tomcat-users mailing list archives

From "Rob Abernethy IV" <aberne...@dynedge.com>
Subject Re: JDBCRealm
Date Tue, 07 Jan 2003 08:59:19 GMT
The connectionName and connectionPassword should be "tomcat" and "tomcat." 
The other name/password is left over from my clear-text attempts.

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460


> OK. I was able to get clear-text passwords to work, but I still 
> can't get encrypted passwords to work.  Using MD5 encryption, Tomcat 
> is able to successfully open a connection to the database using the 
> JDBCRealm set up in the server.xml, but it is unable to authenticate 
> users for the admin web app. I am using the same username and 
> password (username = "tomcat", password = "tomcat") for both the 
> JDBCRealm and the admin web app.
> 
> JDBCRealm:
> <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        driverName="org.postgresql.Driver"
>     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
>    connectionName="abernethy" connectionPassword="gceIlu4DaR"
>         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
>     userRoleTable="pg_groupview" roleNameCol="groname"
>            digest="MD5" />
> 
> pg_shadow:
> usename  | passwd
> -------------------------
> tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> 
> pg_groupview:
>  grosysid | groname | usesysid |  usename
> ----------+---------+----------+-----------
>       101 | admin   |      102 | tomcat
>       100 | manager |      102 | tomcat
> 
> postgresql log (for Tomcat start up):
> Jan  7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
> Jan  7 16:41:25 bilbo postgres[4329]: [1] LOG:  connection received:
> host=24.208.224.236 port=33234
> 
> Jan  7 16:41:25 bilbo postgres[4329]: [2] LOG:  connection 
> authorized: user=tomcat database=template1
> Jan  7 16:41:25 bilbo postgres[4329]: [3-1] LOG:  query: set 
> datestyle to 'ISO'; select version(), case when 
> pg_encoding_to_char(1) = 'SQL_ASCII' then 'UNKNOWN' else
> Jan  7 16:41:25 bilbo postgres[4329]: [3-2]  getdatabaseencoding() end;
> 
> Jan  7 16:41:25 bilbo postgres[4329]: [4] LOG:  duration: 0.028513 sec
> Jan  7 16:41:25 bilbo postgres[4329]: [5] LOG:  query: set 
> client_encoding = 'UNICODE'; show autocommit
> Jan  7 16:41:25 bilbo postgres[4329]: [6] LOG:  duration: 0.000260 sec
> Jan  7 16:41:25 bilbo postgres[4329]: [7] LOG:  query: set 
> autocommit = off;
> Jan  7 16:41:25 bilbo postgres[4329]: [8] LOG:  duration: 0.000198 sec
> 
> postgresql log (for admin web app authentication):
> 
> Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd 
> FROM pg_shadow WHERE usename = 'tomcat'
> Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> 
> catalina_log.2003-01-07.txt:
> 
> 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> authenticated
> 
> Any more ideas?
> 
> --
> Robert Abernethy IV
> Dynamic Edge, Inc.
> 734.975.0460
> 
> > Hi Rob,
> >
> > You have two separate sets of usernames and passwords here.  One
> > that the JDBC driver uses to open the database connection, and
> > another set that Tomcat reads from a database table and compares to
> > what you type in when prompted.
> >
> > The realm stuff sets up when Tomcat starts, but it just sits there
> > until you try to get a JSP page that a webapp has designated in its
> > web.xml to be restricted.
> >
> > When that happens, Tomcat will get your browser to generate a login dialog
> > box, or will run your login page if you use form based authentication.
> >
> > Tomcat will then take the username and password that it gets from
> > that and generate an SQL statement to select the password column of
> > the userTable ("pg_shadow" in your case) in the row where the
> > username is equal to whatever you typed into the login box.
> >
> > It uses the connection opened to your user/password table when Tomcat
> > started and set up the realm using the driver, database name,
> > usernames and passwords that you supplied in the server.xml realm entry.
> >
> > Tomcat then takes the password string that is returned and compares
> > it to what you typed in as a password.
> >
> > If you have MD5 enabled it converts the password string you typed in
> > to its MD5 form before comparing it to what it pulls from the
> > database.  In this case you have to convert the password string to
> > its MD5 format before you store it in the Postgres database.
> >
> > It looks like you have stuff set up properly, it also looks like the
> > username "tomcat" and password "tomcat" are getting you into the database
> > OK.
> >
> > Since you are not able to log in to webapps that require no role, it
> > looks like the username or password that you are typing in when you
> > try to log in is not matching what tomcat is getting from Postgres
> > from the table "pg_shadow" in the "usename" and "passwd" fields, respectively.
> >
> > If there were some kind of error, with debug=99 your logs would have
> > a lot of error info, particularly if there were some SQL error.
> >
> > I don't know what kind of logging Postgres has but you should see a
> > successful SQL statement handled by Postgres in the log at the time
> > you try to authenticate, even if authentication fails.
> >
> > If so, what you are typing in for username/password just isn't matching
> > what's in the database, or more precisely what the JDBC driver is returning
> > from the database.
> >
> > This could be a character set or case sensitivity issue with the
> > JDBC driver you are using.
> >
> > This does work, believe it or not.  I've been using it for months
> > with the Firebird open source SQL database and various versions of
> > Tomcat 4.1.X.
> >
> > Rick
> >
> > ----- Original Message -----
> >
> > > Does Tomcat process the JDBC Realm on start up, or only when a web app asks
> > > for authentication?  I seem to recall that I was unable to start Tomcat if
> > > the realm was not configured correctly.  Also, I see a postgres process (see
> > > below) which indicates a connection to the database.  The process
> > > shows 'tomcat' because that is the *user name* I am using in the realm
> > > configuration.
> > >
> > > The column names are correct (postgres uses 'usename' not 'username').
> > >
> > > The "tomcat" user has the correct privileges on the necessary tables.
> > >
> > > I have written a simple Java program that is able to connect and display data
> > > from pg_shadow and pg_groupview.  This program uses the same JDBC driver,
> > > connection URL, user name ("tomcat"), and password.
> > >
> > > I have created my own web app (thinking the admin or manager web apps might
> > > be the problem), but it is also unable to authenticate users.
> > >
> > > Any other ideas?  I am using the JPackage RPM - could that have anything to
> > > do with it?  How about the JPackage RPM for xerces-J2?  I know they have had
> > > problems with xerces before (unable to view example web apps).
> > >
> > > --
> > > Robert Abernethy IV
> > > Dynamic Edge, Inc.
> > > 734.975.0460
> > >
> > > > Hi Rob,
> > > >
> > > > > Ok, I tried cleartext passwords, but I came up with the same result.  I don't
> > > > > understand why tomcat is able to start up at all, if the authentication is
> > > > > failing.
> > > >
> > > > Users are authenticated not Tomcat, so starting Tomcat has nothing
> > > > to do with authentication.  Tomcat is just a Java program.
> > > >
> > > > When a user tries to access a web app Tomcat will authenticate that
> > > > user if that web app's web.xml file tells it to. The manager app is
> > > > set up to require authentication.
> > > >
> > > > The web.xml file for admin is in
> > > > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > > > it is set up there.  If you want to authenticate users for your own
> > > > web apps, set up their web.xml security roles in a similar fashion.
> > > >
> > > > > When I run 'ps' after starting up tomcat, I see this process:
> > > > >
> > > > > 40 S postgres  2825  2758  0  75   0    -  2431 schedu 18:12 pts/0 00:00:00
> > > > > postgres: tomcat template1 24.208.224.236 idle in transaction
> > > > >
> > > > > Seeing this makes me believe that Tomcat is correctly connecting to the
> > > > > database at startup.  Is this true?  If so, why can't the admin or manager
> > > > > apps authenticate?  They are using the same Realm (it's nested inside the
> > > > > <Engine> tag) and I'm supplying the same username and password.
> > > >
> > > > A couple of other things you can check:
> > > >
> > > > Should  userNameCol="usename" be userNameCol="username" ?
> > > >
> > > > Can you access Postgres data from that file in your web apps using that
> > > > driver and username/password?  You should be able to write a simple program
> > > > to read the role names from the database.
> > > >
> > > > Within Postgres have you granted select privileges to the database
> > > > table in template1 to the user tomcat in the tables pg_shadow and
> > > > pg_groupview?
> > > >
> > > > Can you use a db browser tool to log in as tomcat and execute an SQL
> > > > command like: SELECT groname FROM pg_groupview WHERE usename
> > > > = 'tomcat'?
> > > >
> > > > Rick
> > > >
> > > > >
> > > > > --
> > > > > Robert Abernethy IV
> > > > > Dynamic Edge, Inc.
> > > > > 734.975.0460
> > > > >
> > > > > > Hi Rob,
> > > > > >
> > > > > > Try it in clear text without the MD5 digest, to verify that your
> > > > > > password, username, role, etc are correct.
> > > > > >
> > > > > > I had a lot of problems with digesting.
> > > > > >
> > > > > > Also some databases return column names in upper case even if they
> > > > > > are in lower case so you may want to try all caps on your db column
> > > > > > names.  I think you would get a different error message if this was
> > > > > > the case, though.
> > > > > >
> > > > > > Rick
> > > > > >
> > > > > > ----- Original Message -----
> > > > > >
> > > > > > > I'm trying to set up a JDBCRealm for use with the admin and manager
> > > > > > > webapps.
> > > > > > > The problem is that I am unable to authenticate any users.
> > > > > > >
> > > > > > > - Tomcat 4.1.18
> > > > > > > - Postgresql 7.3.1
> > > > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > > > - I can directly connect to my database with the username and password
> > > > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > > > - I have added the users to both groups
> > > > > > >
> > > > > > > Realm:
> > > > > > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > > >        driverName="org.postgresql.Driver"
> > > > > > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > > >    connectionName="tomcat" connectionPassword="tomcat"
> > > > > > >         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > > >            digest="MD5" />
> > > > > > >
> > > > > > > Log:
> > > > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully
> > > > > > > authenticated
> > > > > > >
> > > > > > > Any ideas?
> > > > > > >
> > > > > > > --
> > > > > > > Robert Abernethy IV
> > > > > > > Dynamic Edge, Inc.
> > > > > > > 734.975.0460


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
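
Added example, not part of the thread or of Tomcat's code: a small diagnostic that compares the digest a realm with digest="MD5" would compute (hex MD5 of the typed password alone, as described in the thread) with the value stored in userCredCol. It relies on PostgreSQL's md5 password storage format, which is the literal prefix "md5" followed by the hex MD5 of the password concatenated with the user name; the function names and the case-insensitive comparison are assumptions made for this illustration.

```python
import hashlib
import re


def tomcat_digest(password: str) -> str:
    """Hex MD5 of the typed password alone (the thread's description of digest="MD5")."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def postgres_shadow_md5(password: str, username: str) -> str:
    """PostgreSQL md5 storage format: 'md5' + hex MD5 of password followed by user name."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def classify(stored: str) -> str:
    """Guess which scheme produced a stored credential value."""
    value = stored.strip()
    if re.fullmatch(r"md5[0-9a-f]{32}", value):
        return "postgres-md5"   # salted with the user name, carries a 3-char prefix
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "hex-md5"        # the shape a plain MD5 digest comparison expects
    return "other"              # clear text or another scheme


def diagnose(stored: str, username: str, password: str) -> dict:
    """Report why a realm comparison against `stored` succeeds or fails."""
    typed = tomcat_digest(password)
    return {
        "stored_format": classify(stored),
        # Assumption: the realm compares hex digests case-insensitively.
        "realm_would_match": typed.lower() == stored.lower(),
        "matches_postgres_scheme": stored.strip() == postgres_shadow_md5(password, username),
        # CHAR columns or driver quirks can pad values; padding alone breaks equality.
        "padded": stored != stored.strip(),
    }


# Row copied from the pg_shadow listing quoted in the thread.
THREAD_ROW = ("tomcat", "md5efcc1c51a80be13b59cdb96d758a0184")

if __name__ == "__main__":
    user, stored = THREAD_ROW
    print("pg_shadow value :", diagnose(stored, user, "tomcat"))
    # Constructed value: what a dedicated users table would need to hold instead.
    print("plain hex digest:", diagnose(tomcat_digest("tomcat"), user, "tomcat"))
```

A 35-character "md5..." value can never equal a 32-character hex digest, so a realm pointed at pg_shadow fails whatever password is typed. A dedicated users table holding the plain hex digest fits the comparison and also keeps the web tier from needing read access to pg_shadow.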

