tomcat ignoring JDBC realm?
JGH

2005-03-24, 8:59 pm

I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
dialog box to appear when I try to access the application? I don't have
to do anything to my jsp code do I?

Here is my server.xml:

<Server port="8005" shutdown="shutdown" debug="0">

  <Service name="Tomcat-Apache">

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               address="127.0.0.1" port="8009" minProcessors="5"
               maxProcessors="75"
               enableLookups="false" acceptCount="10" debug="0"/>

    <Engine name="lightning" debug="0" defaultHost="localhost">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              timestamp="true"/>

      <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
             driverName="oracle.jdbc.driver.OracleDriver"
             connectionURL="jdbc:Oracle:thin:@sec-authdb.doit.wisc.edu:1531:secauthd"
             connectionName="bogus"
             connectionPassword="boguser"
             userTable="users" userNameCol="user_name"
             userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name"/>

      <Host name="localhost" debug="0" unpackWARs="true">
        <Context path=""
                 docBase="/home/tomcat/your_application"
                 debug="0" reloadable="true" />
      </Host>
    </Engine>

  </Service>

</Server>

Juha Laiho

2005-03-25, 4:00 pm

JGH <johnheim@nospam.tds.net> said:
>I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
>dialog box to appear when I try to access the application? I don't have
>to do anything to my jsp code do I?


Just introducing a realm isn't enough -- you'll need to declare the
protected pages in the application-specific web.xml. So, within
a single webapp you may have public resources and resources
requiring authentication.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

JGH

2005-03-28, 4:00 pm

Juha Laiho <Juha.Laiho@iki.fi> wrote in news:d21n0u$eee$4@ichaos.ichaos-int:

> JGH <johnheim@nospam.tds.net> said:
>
> Just introducing a realm isn't enough -- you'll need to declare the
> protected pages in the application-specific web.xml. So, within
> a single webapp you may have public resources and resources
> requiring authentication.



Thanks. The documentation on the apache web site just ended after
explaining how to create a realm. Actually, I think it's wrong in that
it says you have to modify the server.xml file and that's not true in
tomcat 5+. There's an xml file for each context and you can add it
there.

Anyway, now I've created login.jsp and error.jsp pages and configured
the web.xml file within my application to display it for any doc
requested in the app. But when I try to log in, an empty document is
returned. Not the page I requested, not the error page, not an error
message.

If there was some troubleshooting guide I'd search that. But the
problem here is that there are so many steps, you can't do a partial
implementation and get some of it working. Arrgh!

Below is my web.xml and my login.jsp


web.xml:
<!-- Define a security constraint on this application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tpusers</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>TPUsers</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

login.jsp:

<html>
<head>
  <title>TPUsers Login</title>
</head>
<body>
  <!-- The container intercepts j_security_check; the field names
       j_username and j_password are fixed by the servlet spec -->
  <form method="POST" action="j_security_check">
    <table border="0" cellspacing="5">
      <tr>
        <th align="right">Username:</th>
        <td align="left"><input type="text" name="j_username"></td>
      </tr>
      <tr>
        <th align="right">Password:</th>
        <td align="left"><input type="password" name="j_password"></td>
      </tr>
      <tr>
        <td align="right"><input type="submit" value="Log In"></td>
        <td align="left"><input type="reset"></td>
      </tr>
    </table>
  </form>
</body>
</html>

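As an added example (not code from the thread), this is what JGH's Tomcat 5+ arrangement looks like when the Realm is moved out of server.xml and into the application's own META-INF/context.xml. The host name, SID, account, password and the two table layouts are placeholders; the `digest` attribute is a real JDBCRealm attribute and is shown here because with it the user_pass column holds a hex digest instead of the clear-text password that the server.xml above implies.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- META-INF/context.xml inside the webapp (Tomcat 5.x).
     The Realm now applies to this Context only, not to the whole Engine.
     Do not set path/docBase here; Tomcat derives them from the deployment.

     Tables the realm queries (placeholder names, same columns as the post):
       users      (user_name VARCHAR PRIMARY KEY, user_pass VARCHAR)
       user_roles (user_name VARCHAR, role_name VARCHAR)
     Note the role table must carry user_name too: the role lookup is
     effectively SELECT role_name FROM user_roles WHERE user_name = ?     -->
<Context reloadable="true">

  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@db.example.org:1521:EXAMPLE"
         connectionName="tomcat_auth"
         connectionPassword="CHANGE_ME"
         userTable="users"          userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA"/>

</Context>
```

With `digest="SHA"`, the value stored in user_pass must be the hex-encoded SHA-1 of the password (Tomcat ships a `org.apache.catalina.realm.RealmBase` main method that prints that digest for a given string); without the attribute, JDBCRealm compares the submitted password to the column value verbatim. Whichever you choose, the database account named in connectionName only needs SELECT on those two tables.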

Juha Laiho

2005-03-28, 4:00 pm

JGH <johnheim@nospam.tds.net> said:
>Juha Laiho <Juha.Laiho@iki.fi> wrote in news:d21n0u$eee$4@ichaos.ichaos-int:
>
>
>Thanks. The documentation on the apache web site just ended after
>explaining how to create a realm.


This problem appears to be common across J2EE app servers (some days
ago I helped a friend to pick together pieces of the J2EE login process
for BEA WebLogic).

I think this comes from the multiplicity of different developer roles
Sun has assigned for J2EE development process. Creating the realm is
one part of the game -- and this is documented in the server
administration guides (and is different for each type of server).
The other part is writing the application to utilise the realm
(and this is independent of the server).

>Actually, I think it's wrong in that it says you have to modify the
>server.xml file and that's not true in tomcat 5+. There's an xml file
>for each context and you can add it there.


You're right.


>Below is my web.xml and my login.jsp
>
>web.xml:
><!-- Define a security constraint on this application -->
><security-constraint>
> <web-resource-collection>
> <web-resource-name>Entire Application</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>tpusers</role-name>
> </auth-constraint>
></security-constraint>
>
><!-- Default login configuration uses form-based authentication -->
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>TPUsers</realm-name>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/error.jsp</form-error-page>
> </form-login-config>
> </login-config>


Ok, I think there's one piece missing here. You should also have:
<!-- Security roles referenced by this web application -->
<security-role>
<description>
Blabla
</description>
<role-name>tpusers</role-name>
</security-role>

.... to declare all the security roles that your application uses.

Other than that, I don't see a problem. Note that the ordering of elements
within web.xml makes a difference; the order for the above three
elements must be security-constraint, login-config, security-role.


Crosscheck what you have with either Tomcat admin webapp, or
the authentication example from the Tomcat example webapp.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

techguy_chicago@yahoo.com

2005-04-20, 4:00 am

why does Tomcat need to know what the roles are, anyways? is that a
J2EE spec or something? having to hardcode those values into a web.xml
file seems to defeat part of the purpose of using a database in the
first place - flexibility. but since most of the Tomcat devs are
smarter than me, I want to know why, b/c apparently more than a few
people thought it was a good idea...
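As an added example (not part of any post in the thread), here is the complete application-side half that Juha's answer describes, with the three elements in the order the Servlet 2.3 DTD prescribes (that DTD is what Tomcat 4 and 5 validate against, which is why the ordering matters). It also answers the last question in practice: `<security-role>` fixes the *names* the application's constraints may reference, while *which users hold* a role still comes from the realm's user_roles table at login time, so membership stays in the database. The `<display-name>` and the HTTPS requirement are assumptions added here; the HTTPS constraint only works if a connector with an SSL `redirectPort` is configured.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>TPUsers demo</display-name>

  <!-- 1. What is protected, and which role may reach it -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tpusers</role-name>
    </auth-constraint>
    <!-- assumption: require TLS so j_username/j_password never travel in clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. How the container collects credentials.
          The container serves the two pages below by forwarding, so the
          /* constraint above does not lock the user out of the login form -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TPUsers</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- 3. Every role named in an auth-constraint (or passed to
          request.isUserInRole) must be declared here; Tomcat logs a
          warning at deploy time for a role used but not declared -->
  <security-role>
    <description>Users allowed into the application</description>
    <role-name>tpusers</role-name>
  </security-role>
</web-app>
```

When a login produces an empty page, the first things to check are the catalina log for a realm connection error (the JDBCRealm only reports database failures there, never to the browser), that /error.jsp actually exists under the docBase, and that the user's row in user_roles spells the role exactly as `<role-name>` does, since role names are compared as strings.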

Copyright 2008 codecomments.com