From: David Smith
Date: Mon, 21 Aug 2006 12:47:33 -0400
To: Tomcat Users List
Subject: Re: Security constraint/login form
Message-ID: <44E9E3A5.7010905@cornell.edu>

Looking at the source for org.apache.catalina.JDBCRealm, the queries on the database are confined to the rows/columns required for authentication. Other columns could be present in both users and roles without any impact.

Prepared statement for fetching credentials:

  select userCredCol from userTable where userNameCol = ?

Prepared statement for fetching roles:

  select roleNameCol from userRoleTable where userNameCol = ?

--David

Propes, Barry L wrote:
> Thanks, David. Yeah, I replied back to it a minute ago...I had the role-name elements in the (web)XML file askew from what was in the DB.
>
> Got it working now. And, one more thing. I should be able to add a third column to the role_name db table, shouldn't I?
> If so, do I need to add a matching third col to the users table as well? Or is that immaterial?
>
> -----Original Message-----
> From: David Smith [mailto:dns4@cornell.edu]
> Sent: Monday, August 21, 2006 10:51 AM
> To: Tomcat Users List
> Subject: Re: Security constraint/login form
>
> Could you post some relevant sections of your webapp? I'm thinking the security constraint section of your web.xml, a representative segment of your user database table, and the logs where a request is made to login. Something just seems off here.
>
> As a test a few days ago, I changed the role name of the users that could get into the manager app -- both in manager webapp's web.xml and in tomcat-users.xml and it worked without a hitch.
>
> --David
>
> Propes, Barry L wrote:
>
>> Ok, I'm finding that the names are somewhat relevant.
>>
>> For instance, if I assign a user the role service, or admin, it works with no problems.
>>
>> If I assign another name -- say senior, or legal or business -- it does not work.
>>
>> Any ideas why? And, if it's limited to this by Tomcat's default security constraint class files, can I individually edit and recompile them, and then it will redeploy in the war file upon restart?
>>
>> -----Original Message-----
>> From: Marc Farrow [mailto:marc.farrow@gmail.com]
>> Sent: Thursday, August 17, 2006 4:03 PM
>> To: Tomcat Users List
>> Subject: Re: Security constraint/login form
>>
>> The names are irrelevant. They just have to match between implementation and setup.
>>
>> On 8/17/06, Propes, Barry L wrote:
>>
>>> quick answer is yes to they have to be service or admin or yes to I can declare them anything that matches the column in another DB table I've created or yes to my last question about the values being what I want?
>>>
>>> -----Original Message-----
>>> From: Marc Farrow [mailto:marc.farrow@gmail.com]
>>> Sent: Thursday, August 17, 2006 3:38 PM
>>> To: Tomcat Users List
>>> Subject: Re: Security constraint/login form
>>>
>>> Quick answer is yes.
>>>
>>> On 8/17/06, Propes, Barry L wrote:
>>>
>>>> I wonder though...do the role_names have to be service or admin or something like that?
>>>>
>>>> Can they be anything I declare them to be that matches the column in another DB table?
>>>>
>>>> i.e.
>>>> I've got user_name and role_name as columns in the user_roles table.
>>>>
>>>> Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.?
>>>>
>>>> -----Original Message-----
>>>> From: Marc Farrow [mailto:marc.farrow@gmail.com]
>>>> Sent: Thursday, August 17, 2006 2:11 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: Security constraint/login form
>>>>
>>>> Are you talking about the tomcat-users.xml file and the roles defined in there?
>>>>
>>>> The security-constraints are pretty flexible and you can use any number of ways to define your realms. If you look at the web.xml for the manager application (that is shipped with Tomcat), you can see how that realm is defined and used. You can even use encrypting on the passwords in that file. If you don't mind maintaining that file for roles and users, then just modify it to fit your needs and change your security constraint for your web application to match those roles. Below is a quick example. If you are wanting something more flexible, then you can research and use your favorite database for authentication or even your favorite LDAP. Below is a quick example of how to use a user-defined role in the tomcat-users.xml file and how to match it to two different URLs in one web app.
>>>>
>>>> Please understand, this is just a quick example and I do not dare declare that this will work. Just a springboard to help you get your feet wet.
>>>>
>>>> tomcat-users.xml:
>>>>
>>>>
>>>> application's web.xml:
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Restrict to role1 and role2</web-resource-name>
>>>>     <url-pattern>/welcome.jsp</url-pattern>
>>>>   </web-resource-collection>
>>>>   <auth-constraint>
>>>>     <role-name>role1</role-name>
>>>>     <role-name>role2</role-name>
>>>>   </auth-constraint>
>>>> </security-constraint>
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Restrict to role2 only</web-resource-name>
>>>>     <url-pattern>/other.jsp</url-pattern>
>>>>   </web-resource-collection>
>>>>   <auth-constraint>
>>>>     <role-name>role2</role-name>
>>>>   </auth-constraint>
>>>> </security-constraint>
>>>>
>>>> <security-role>
>>>>   <description>some descr</description>
>>>>   <role-name>role1</role-name>
>>>> </security-role>
>>>> <security-role>
>>>>   <role-name>role2</role-name>
>>>> </security-role>
>>>>
>>>> On 8/17/06, Propes, Barry L wrote:
>>>>
>>>>> to add to my question earlier below, would it be something as simple as?
>>>>>
>>>>> String juser= (String) request.getAttribute("j_username");
>>>>>
>>>>> Granted I have no idea what the session attribute is under the hood, only know that j_username is the input name for the user_name.
>>>>>
>>>>> I was thinking with that info, I could then run a select query to extract the role_name from an additional joined table to authenticate a step further. Does what I am explaining make sense? Forgive me if not.
>>>>>
>>>>> When I say additional table, I mean one in addition to the user_name and user_roles table that Tomcat requires for the form login security constraint to work.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Propes, Barry L
>>>>> Sent: Thursday, August 17, 2006 11:13 AM
>>>>> To: Tomcat Users List
>>>>> Subject: Security constraint/login form
>>>>>
>>>>> I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a version on a prod. server and one on my desktop) that you can create the simple table titled users and configure it in the server.xml file and then likewise configure the web.xml file's security constraint properties.
>>>>>
>>>>> My question is, can you add other columns to the table and then do a join on another table as to further enhance security?
>>>>>
>>>>> If so, what is involved, and how involved is it?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Barry
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>> --
>>>> Marc Farrow
>>>
>>> --
>>> Marc Farrow
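As an added illustration (not code from the thread or from Tomcat), the Python below mirrors what David describes: JDBCRealm's two parameterized lookups run against users and user_roles tables that carry extra columns the realm never reads, followed by the role check against the two web.xml constraints Marc quoted. It goes one step beyond the thread by showing that any role string (RISK, legaldept) works as long as it matches the constraint exactly; the table layout, sample users, and the SHA-256 digest are assumptions for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample schema: the users and user_roles tables the thread
# describes, each with an extra column (dept, granted_by) the realm never reads.
SCHEMA = """
CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT, dept TEXT);
CREATE TABLE user_roles (user_name TEXT, role_name TEXT, granted_by TEXT);
"""

def digest(password):
    # JDBCRealm can compare a MessageDigest of the password instead of plaintext;
    # SHA-256 hex is an assumption for this example.
    return hashlib.sha256(password.encode()).hexdigest()

def build_db():
    # Constructed sample data; role names are arbitrary strings like "RISK".
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("barry", digest("s3cret"), "risk"),
                      ("alice", digest("hunter2"), "legal")])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?, ?)",
                     [("barry", "RISK", "dba"), ("barry", "role2", "dba"),
                      ("alice", "legaldept", "dba")])
    return conn

def authenticate(conn, username, password):
    """Run the realm's two prepared statements; return the role set or None."""
    row = conn.execute("SELECT user_pass FROM users WHERE user_name = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], digest(password)):
        return None
    rows = conn.execute("SELECT role_name FROM user_roles WHERE user_name = ?",
                        (username,)).fetchall()
    return {r[0] for r in rows}

# Mirrors the two <security-constraint> blocks quoted in the thread. Role
# names are free-form, but must match <role-name> exactly (case-sensitive).
CONSTRAINTS = {"/welcome.jsp": {"role1", "role2"}, "/other.jsp": {"role2"}}

def is_authorized(roles, url):
    """True if any of the user's roles satisfies the constraint on url."""
    allowed = CONSTRAINTS.get(url)
    if allowed is None:
        return True  # no constraint declared for this URL
    return bool(roles & allowed)
```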