tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Abernethy IV" <aberne...@dynedge.com>
Subject Re: JDBCRealm
Date Wed, 08 Jan 2003 03:48:49 GMT
The MD5'd password *is* in the pg_shadow.passwd column.  I don't see what 
I'm doing wrong.  And, as far as confusing postgres users with tomcat users, 
is there a problem with using the same user for both?  I kind of thought 
that was the point.  When I create a user, they can use the same username 
and password to access tomcat web apps that they use to connect to the 
database.

Thanks for the pointers on security.  Both Tomcat and Postgres are on the 
same server.  I'm also planning on using HTTPS, but apache will handle that 
part.  I think it will work something like this:

1. user types username and password (clear-text) into form
2. web browser encrypts everything and sends it to web server (https)
3. apache decrypts everything and passes it onto tomcat
4. tomcat makes a MD5 form of the given password
5. tomcat compares this with the MD5 password taken from the database

Does that sound right?

--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460

> Yeah, looks like you almost have it.  The MD5'd password should be in
> pg_shadow in the userCredCol, passwd in this case.
> 
> Be advised that you should either use only HTTPS for this, or run 
> Tomcat on the same server as Postgres, or run them both on a secure 
> net behind a firewall on separate machines to prevent your Postgres 
> database from being compromised.
> 
> MD5 really only prevents snoops on your server from being able to easily
> read the passwords in pg_shadow.
> 
> Rick
> 
> ----- Original Message -----
> 
> > * Rob Abernethy IV <abernethy@dynedge.com> [0154 21:54]:
> > > OK. I was able to get clear-text passwords to work, but I still can't
> get
> > > encrypted passwords to work.  Using MD5 encryption, Tomcat is able to
> > > successfully open a connection to the database using the JDBCRealm set
> up in
> > > the server.xml, but it is unable to authenticate users for the admin 
web
> app.
> > >  I am using the same username and password (username = "tomcat",
> password =
> > > "tomcat") for both the JDBCRealm and the admin web app.
> > >
> > > JDBCRealm:
> > > <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > >        driverName="org.postgresql.Driver"
> > >     connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > >    connectionName="abernethy" connectionPassword="gceIlu4DaR"
> > >         userTable="pg_shadow" userNameCol="usename" 
userCredCol="passwd"
> > >     userRoleTable="pg_groupview" roleNameCol="groname"
> > >            digest="MD5" />
> > > pg_shadow:
> > > usename  | passwd
> > > -------------------------
> > > tomcat   | md5efcc1c51a80be13b59cdb96d758a0184
> >
> > You are confusing postgres usernames/passwords with the ones you want in
> the tables.
> > Tomcat connects to the database as user connectionName , password
> connectionPassword
> >
> > and looks up http authentication users and passwords in userTable  and
> userRoleTable.
> >
> > It looks from your post like you have that backwards (pg_shadow holds
> postgres users, not users
> > for your apps).
> >
> > > postgresql log (for admin web app authentication):
> > > Jan  7 16:43:34 bilbo postgres[4329]: [9] LOG:  query: SELECT passwd
> FROM
> > > pg_shadow WHERE usename = 'tomcat'
> > > Jan  7 16:43:34 bilbo postgres[4329]: [10] LOG:  duration: 0.001636 sec
> > >
> > > catalina_log.2003-01-07.txt:
> > > 2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT
> successfully
> > > authenticated
> >
> > --
> > Rasputin :: Jack of All Trades - Master of Nuns
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-
unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-
help@jakarta.apache.org>




--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message