
Java Forum / Security / April 2005


tomcat ignoring JDBC realm?

JGH - 24 Mar 2005 23:45 GMT
I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
dialog box to appear when I try to access the application? I don't have
to do anything to my jsp code do I?

Here is my server.xml:

<Server port="8005" shutdown="shutdown" debug="0">

    <Service name="Tomcat-Apache">

        <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
            address="127.0.0.1" port="8009" minProcessors="5" maxProcessors="75"
            enableLookups="false" acceptCount="10" debug="0"/>

        <Engine name="lightning" debug="0" defaultHost="localhost">
            <Logger className="org.apache.catalina.logger.FileLogger"
                prefix="catalina_log." suffix=".txt"
                timestamp="true"/>

            <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
                driverName="oracle.jdbc.driver.OracleDriver"
                connectionURL="jdbc:Oracle:thin:@sec-authdb.doit.wisc.edu:1531:secauthd"
                connectionName="bogus"
                connectionPassword="boguser"
                userTable="users" userNameCol="user_name" userCredCol="user_pass"
                userRoleTable="user_roles" roleNameCol="role_name"/>

            <Host name="localhost" debug="0" unpackWARs="true">

                <Context path="" docBase="/home/tomcat/your_application"
                    debug="0" reloadable="true" />
            </Host>
        </Engine>

    </Service>

</Server>
Juha Laiho - 25 Mar 2005 19:58 GMT
JGH <johnheim@nospam.tds.net> said:
>I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
>dialog box to appear when I try to access the application? I don't have
>to do anything to my jsp code do I?

Just introducing a realm isn't enough -- you'll need to declare the
protected pages in the application-specific web.xml. So, within
a single webapp you may have public resources and resources
requiring authentication.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

JGH - 28 Mar 2005 18:57 GMT
Juha Laiho <Juha.Laiho@iki.fi> wrote in news:d21n0u$eee$4@ichaos.ichaos-int:

> JGH <johnheim@nospam.tds.net> said:
>>I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
[quoted text clipped - 5 lines]
> a single webapp you may have public resources and resources
> requiring authentication.

Thanks. The documentation on the apache web site just ended after
explaining how to create a realm. Actually, I think it's wrong in that
it says you have to modify the server.xml file and that's not true in
tomcat 5+. There's an xml file for each context and you can add it
there.

Anyway, now I've created login.jsp and error.jsp pages and configured
the web.xml file within my application to display it for any doc
requested in the app. But when I try to log in, an empty document is
returned. Not the page I requested, not the error page, not an error
message.  

If there was some troubleshooting guide I'd search that. But the
problem here is that there are so many steps, you can't do a partial
implementation and get some of it working. Arrgh!

Below is my web.xml and my login.jsp

web.xml:
<!-- Define a security constraint on this application -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>tpusers</role-name>
    </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>TPUsers</realm-name>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error.jsp</form-error-page>
     </form-login-config>
   </login-config>

login.jsp:

<html>
<head>
<title>TPUsers Login</title>
</head>
<body>
<form method="POST" action="j_security_check" >
 <table border="0" cellspacing="5">
   <tr>
     <th align="right">Username:</th>
     <td align="left"><input type="text" name="j_username"></td>
   </tr>
   <tr>
     <th align="right">Password:</th>
     <td align="left"><input type="password" name="j_password"></td>
   </tr>
   <tr>
     <td align="right"><input type="submit" value="Log In"></td>
     <td align="left"><input type="reset"></td>
   </tr>
 </table>
</form>
</body>
</html>
Juha Laiho - 28 Mar 2005 20:02 GMT
JGH <johnheim@nospam.tds.net> said:

>> JGH <johnheim@nospam.tds.net> said:
>>>I added a Realm tag to my tomcat server.xml file. Shouldn't that
[quoted text clipped - 8 lines]
>Thanks. The documentation on the apache web site just ended after
>explaining how to create a realm.

This problem appears to be common across J2EE app.servers; (some days
ago I helped a friend to pick together pieces of the J2EE login process
for BEA WebLogic).

I think this comes from the multiplicity of different developer roles
Sun has assigned for J2EE development process. Creating the realm is
one part of the game -- and this is documented in the server
administration guides (and is different for each type of server).
The other part is writing the application to utilise the realm
(and this is independent of the server).

>Actually, I think it's wrong in that it says you have to modify the
>server.xml file and that's not true in tomcat 5+. There's an xml file
>for each context and you can add it there.

You're right.

>Below is my web.xml and my login.jsp
>
[quoted text clipped - 19 lines]
>      </form-login-config>
>    </login-config>

Ok, I think there's one piece missing here. You should also have:
 <!-- Security roles referenced by this web application -->
 <security-role>
   <description>
     Blabla
   </description>
   <role-name>tpusers</role-name>
 </security-role>

... to declare all the security roles that your application uses.

Other than that, I don't see a problem. Note that the ordering of elements
within web.xml makes a difference; the order for the above three
elements must be security-constraint,login-config,security-role .

Crosscheck what you have with either Tomcat admin webapp, or
the authentication example from the Tomcat example webapp.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

techguy_chicago@yahoo.com - 20 Apr 2005 02:17 GMT
why does Tomcat need to know what the roles are, anyways?  is that a
J2EE spec or something?  having to hardcode those values into a web.xml
file seems to defeat part of the purpose of using a database in the
first place - flexibility.  but since most of the Tomcat devs are
smarter than me, I want to know why, b/c apparently more than a few
people thought it was a good idea...
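
The checks from Juha Laiho's 28 Mar reply (every role used in an auth-constraint has a security-role entry, and the three elements appear in the stated order), as an added example that is not part of the original thread or of Tomcat. The function name `check_web_xml`, the `<web-app>` wrapper and the abridged sample are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Order the thread states for these three web.xml elements.
ORDER = ["security-constraint", "login-config", "security-role"]

def local(tag):
    """Drop any XML namespace so DTD-style and schema-style files both parse."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return a list of problems in the declarative-security part of a web.xml."""
    root = ET.fromstring(xml_text)
    kids = [c for c in root if local(c.tag) in ORDER]
    names = [local(c.tag) for c in kids]
    problems = []
    if "security-constraint" not in names:
        problems.append("no security-constraint: no resource is protected")
    if "login-config" not in names:
        problems.append("no login-config: no authentication method configured")
    ranks = [ORDER.index(n) for n in names]
    if ranks != sorted(ranks):
        problems.append("wrong element order, expected " + ", ".join(ORDER))
    # Collect role names: declared ones live under security-role, used ones elsewhere.
    declared, used = set(), set()
    for el in kids:
        bucket = declared if local(el.tag) == "security-role" else used
        for node in el.iter():
            if local(node.tag) == "role-name" and node.text:
                bucket.add(node.text.strip())
    for role in sorted(used - declared - {"*"}):  # "*" means "all declared roles"
        problems.append("role %r is used but has no security-role entry" % role)
    return problems

# Constructed sample: the web.xml fragment posted in the thread (abridged),
# wrapped in a <web-app> root. The wrapper is an assumption.
POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tpusers</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
FIXED = POSTED.replace("</web-app>",
    "<security-role><role-name>tpusers</role-name></security-role></web-app>")

if __name__ == "__main__":
    print(check_web_xml(POSTED))
    print(check_web_xml(FIXED))
```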



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.