servlet/download.html
> 
> in Chapter 12.  Essentially, it goes like this on each request:
> 
> * Client submits a request for a particular URI
> 
> * Server determines if there is a security constraint
>   covering that URI
>   --> If none, allow the request to proceed
> 
> * Server determines if the user is already logged on
>   --> If so, check roles and allow or disallow access
> 
> * Server SAVES the original request and sends back
>   the form login page
> 
> * User submits the login credentials
> 
> * Server checks the credentials
>   --> If incorrect, send back the form error page
>   --> If correct, RESTORES the original request and proceeds
> 
> So, the answer to the question "where do I go after logging in" is "the
> page you originally asked for that triggered the authentication dialog."
> 
> If the flow is still confusing, temporarily switch your application to use
> BASIC authentication instead (where the browser pops up a
> username/password dialog box).  There is no way to address that dialog
> box, right?  Or to say where it should go afterwards?  That's because the
> browser (in the case of BASIC) is doing the same thing -- it will resubmit
> your original request for you along with the username/password.
> 
> 
> > Thanks in advance!
> >
> 
> Craig
> 
> 



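A check worth running against the `<Realm>` posted above, as an added example (a Python model, not Tomcat or JDBCRealm code): the realm issues two lookups built from the attribute names, a credential query on `userTable` and a role query on `userRoleTable` keyed by the same `userNameCol`, and with `digest="MD5"` it compares the submitted password's lowercase hex MD5 against whatever is stored in `userCredCol`. A row that holds the cleartext password therefore fails for an existing user exactly as a missing row does. The attribute values are copied from the post; the table contents are constructed.

```python
"""Model of the JDBCRealm lookups and credential digest for the posted config."""
import hashlib
import hmac

# Attribute values copied from the <Realm> element in the post above.
REALM = {
    "userTable": "tbl_users", "userNameCol": "user_name", "userCredCol": "password",
    "userRoleTable": "user_roles", "roleNameCol": "role_name", "digest": "MD5",
}


def credential_query(cfg):
    """The lookup the realm runs to fetch the stored credential for a user."""
    return "SELECT {userCredCol} FROM {userTable} WHERE {userNameCol} = ?".format(**cfg)


def roles_query(cfg):
    """The role lookup; note it keys the role table by the *same* userNameCol."""
    return "SELECT {roleNameCol} FROM {userRoleTable} WHERE {userNameCol} = ?".format(**cfg)


def digest(cfg, password):
    """Lowercase hex digest of the password, which is what userCredCol must hold."""
    algorithm = cfg.get("digest")
    if not algorithm:
        return password                      # no digest attribute: stored cleartext
    return hashlib.new(algorithm.lower(), password.encode("utf-8")).hexdigest()


def authenticate(cfg, users, roles, username, password):
    """Return a principal dict, or None when the realm would report a null user."""
    stored = users.get(username)             # result of credential_query
    if stored is None:
        return None                          # no such row
    if not hmac.compare_digest(stored, digest(cfg, password)):
        return None                          # stored value is not the digest
    return {"name": username, "roles": list(roles.get(username, []))}


# Constructed sample tables standing in for the PostgreSQL rows.
TBL_USERS_OK = {"awallace": digest(REALM, "s3cret")}   # stored as MD5 hex
TBL_USERS_PLAIN = {"awallace": "s3cret"}               # stored in cleartext
USER_ROLES = {"awallace": ["Admin"]}
```

Loading the `password` column with `digest(REALM, ...)` output, or with the equivalent of `md5(...)` on the database side, is the data the realm expects for this configuration; `TBL_USERS_PLAIN` above is the shape that authenticates nobody.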