tomcat-users mailing list archives

From Laurent Perez <downloa...@free.fr>
Subject JDBC Realm problems
Date Tue, 23 Sep 2003 14:43:51 GMT
Hello

I am trying to protect a webapp I wrote using a JDBCRealm, but it doesn't 
seem to work as expected. I am using Tomcat 4.1.27 and PostgreSQL 7.3.2, 
with the latest JDBC driver within $tomcat/common/lib.

My realm is described as follows, in $tomcat/conf/server.xml :

<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="org.postgresql.Driver"
         digest="md5"
         connectionURL="jdbc:postgresql://127.0.0.1/mydb"
         connectionName="mylogin" connectionPassword="mypass"
         userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
         userRoleTable="named_roles" roleNameCol="role" />

When I start Tomcat, I can see it connecting and idling to mydb, so the JDBC 
driver works. Also 'mylogin' has read access on named_roles.

My webapp is called 'test' and located within $tomcat/webapps/, its 
WEB-INF/web.xml is as follows :

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">

<web-app>
   <security-constraint>
   <web-ressource-collection>
     <web-ressource-name>test</web-ressource-name>
     <url-pattern>/*</url-pattern>
   </web-ressource-collection>
   <auth-constraint>
     <role-name>myrole</role-name>
   </auth-constraint>
   </security-constraint>
   <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>test</realm-name>
   </login-config>
   <security-role>
     <role-name>myrole</role-name>
   </security-role>
</web-app>

The 'myrole' role is defined in my named_roles table, and I have several 
users under that role. I did add <security-role> tags because Tomcat would 
warn me about 'myrole' not being within <security-role> tags on startup.

Now when I am trying to access http://localhost:8080/test, no 
authentication window pops up, I can access it freely, which shouldn't be 
correct (?). When I look at logs, I can see :
2003-09-23 14:14:52 ContextConfig[/test]: Configured an authenticator for 
method BASIC
2003-09-23 14:14:52 StandardManager[/test]: Seeding random number generator 
class java.security.SecureRandom
2003-09-23 14:14:52 StandardManager[/test]: Seeding of random number 
generator has been completed

If BASIC auth method is activated, why isn't my browser showing up an auth 
window ? :-/

Also I know Postgres doesn't store md5 password files like 
md5_func(password), but instead md5_func(password+login), will it cause 
problems with Tomcat's digest=md5 behaviour ?

Thanks for any help

Laurent Perez
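
A descriptor like the one in this message can be checked mechanically. The Python sketch below is an added example, not part of the original post or of Tomcat: it reports child elements of `<security-constraint>` that the Servlet 2.2 DTD does not define, and constraints that end up with no `<url-pattern>` under a correctly named `<web-resource-collection>`. The function name `lint_constraints` and the embedded sample (the constraint copied from the message, prolog omitted) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Child elements the Servlet 2.2 DTD defines for each parent element.
ALLOWED = {
    "security-constraint": {"web-resource-collection", "auth-constraint",
                            "user-data-constraint"},
    "web-resource-collection": {"web-resource-name", "description",
                                "url-pattern", "http-method"},
    "auth-constraint": {"description", "role-name"},
    "user-data-constraint": {"description", "transport-guarantee"},
}

# The <security-constraint> from the message above (prolog and DOCTYPE omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-ressource-collection>
      <web-ressource-name>test</web-ressource-name>
      <url-pattern>/*</url-pattern>
    </web-ressource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def lint_constraints(xml_text):
    """Return (unknown, unprotected) for a web.xml document.

    unknown: 'parent/child' element names the DTD does not define.
    unprotected: indexes of <security-constraint> blocks with no
    <url-pattern> inside a correctly named <web-resource-collection>.
    """
    root = ET.fromstring(xml_text)
    unknown, unprotected = [], []
    for idx, constraint in enumerate(root.iter("security-constraint")):
        stack = [constraint]
        while stack:
            parent = stack.pop()
            for child in parent:
                if child.tag in ALLOWED.get(parent.tag, ()):
                    stack.append(child)   # known element: check its children too
                else:
                    unknown.append(f"{parent.tag}/{child.tag}")
        if not constraint.findall("web-resource-collection/url-pattern"):
            unprotected.append(idx)
    return unknown, unprotected


if __name__ == "__main__":
    print(lint_constraints(WEB_XML))
```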


