tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Realm configuration issues
Date Sat, 05 Sep 2009 08:55:07 GMT
Adam Posner wrote:
> Hi, I have been trying to implement form based authentication using
> container managed security.
> I had tried originally to use the DataSource Realm but after struggling with
> that for so long I gave up because I had tried everything I could think of
> as far as putting the Realm declaration in various places with no luck, and
> I got conflicting answers between the Apache-Tomcat docs

Generally, the docs will give you more accurate information. If you have
problems ask here and on the odd occasion the docs are wrong they'll get
fixed.

> ( which I've
> read multiple times) and what I found in places like mark-mail and nabble.
> 
> So now I am trying to get it working with the JDBC realm instead.

That is a bad idea. The JDBCRealm is horribly synchronized whereas the
DataSourceRealm uses a connection pool.


> server.xml:

I'd strongly suggest removing the comments from this file. It makes it a
lot easier to read.

> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>   <Listener className="org.apache.catalina.core.JasperListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
> />
>   <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> 
>   <GlobalNamingResources>
> 
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>               description="User database that can be updated and saved"
>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>               pathname="conf/tomcat-users.xml" />
>   </GlobalNamingResources>
> 
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
> 
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
> 
>         <Context path="/blurbV1"
>              docBase="blurbV1"
>              debug="99"

debug doesn't do anything - delete it. This begs the question why did
you add it? Any docs that say you need it are for the wrong Tomcat
version. That is why you are best following the official Tomcat 6 docs.

>              reloadable="true">
> 
>             <Resource name="jdbc/trailsDB" auth="Container"
>                   type="javax.sql.DataSource"
> 
>                   driverClassName="com.mysql.jdbc.Driver"
> 
> url="jdbc:mysql://localhost:3306/trailsDB?user=buzz&amp;password=999999"
>                        maxActive="8"/>

I assume this resource is required by the application since the
JDBCRealm won't use it.

>             <Realm className="org.apache.catalina.realm.JDBCRealm"
>                    debug="99"
>                    driverName="com.mysql.jdbc.Driver"
>                    connectionURL="jdbc:mysql://localhost:3306/trailsDB"
>                    userTable="users"
>                    userNameCol="user_name"
>                    userCredCol="user_pass"
>                    userRoleTable="user_roles"
>                    roleNameCol="role_name"
>             />

You are missing the connectionName and connectionPassword attributes.
Both of which are clearly marked as required in the docs. Again - use
the official docs and life gets a lot easier.

>               </Context>
> 
>       </Host>
>     </Engine>
>   </Service>
> </Server>
> 
> And my web.xml:
> 
>   <security-constraint>
> 
>     <web-resource-collection>
> 
>         <web-resource-name>UpdateTrails</web-resource-name>
> 
>         <url-pattern>/*</url-pattern>
> 
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>

This is bad from a security point of view. This means *only* GET and
POST are protected but all of the other HTTP methods are allowed. I
doubt that is what you want.

>     </web-resource-collection>
> 
>         <auth-constraint>
>             <description>These are the roles who have access</description>
>             <role-name>admin</role-name>
>         </auth-constraint>
> 
> </security-constraint>
> 
> <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Tomcat Server Configuration Form-Based
>         Authentication Area</realm-name>
>     <form-login-config>
>         <form-login-page>/Login.html</form-login-page>
>         <form-error-page>/auth-error.html</form-error-page>
>     </form-login-config>
>         </login-config>
> 
> 
> <resource-ref>
>     <description>DB Connection</description>
>     <res-ref-name>jdbc/trailsDB</res-ref-name>
>     <res-type>javax.sql.DataSource</res-type>
>     <res-auth>Container</res-auth>
> </resource-ref>
> 
> </web-app>
> 
> Even though it says DataSource in the above resource-ref tag, all the info I
> found told me
> to do that even with the JDBCRealm.

Really? If the official Tomcat docs say you need to do that then they
are wrong. I had a quick look but I couldn't see anything that said
this. Where did you read it and I'll get it fixed.

> So there seem to be 2 problems. Here's what Tomcat gives me when I attempt
> to login:
> 
> HTTP Status 404 - /blurbV1/auth-error.html
> ------------------------------
> 
> *type* Status report
> 
> *message* */blurbV1/auth-error.html*
> 
> *description* *The requested resource (/blurbV1/auth-error.html) is not
> available.*
> ------------------------------
> Apache Tomcat/6.0.16
> But it should allow me to login since I have the users and the database
> setup with the correct
> user and role tables. Here is the tomcat-users.xml created by Tomcat:

Huh? Tomcat doesn't create this file. You must have created it. Added to
which it is irrelevant in this case since your context is using the
JDBCRealm, not the UserDatabaseRealm.

> Any ideas why I might be getting this ?

The 404 suggests the auth-error.html does not exist. Where is the file
located?

You are seeing the error page because Tomcat can't connect to your
database to authenticate the user. You need to fix the various problems
outlined above.

Mark
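
Added example, not part of the original message or the Tomcat documentation: the Context from the quoted server.xml rewritten to use the pooled DataSourceRealm recommended above, with the realm reading the same jdbc/trailsDB resource the application uses. Assumptions: the Context is moved to the application's META-INF/context.xml, the table and column names are taken from the quoted JDBCRealm, and the database account values are placeholders.

```xml
<!-- META-INF/context.xml of the blurbV1 web application (Tomcat 6).
     File location is an assumption; the original post kept the Context in server.xml. -->
<Context reloadable="true">

  <!-- Pooled DataSource shared by the application and the realm.
       Credentials are passed as attributes rather than as URL parameters.
       The two values below are placeholders. -->
  <Resource name="jdbc/trailsDB" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost:3306/trailsDB"
            username="REPLACE_WITH_DB_USER"
            password="REPLACE_WITH_DB_PASSWORD"
            maxActive="8"/>

  <!-- localDataSource="true" makes the realm look the DataSource up in this
       Context instead of in GlobalNamingResources. No connectionName or
       connectionPassword is needed here because the pool owns the connection. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/trailsDB"
         localDataSource="true"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"/>
</Context>
```

The account used by the pool only needs read access to the users and user_roles tables for authentication; any wider privileges are an application requirement, not a realm requirement.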




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
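
Added example, not part of the original message: the quoted security-constraint with the two http-method elements removed, so that the constraint covers every HTTP method instead of only GET and POST. The security-role declaration is an assumption, since the quoted web.xml does not show whether one exists.

```xml
<!-- WEB-INF/web.xml fragment (Servlet 2.5 / Tomcat 6).
     A web-resource-collection without any http-method element applies to
     all HTTP methods, so PUT, DELETE, HEAD and the rest are protected too. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UpdateTrails</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed addition: declares the role referenced by the auth-constraint. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```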

