Tomcat JDBCRealm And <security-constraint> in the web.xml
2003-10-23 - By Derek Mahar

Caroline:
Tomcat authentication will not work if you store your usernames in a JDBC source and your user roles in $TOMCAT_HOME/conf/tomcat-users.xml. You must store the users and roles in the same JDBC source. Do you store your roles in table user_roles?
Please post your <security-constraint> and <login-config> for the first application (artimus_1_1).
Also, the connection URL in your JDBCRealm statement does not look correct. You seem to be missing a question mark (?) between "artimus" and "user".
BASIC authentication does not imply that the user roles are stored in $TOMCAT_HOME/conf/tomcat-users.xml. It requires that the browser accepts the username and password, sends it to the server for authentication, and stores the authenticated session information. FORM authentication, however, uses a form to accept the username and password, executes a specific servlet to authenticate the user, and stores the authenticated session information on the server. In order to log out of a BASIC authentication session, the user need only close the browser, but in order to log out of a FORM authentication session, the application must invalidate the session.
Derek
--
Derek Mahar
Software Developer
Penson Financial Services Canada
360 St-Jacques St West, 12th Floor
Montreal QC H2Y 1P5
514.841.9665 x212 Phone
514.841.9700 Fax

-----Original Message-----
From: Caroline Jen [mailto:jiapei_jen@(protected)]
Sent: October 11, 2003 11:21 PM
To: tomcat-user@(protected)
Subject: Tomcat JDBCRealm And <security-constraint> in the web.xml
My applications behave weird after I configured the JDBCRealm. After experimenting in many different ways, I found that as long as I have the JDBCRealm in the server.xml, the Tomcat does not accept <security-constraint> specified in the application's web.xml file. Please help me.
My configuration in the $TOMCAT_HOME/conf/server.xml is shown below:
<Engine>
  <Host>
    <Context>
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             debug="99"
             driverName="com.mysql.jdbc.Driver"
             connectionURL="jdbc:mysql://localhost:3306/artimus user=javauser&password=javadude"
             userTable="members"
             userNameCol="user_name"
             userCredCol="user_password"
             userRoleTable="user_roles"
             roleNameCol="user_role"/>
    </Context>
  </Host>
</Engine>
What happened is:
First, I have an application artimus_1_1 that had worked well before JDBCRealm was inserted in the server.xml. Now, whenever I run the same application, I get:
HTTP Status 404 -/artimus_1_1
description: The requested resource(/artimus_1_1) is not available.
The web.xml of the application artimus_1_1 has <security-constraint> element in it and uses BASIC to authenticate users (i.e. the roles of the users are stored in the $TOMCAT_HOME/conf/tomcat-users.xml.)
Second, I am working on another application. And I want to use FORM-based container-managed authentication for this application. I had
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/signin/logon.jsp</form-login-page>
    <form-error-page>/signin/logon.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>
in the web.xml file and I had JDBCRealm in the $TOMCAT_HOME/conf/server.xml. I was able to display the welcome page. Thereafter, I inserted <security-constraint> preceding the <login-config> element, and inserted <security-role> following the <login-config> element. The application stops functioning. I get:
HTTP Status 404 -/PracticeVersion
description: The requested resource(/PracticeVersion) is not available.
in the browser, and I have this message in the Tomcat log file (the Tomcat log file can be found in the attachment):
LifecycleException: Container StandardContext[/PracticeVersion] has not been started
This is what my PracticeVersion/WEB-INF/web.xml looks like when the problem happens (nothing is wrong with the specification and order of the tags):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrative</web-resource-name>
    <!-- The URLs to protect -->
    <url-pattern>/do/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- The authorized users -->
    <role-name>administrator</role-name>
    <role-name>editor</role-name>
    <role-name>contributor</role-name>
    <role-name>advisor</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/signin/logon.jsp</form-login-page>
    <form-error-page>/signin/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>
<security-role>
  <role-name>advisor</role-name>
</security-role>
<security-role>
  <role-name>editor</role-name>
</security-role>
<security-role>
  <role-name>contributor</role-name>
</security-role>
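Added example, not part of the original thread and not Tomcat code: a small Python check for the two JDBCRealm points raised in the reply above (the missing "?" in connectionURL, and users and roles coming from the same JDBC source), plus a flag for a database password carried in the URL. The sample element is constructed from the one in the post with "&" written as "&amp;"; the function names are hypothetical, while connectionName and connectionPassword are JDBCRealm's own attributes.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the Realm element in the post (not a real deployment).
SAMPLE_REALM = '''<Realm className="org.apache.catalina.realm.JDBCRealm"
  driverName="com.mysql.jdbc.Driver"
  connectionURL="jdbc:mysql://localhost:3306/artimus user=javauser&amp;password=javadude"
  userTable="members" userNameCol="user_name" userCredCol="user_password"
  userRoleTable="user_roles" roleNameCol="user_role"/>'''

# JDBCRealm reads users and roles from one JDBC source, so all of these must be set.
REQUIRED = ("driverName", "connectionURL", "userTable", "userNameCol",
            "userCredCol", "userRoleTable", "roleNameCol")


def realm_attrs(xml_text):
    """Return the attributes of the first JDBCRealm <Realm> element, or None."""
    for m in re.finditer(r"<Realm\b(.*?)/?>", xml_text, re.S):
        attrs = dict(re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', m.group(1)))
        if attrs.get("className", "").strip().endswith("JDBCRealm"):
            return attrs
    return None


def lint_jdbc_realm(xml_text):
    """Return a list of findings for the JDBCRealm configuration in xml_text."""
    attrs = realm_attrs(xml_text)
    if attrs is None:
        return ["no JDBCRealm element found"]
    findings = [f"missing attribute {name}" for name in REQUIRED if name not in attrs]
    url = attrs.get("connectionURL", "").replace("&amp;", "&")
    base, sep, query = url.partition("?")
    if not sep and re.search(r"\s\w+=", base):
        # key=value pairs follow the database name without the '?' separator
        findings.append("connectionURL: parameters are not separated "
                        "from the database name by '?'")
        query = base.split(None, 1)[1]
    if "password" in parse_qs(query):
        findings.append("connectionURL: embeds the database password; "
                        "connectionName/connectionPassword keep it out of the URL")
    return findings


if __name__ == "__main__":
    for finding in lint_jdbc_realm(SAMPLE_REALM):
        print("-", finding)
```
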