tomcat-users mailing list archives

From "Rob Abernethy IV" <aberne...@dynedge.com>
Subject Re: JDBCRealm
Date Tue, 07 Jan 2003 08:53:57 GMT
OK. I was able to get clear-text passwords to work, but I still can't get
encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
successfully open a connection to the database using the JDBCRealm set up in
the server.xml, but it is unable to authenticate users for the admin web app.
 I am using the same username and password (username = "tomcat", password =
"tomcat") for both the JDBCRealm and the admin web app.

JDBCRealm:
<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.postgresql.Driver"
    connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
   connectionName="abernethy" connectionPassword="gceIlu4DaR"
        userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
    userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:
usename  | passwd
-------------------------
tomcat   | md5efcc1c51a80be13b59cdb96d758a0184

pg_groupview:
 grosysid | groname | usesysid |  usename
----------+---------+----------+-----------
      101 | admin   |      102 | tomcat
      100 | manager |      102 | tomcat

postgresql log (for Tomcat start up):
Jan  7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
Jan  7 16:41:25 bilbo postgres[4329]: [1] LOG:  connection received:
host=24.208.224.236 port=33234
Jan  7 16:41:25 bilbo postgres[4329]: [2] LOG:  connection authorized:
user=tomcat database=template1
Jan  7 16:41:25 bilbo postgres[4329]: [3-1] LOG:  query: set datestyle to
'ISO'; select version(), case when pg_encoding_to_char(1) = 'SQL_ASCII' then
'UNKNOWN' else
Jan  7 16:41:25 bilbo postgres[4329]: [3-2]  getdatabaseencoding() end;
Jan  7 16:41:25 bilbo postgres[4329]: [4] LOG:  duration: 0.028513 sec
Jan  7 16:41:25 bilbo postgres[4329]: [5] LOG:  query: set client_encoding =
'UNICODE'; show autocommit
Jan  7 16:41:25 bilbo postgres[4329]: [6] LOG:  duration: 0.000260 sec
Jan  7 16:41:25 bilbo postgres[4329]: [7] LOG:  query: set autocommit = off; 
Jan  7 16:41:25 bilbo postgres[4329]: [8] LOG:  duration: 0.000198 sec

postgresql log (for admin web app authentication):
Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd FROM
pg_shadow WHERE usename = 'tomcat'
Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec

catalina_log.2003-01-07.txt:
2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
authenticated

Any more ideas?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Hi Rob,
> 
> You have two separate sets of usernames and passwords here.  One 
> that the JDBC driver uses to open the database connection, and 
> another set that Tomcat reads from a database table and compares to 
> what you type in when prompted.
> 
> The realm stuff sets up when Tomcat starts, but it just sits there 
> until you try to get a JSP page that a webapp has designated in its 
> web.xml to be restricted.
> 
> When that happens, Tomcat will get your browser to generate a login dialog
> box, or will run your login page if you use form based authentication.
> 
> Tomcat will then take the username and password that it gets from 
> that and generate an SQL statement to select the password column of 
> the userTable
> ("pg_shadow" in your case) in the row where the username is equal to 
> whatever you typed into the login box.
> 
> It uses the connection opened to your user/password table when Tomcat
> started and set up the realm using the driver, database name,
>  usernames and passwords that you supplied in the server.xml realm entry.
> 
> Tomcat then takes the password string that is returned and compares 
> it to what you typed in as a password.
> 
> If you have MD5 enabled it converts the password string you typed in 
> to its MD5 form before comparing it to what it pulls from the 
> database.  In this case you have to convert the password string to 
> its MD5 format before you store it in the Postgres database.
> 
> It looks like you have stuff set up properly, it also looks like the
> username "tomcat" and password "tomcat" are getting you into the database
> OK.
> 
> Since you are not able to log in to webapps that require no role, it 
> looks like the username or password that you are typing in when you 
> try to log in is not matching what tomcat is getting from Postgres 
> from the table "pg_shadow" in the "usename" and "passwd" fields, respectively.
> 
> If there were some kind of error, with debug=99 your logs would have 
> a lot of error info, particularly if there were some SQL error.
> 
> I don't know what kind of logging Postgres has but you should see a
> successful SQL statement handled by Postgres in the log at the time 
> you try to authenticate, even if authentication fails.
> 
> If so, what you are typing in for username/password just isn't matching
> what's in the database, or more precisely what the JDBC driver is returning
> from the database.
> 
> This could be a character set or case sensitivity issue with the 
> JDBC driver you are using.
> 
> This does work, believe it or not.  I've been using it for months 
> with the Firebird open source SQL database and various versions of 
> Tomcat 4.1.X.
> 
> Rick
> 
> ----- Original Message -----
> 
> > Does Tomcat process the JDBC Realm on start up, or only when a web app asks
> > for authentication?  I seem to recall that I was unable to start Tomcat if
> > the realm was not configured correctly.  Also, I see a postgres process (see
> > below) which indicates a connection to the database.  The process
> > shows 'tomcat' because that is the *user name* I am using in the realm
> > configuration.
> >
> > The column names are correct (postgres uses 'usename' not 'username').
> >
> > The "tomcat" user has the correct privileges on the necessary tables.
> >
> > I have written a simple Java program that is able to connect and display data
> > from pg_shadow and pg_groupview.  This program uses the same JDBC driver,
> > connection URL, user name ("tomcat"), and password.
> >
> > I have created my own web app (thinking the admin or manager web apps might
> > be the problem), but it is also unable to authenticate users.
> >
> > Any other ideas?  I am using the JPackage RPM - could that have anything to
> > do with it?  How about the JPackage RPM for xerces-J2?  I know they have had
> > problems with xerces before (unable to view example web apps).
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > Hi Rob,
> > >
> > > > Ok, I tried cleartext passwords, but I came up with the same result.  I
> > > > don't understand why tomcat is able to start up at all, if the
> > > > authentication is failing.
> > >
> > > Users are authenticated not Tomcat, so starting Tomcat has nothing
> > > to do with authentication.  Tomcat is just a Java program.
> > >
> > > When a user tries to access a web app Tomcat will authenticate that
> > > user if that web app's web.xml file tells it to. The manager app is
> > > set up to require authentication.
> > >
> > > The web.xml file for admin is in
> > > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > > it is set up there.  If you want to authenticate users for your own
> > > web apps, set up their web.xml security roles in a similar fashion.
> > >
> > > > When I run 'ps' after starting up tomcat, I see this process:
> > > >
> > > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0 00:00:00
> > > > postgres: tomcat template1 24.208.224.236 idle in transaction
> > > >
> > > > Seeing this makes me believe that Tomcat is correctly connecting to the
> > > > database at startup.  Is this true?  If so, why can't the admin or manager
> > > > apps authenticate?  They are using the same Realm (it's nested inside the
> > > > <Engine> tag) and I'm supplying the same username and password.
> > >
> > > A couple of other things you can check:
> > >
> > > Should  userNameCol="usename" be userNameCol="username" ?
> > >
> > > Can you access Postgres data from that file in your web apps using that
> > > driver and username/password?  You should be able to write a simple program
> > > to read the role names from the database.
> > >
> > > Within Postgres have you granted select privileges to the database
> > > table in template1 to the user tomcat in the tables pg_shadow and
> > > pg_groupview?
> > >
> > > Can you use a db browser tool to log in as tomcat and execute an SQL
> > > command like: SELECT groname FROM pg_groupview WHERE usename =
> > > 'tomcat'?
> > >
> > > Rick
> > >
> > > >
> > > > --
> > > > Robert Abernethy IV
> > > > Dynamic Edge, Inc.
> > > > 734.975.0460
> > > >
> > > > > Hi Rob,
> > > > >
> > > > > Try it in clear text without the MD5 digest, to verify that your
> > > > > password, username, role, etc are correct.
> > > > >
> > > > > I had a lot of problems with digesting.
> > > > >
> > > > > Also some databases return column names in upper case even if they
> > > > > are in lower case so you may want to try all caps on your db column
> > > > > names.  I think you would get a different error message if this was
> > > > > the case, though.
> > > > >
> > > > > Rick
> > > > >
> > > > > ----- Original Message -----
> > > > >
> > > > > > I'm trying to set up a JDBCRealm for use with the admin and manager
> > > > > > webapps.
> > > > > > The problem is that I am unable to authenticate any users.
> > > > > >
> > > > > > - Tomcat 4.1.18
> > > > > > - Postgresql 7.3.1
> > > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > > - I can directly connect to my database with the username and password
> > > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > > - I have added the users to both groups
> > > > > >
> > > > > > Realm:
> > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > >        driverName="org.postgresql.Driver"
> > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > >            digest="MD5" />
> > > > > >
> > > > > > Log:
> > > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > > > authenticated
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > --
> > > > > > Robert Abernethy IV
> > > > > > Dynamic Edge, Inc.
> > > > > > 734.975.0460
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
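
Added example (not part of the original thread and not Tomcat's code): a Python model of the comparison the quoted reply describes, applied to the `passwd` value shown for `pg_shadow` above. It assumes PostgreSQL's md5 entry format of `md5` followed by the hex MD5 of the password concatenated with the user name; all function names are hypothetical.

```python
import hashlib

# Value shown in the thread's pg_shadow listing for user "tomcat".
PAGE_STORED = "md5efcc1c51a80be13b59cdb96d758a0184"

def realm_md5_digest(password):
    """Hex MD5 of the typed password alone, as the quoted reply describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def postgres_md5_entry(password, username):
    """Assumed PostgreSQL format: 'md5' + hex MD5 of password + user name."""
    salted = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(salted).hexdigest()

def classify_stored(stored):
    """Classify a credential column value by its shape only."""
    def is_hex32(s):
        return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)
    if stored.startswith("md5") and is_hex32(stored[3:]):
        return "postgres-md5"    # prefixed and salted with the user name
    if is_hex32(stored):
        return "plain-md5-hex"   # shape the realm's digest comparison can match
    return "other"               # clear text or another scheme

def realm_would_accept(typed, stored):
    """Model of the realm check: digest the typed password, compare to stored."""
    return realm_md5_digest(typed).lower() == stored.lower()

def diagnose(username, typed, stored):
    """Report why a digest="MD5" realm does or does not match a stored value."""
    return {
        "stored_format": classify_stored(stored),
        "realm_accepts": realm_would_accept(typed, stored),
        "is_postgres_entry_for_user": stored == postgres_md5_entry(typed, username),
    }

if __name__ == "__main__":
    # The page's value: a 35-character "md5..." string, never equal to a 32-char digest.
    print(diagnose("tomcat", "tomcat", PAGE_STORED))
    # Constructed values: the same password stored both ways.
    print(diagnose("alice", "s3cret", postgres_md5_entry("s3cret", "alice")))
    print(diagnose("alice", "s3cret", realm_md5_digest("s3cret")))
```

The first result shows the shape mismatch: a 35-character `md5…` value read from `pg_shadow` cannot equal the 32-character digest computed from the typed password, whatever that password is.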


