tomcat-users mailing list archives

From "Rick Fincher" <...@tbird.com>
Subject Re: JDBCRealm
Date Mon, 06 Jan 2003 21:02:28 GMT
Hi Rob,

You have two separate sets of usernames and passwords here.  One that the
JDBC driver uses to open the database connection, and another set that
Tomcat reads from a database table and compares to what you type in when
prompted.

The realm stuff sets up when Tomcat starts, but it just sits there until you
try to get a JSP page that a webapp has designated in its web.xml to be
restricted.

When that happens, Tomcat will get your browser to generate a login dialog
box, or will run your login page if you use form based authentication.

Tomcat will then take the username and password that it gets from that and
generate an SQL statement to select the password column of the userTable
("pg_shadow" in your case) in the row where the username is equal to
whatever you typed into the login box.

It uses the connection opened to your user/password table when Tomcat
started and set up the realm using the driver, database name, usernames and
passwords that you supplied in the server.xml realm entry.

Tomcat then takes the password string that is returned and compares it to
what you typed in as a password.

If you have MD5 enabled it converts the password string you typed in to its
MD5 form before comparing it to what it pulls from the database.  In this
case you have to convert the password string to its MD5 format before you
store it in the Postgres database.

It looks like you have stuff set up properly; it also looks like the
username "tomcat" and password "tomcat" are getting you into the database
OK.

Since you are not able to log in to webapps that require no role, it looks
like the username or password that you are typing in when you try to log in
is not matching what Tomcat is getting from Postgres from the table
"pg_shadow" in the "usename" and "passwd" fields, respectively.

If there were some kind of error, with debug=99 your logs would have a lot of
error info, particularly if there were some SQL error.

I don't know what kind of logging Postgres has but you should see a
successful SQL statement handled by Postgres in the log at the time you try
to authenticate, even if authentication fails.

If so, what you are typing in for username/password just isn't matching
what's in the database, or more precisely what the JDBC driver is returning
from the database.

This could be a character set or case sensitivity issue with the JDBC driver
you are using.

This does work, believe it or not.  I've been using it for months with the
Firebird open source SQL database and various versions of Tomcat 4.1.X.

Rick

----- Original Message -----

> Does Tomcat process the JDBC Realm on start up, or only when a web app asks
> for authentication?  I seem to recall that I was unable to start Tomcat if
> the realm was not configured correctly.  Also, I see a postgres process (see
> below) which indicates a connection to the database.  The process
> shows 'tomcat' because that is the *user name* I am using in the realm
> configuration.
>
> The column names are correct (postgres uses 'usename' not 'username').
>
> The "tomcat" user has the correct privileges on the necessary tables.
>
> I have written a simple Java program that is able to connect and display data
> from pg_shadow and pg_groupview.  This program uses the same JDBC driver,
> connection URL, user name ("tomcat"), and password.
>
> I have created my own web app (thinking the admin or manager web apps might
> be the problem), but it is also unable to authenticate users.
>
> Any other ideas?  I am using the JPackage RPM - could that have anything to
> do with it?  How about the JPackage RPM for xerces-J2?  I know they have had
> problems with xerces before (unable to view example web apps).
>
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
>
> > Hi Rob,
> >
> > > Ok, I tried cleartext passwords, but I came up with the same result.  I
> > > don't understand why tomcat is able to start up at all, if the
> > > authentication is failing.
> >
> > Users are authenticated not Tomcat, so starting Tomcat has nothing
> > to do with authentication.  Tomcat is just a Java program.
> >
> > When a user tries to access a web app Tomcat will authenticate that
> > user if that web app's web.xml file tells it to. The manager app is
> > set up to require authentication.
> >
> > The web.xml file for admin is in
> > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > it is set up there.  If you want to authenticate users for your own
> > web apps, set up their web.xml security roles in a similar fashion.
> >
> > > When I run 'ps' after starting up tomcat, I see this process:
> > >
> > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0 00:00:00 postgres: tomcat template1 24.208.224.236 idle in transaction
> > >
> > > Seeing this makes me believe that Tomcat is correctly connecting to the
> > > database at startup.  Is this true?  If so, why can't the admin or manager
> > > apps authenticate?  They are using the same Realm (it's nested inside the
> > > <Engine> tag) and I'm supplying the same username and password.
> >
> > A couple of other things you can check:
> >
> > Should  userNameCol="usename" be userNameCol="username" ?
> >
> > Can you access Postgres data from that file in your web apps using that
> > driver and username/password?  You should be able to write a simple program
> > to read the role names from the database.
> >
> > Within Postgres have you granted select privileges to the database
> > table in template1 to the user tomcat in the tables pg_shadow and
> > pg_groupview?
> >
> > Can you use a db browser tool to log in as tomcat and execute an SQL
> > command like: SELECT groname FROM pg_groupview WHERE usename = 'tomcat'?
> >
> > Rick
> >
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> > >
> > > > Hi Rob,
> > > >
> > > > Try it in clear text without the MD5 digest, to verify that your
> > > > password, username, role, etc are correct.
> > > >
> > > > I had a lot of problems with digesting.
> > > >
> > > > Also some databases return column names in upper case even if they
> > > > are in lower case so you may want to try all caps on your db column
> > > > names.  I think you would get a different error message if this was
> > > > the case, though.
> > > >
> > > > Rick
> > > >
> > > > ----- Original Message -----
> > > >
> > > > > I'm trying to set up a JDBCRealm for use with the admin and manager
> > > > > webapps.
> > > > > The problem is that I am unable to authenticate any users.
> > > > >
> > > > > - Tomcat 4.1.18
> > > > > - Postgresql 7.3.1
> > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > - I can directly connect to my database with the username and password
> > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > - I have added the users to both groups
> > > > >
> > > > > Realm:
> > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > >        driverName="org.postgresql.Driver"
> > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > >            digest="MD5" />
> > > > >
> > > > > Log:
> > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > --
> > > > > Robert Abernethy IV
> > > > > Dynamic Edge, Inc.
> > > > > 734.975.0460
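
Added example, not part of the original thread and not Tomcat's own code: a Python model of the comparison described in the reply above (digest the typed password, compare it to the string read from the credential column), extended to name the usual reasons the two strings differ. The function names and sample rows are constructed for illustration; the PostgreSQL `md5` + md5(password + username) storage form is background knowledge, not something the thread states.

```python
import hashlib

def realm_digest(password, charset="utf-8"):
    # Hex MD5 of the typed password: the form a digest="MD5" realm compares.
    return hashlib.md5(password.encode(charset, "replace")).hexdigest()

def postgres_md5(password, username):
    # PostgreSQL's own encrypted form: "md5" + md5(password + username).
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

def diagnose(username, typed, stored, digest=True):
    """Explain why a typed password does or does not match the stored column."""
    if stored is None:
        return "no row: check userTable/userNameCol and column-name case"
    candidate = realm_digest(typed) if digest else typed
    if candidate == stored:
        return "match"
    if candidate == stored.strip():
        return "padding: fixed-width column returned trailing spaces"
    if digest and candidate == stored.lower():
        return "case: stored digest is upper-case hex"
    if digest and typed == stored:
        return "format: column holds cleartext but digest is enabled"
    if not digest and realm_digest(typed) == stored.lower():
        return "format: column holds an MD5 digest but digest is not enabled"
    if stored == postgres_md5(typed, username):
        return "format: column holds PostgreSQL's salted md5 form"
    if digest and realm_digest(typed, "latin-1") == stored.lower():
        return "charset: digest was computed over a different encoding"
    return "mismatch: wrong password or unknown storage format"

# Constructed sample rows: (username, typed password, value in credential column)
SAMPLES = [
    ("tomcat", "tomcat", realm_digest("tomcat")),
    ("tomcat", "tomcat", "tomcat"),
    ("tomcat", "tomcat", postgres_md5("tomcat", "tomcat")),
    ("tomcat", "tomcat", realm_digest("tomcat").upper()),
    ("tomcat", "tomcat", None),
]

if __name__ == "__main__":
    for user, typed, stored in SAMPLES:
        print(user, "->", diagnose(user, typed, stored, digest=True))
```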

