jgh

I added a Realm tag to my tomcat server.xml file. Shouldn't that cause a
dialog box to appear when I try to access the application? I don't have
to do anything to my jsp code do I?

Here is my server.xml:

<Server port="8005" shutdown="shutdown" debug="0">

<Service name="Tomcat-Apache">

<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
address="127.0.0.1" port="8009" minProcessors="5"
maxProcessors="75"
enableLookups="false" acceptCount="10" debug="0"/>

<Engine name="lightning" debug="0" defaultHost="localhost">
<Logger
className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt"
timestamp="true"/>


<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:Oracle:thin:@sec-
authdb.doit.wisc.edu:1531:secauthd"
connectionName="bogus"
connectionPassword="boguser"
userTable="users" userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"/>


<Host name="localhost" debug="0" unpackWARs="true">

<Context path=""
docBase="/home/tomcat/your_application"
debug="0" reloadable="true" />
</Host>
</Engine>

</Service>

</Server>

juha laiho

JGH <johnheim@nospam.tds.net> said:


Just introducing a realm isn't enough -- you'll need to declare the
protected pages in the application-specific web.xml. So, within
a single webapp you may have public resources and resources
requiring authentication.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

jgh

Thanks. The documentation on the apache web site just ended after
explaining how to create a realm. Actually, I think it's wrong in that
it says you have to modify the server.xml file and that's not true in
tomcat 5+. There's an xml file for each context and you can add it
there.

Anyway, now I've created login.jsp and error.jsp pages and configured
the web.xml file within my application to display it for any doc
requested in the app. But when I try to log in, an empty document is
returned. Not the page I requested, not the error page, not an error
message.

If there was some trouble shooting guide I'd search that. But the
problem here is that there are so many steps, you can't do a partial
implementation and get ome of it working. Arrgh!

Below is my web.xml and my login.jsp web.xml:
<!-- Define a security constraint on this application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tpusers</role-name>
</auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>TPUsers</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>


login.jsp:
<html>
<head>
<title>TPUsers Login</title>
<body>
<form method="POST" action="j_security_check" >
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="j_username"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="j_password"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
</body>
</html>

juha laiho

JGH <johnheim@nospam.tds.net> said:

This problem appears to be common across J2EE app.servers; (some days
ago I helped a friend to pick together pieces of the J2EE login process
for BEA WebLogic).

I think this comes from the multiplicity of different developer roles
Sun has assigned for J2EE development process. Creating the realm is
one part of the game -- and this is documented in the server
administration guides (and is different for each type of server).
The other part is writing the application to utilise the realm
(and this is independent of the server).

You're right.


Ok, I think there's one piece missing here. You should also have:
<!-- Security roles referenced by this web application -->
<security-role>
<description> Blabla
</description>
<role-name>tpusers</role-name>
</security-role>

.... to declare all the security roles that your application uses.

Other than that, I don't see a problem. Note that the ordering of elements
within web.xml makes a difference; the order for the above three
elements must be security-constraint,login-config,security-role .


Crosscheck what you have with either Tomcat admin webapp, or
the authentication example from the Tomcat example webapp.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

why does Tomcat need to know what the roles are, anyways? is that a
J2EE spec or something? having to hardcode those values into a web.xml
file seems to defeat part of the purpose of using a database in the
first place - flexibility. but since most of the Tomcat devs are
smarter than me, I want to know why, b/c apparently more than a few
people thought it was a good idea...