Return-Path: 
 <users-return-201487-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 48802 invoked from network); 5 Sep 2009 08:56:00 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 5 Sep 2009 08:56:00 -0000
Received: (qmail 48576 invoked by uid 500); 5 Sep 2009 08:55:56 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 48499 invoked by uid 500); 5 Sep 2009 08:55:56 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 48488 invoked by uid 99); 5 Sep 2009 08:55:56 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Sep 2009 08:55:56 +0000
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (nike.apache.org: local policy)
Received: from [193.252.22.159] (HELO smtp5.freeserve.com) (193.252.22.159)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Sep 2009 08:55:45 +0000
Received: from me-wanadoo.net (localhost [127.0.0.1])
	by mwinf3404.me.freeserve.com (SMTP Server) with ESMTP id F1A851C00082
	for <users@tomcat.apache.org>; Sat,  5 Sep 2009 10:55:24 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
	by mwinf3404.me.freeserve.com (SMTP Server) with ESMTP id E4B7A1C00085
	for <users@tomcat.apache.org>; Sat,  5 Sep 2009 10:55:24 +0200 (CEST)
Received: from smtp.homeinbox.net (unknown [91.109.133.72])
	by mwinf3404.me.freeserve.com (SMTP Server) with ESMTP id 89D7D1C00082
	for <users@tomcat.apache.org>; Sat,  5 Sep 2009 10:55:24 +0200 (CEST)
X-ME-UUID: 20090905085524564.89D7D1C00082@mwinf3404.me.freeserve.com
Received: from localhost (localhost [127.0.0.1])
	by smtp.homeinbox.net (Postfix) with ESMTP id 204CC1A4223
	for <users@tomcat.apache.org>; Sat,  5 Sep 2009 09:55:21 +0100 (BST)
X-Virus-Scanned: Debian amavisd-new at homeinbox.net
Received: from smtp.homeinbox.net ([127.0.0.1])
	by localhost (server01.dev.local [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id N9hDDisgCLYz for <users@tomcat.apache.org>;
	Sat,  5 Sep 2009 09:55:14 +0100 (BST)
Received: from [192.168.0.9] (study03.dev.local [192.168.0.9])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.homeinbox.net (Postfix) with ESMTPSA id 588631A418A
	for <users@tomcat.apache.org>; Sat,  5 Sep 2009 09:55:14 +0100 (BST)
Message-ID: <4AA2276B.3020908@apache.org>
Date: Sat, 05 Sep 2009 09:55:07 +0100
From: Mark Thomas <markt@apache.org>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Realm configuration issues
References: <e41cadaf0909041726u26a1c5e1geaee645bc06898fc@mail.gmail.com>
In-Reply-To: <e41cadaf0909041726u26a1c5e1geaee645bc06898fc@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

Adam Posner wrote:
> Hi, I have been trying to implement form based authentication using
> container managed security.
> I had tried originally to use the DataSource Realm but after struggling with
> that for so long I gave up because I had tried everything I could think of
> as far as putting the Realm declaration in varioius places with no luck, and
> I got conflicting answers between the the Apache-Tomcat docs

Generally, the docs will give you more accurate information. If you have
problems ask here and on the odd occasion the docs are wrong they'll get
fixed.

 ( which I've
> read multiple times) and what I found in places like mark-mail and nabble.
> 
> So now I am trying to get it working with the JDBC realm instead.

That is a bad idea. The JDBCRealm is horribly synchronized whereas the
DataSourceRealm uses a connection pool.


> server.xml:
I'd strongly suggest removing the comments from this file. It makes it a
lot easier to read.

> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>   <Listener className="org.apache.catalina.core.JasperListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
> />
>   <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> 
>   <GlobalNamingResources>
> 
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>               description="User database that can be updated and saved"
>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>               pathname="conf/tomcat-users.xml" />
>   </GlobalNamingResources>
> 
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
> 
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
> 
>         <Context path="/blurbV1"
>              docBase="blurbV1"
>              debug="99"

debug doesn't do anything - delete it. This begs the question why did
you add it? Any docs that say you need it are for the wrong Tomcat
version. That is why you are best following the official Tomcat 6 docs.
>              reloadable="true">
> 
>             <Resource name="jdbc/trailsDB" auth="Container"
>                   type="javax.sql.DataSource"
> 
>                   driverClassName="com.mysql.jdbc.Driver"
> 
> url="jdbc:mysql://localhost:3306/trailsDB?user=buzz&amp;password=999999"
>                        maxActive="8"/>

I assume this resource is required by the application since the
JBDCRealm won't use it.

>             <Realm className="org.apache.catalina.realm.JDBCRealm"
>                    debug="99"
>                    driverName="com.mysql.jdbc.Driver"
>                    connectionURL="jdbc:mysql://localhost:3306/trailsDB"
>                    userTable="users"
>                    userNameCol="user_name"
>                    userCredCol="user_pass"
>                    userRoleTable="user_roles"
>                    roleNameCol="role_name"
>             />

You are missing the connectionName and connectionPassword attributes.
Both of which are clearly marked as required in the docs. Again - use
the official docs and life gets a lot easier.

>               </Context>
> 
>       </Host>
>     </Engine>
>   </Service>
> </Server>
> 
> And my web.xml:
> 
>   <security-constraint>
> 
>     <web-resource-collection>
> 
>         <web-resource-name>UpdateTrails</web-resource-name>
> 
>         <url-pattern>/*</url-pattern>
> 
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>

This is bad from a security point of view. This means *only* GET and
POST are protected but all of the other HTTP methods are allowed. I
doubt that is what you want.

>     </web-resource-collection>
> 
>         <auth-constraint>
>             <description>These are the roles who have access</description>
>             <role-name>admin</role-name>
>         </auth-constraint>
> 
> </security-constraint>
> 
> <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Tomcat Server Configuration Form-Based
>         Authentication Area</realm-name>
>     <form-login-config>
>         <form-login-page>/Login.html</form-login-page>
>         <form-error-page>/auth-error.html</form-error-page>
>     </form-login-config>
>         </login-config>
> 
> 
> <resource-ref>
>     <description>DB Connection</description>
>     <res-ref-name>jdbc/trailsDB</res-ref-name>
>     <res-type>javax.sql.DataSource</res-type>
>     <res-auth>Container</res-auth>
> </resource-ref>
> 
> </web-app>
> 
> Even though it says DataSource in the above resource-ref tag, all the info I
> found told me
> to do that even with the JDBCRealm.

Really? If the official Tomcat docs say you need to do that then they
are wrong. I had a quick look but I couldn't see anything that said
this. Where did you read it and I'll get it fixed.

> So there seems to be 2 problems. Here's what Tomcat gives me when I attempt
> to login:
> 
> HTTP Status 404 - /blurbV1/auth-error.html
> ------------------------------
> 
> *type* Status report
> 
> *message* */blurbV1/auth-error.html*
> 
> *description* *The requested resource (/blurbV1/auth-error.html) is not
> available.*
> ------------------------------
> Apache Tomcat/6.0.16
> But it should allow me to login since I have the users and the database
> setup with the correct
> user and role tables. Here is the tomcat-users.xml created by Tomcat:

Huh? Tomcat doesn't create this file. You must have created it. Added to
which it is irrelevant in this case since your context is using the
JDBCRealm, not the UserDatabaseRealm.

> Any ideas why I might be getting this ?

The 404 suggests the auth-error.html does not exist. Where is the file
located?

You are seeing the error page because Tomcat can't connect to your
database to authenticate the user. You need to fix the various problems
outlined above.

Mark




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org