Solved

tomcat 4.0.1 j_security_check error (jdbc realm)

Posted on 2002-06-14
Last Modified: 2008-03-17
hi all,

i am trying to use jdbc realm and when i run the example after making the necessary changes to server.xml and web.xml

i am getting error 500. it is trying to find j_security_check.

the question is what is j_security_check and where is it?

memory realm is working fine.

error 500: http://localhost:8080/examples/jsp/security/protected/j_security_check
Question by:ahuen
23 Comments
 
LVL 19

Expert Comment

by:cheekycj
ID: 7078818
j_security_check AFAIK is a j2ee defined pointer.

It doesn't really exist. Your servlet container should know when it sees it.

If you access tomcat's port directly (8080) then it should work fine.

This might be a case of Apache not knowing to direct to Tomcat when it encounters that URL.

To get details on j_security_check read section 12.5.3 and the login note 12.5.3.1 in the Servlet 2.3
spec, which you can get from here:
http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

a quick blurb from it:


Form based login and URL based session tracking can be problematic to implement.
Form based login should be used only when sessions are being maintained by
cookies or by SSL session information.
In order for the authentication to proceed appropriately, the action of the login
form must always be j_security_check. This restriction is made so that the login
form will work no matter which resource it is for, and to avoid requiring the server
to specify the action field of the outbound form.
Here is an example showing how the form should be coded into the HTML
page:

    <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    </form>

HTH,
CJ
0
 

Expert Comment

by:gritto
ID: 7083718
You don't have to pass to the j_security_check as an action phase.
Only the login page has to use that action in order to validate your username and password.
Use for example the home page inside the restricted area:
 http://localhost:8080/examples/jsp/security/protected/home.jsp and leave the login.jsp with the example above in another unrestricted area (like /login).
When a user starts to navigate, they will be redirected automatically to the login page (because your home page is protected and you are not authenticated), perform the security check and go to the desired page if the username and pwd are ok.
0
 

Author Comment

by:ahuen
ID: 7083729
i think my problem is that i broke something when i sub class JDBCRealm and override the authenticate method.

anybody have any experience with sub classing JDBCRealm?

If i use JDBCRealm it works.

thanks.
al
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092909
0
 

Author Comment

by:ahuen
ID: 7092924
CJ,

thanks in advance.
here's the method:

    // Override to use UserProfile
    public synchronized Principal authenticate(Connection dbConnection,
                                               String username,
                                               String credentials)
        throws SQLException {

        UserLogin.UserProfile userProfile = null;
        ArrayList list = new ArrayList();

        try {
            dbConnection = DatabaseDescriptor.User.getConnection();
            userProfile = UserLogin.login(dbConnection, username, credentials);
            if (userProfile == null) {
                return (null);
            }

            // Validate the user's credentials
            boolean validated = false;
            if (userProfile.isDCAvailable()) validated = true;

            if (validated) {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateSuccess",
                                     username));
            } else {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateFailure",
                                     username));

                return (null);
            }

            // Todo: read from db
            list.add("Slave");
            dbConnection.commit();

        } catch (Exception e) {
            log(e.getMessage());
            return null;
        }
        // Create and return a suitable Principal for this user
        return (new NetRiskPrincipal(this, username, credentials, list));

    }
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092944
one more question.. if you put logging throughout the method.. is it being called... can you follow the flow??

CJ
0
 

Author Comment

by:ahuen
ID: 7092957
CJ,

nothing gets logged.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092967
even if you add:

log("In my authenticate method");
as the first line of the method??

CJ
0
 

Author Comment

by:ahuen
ID: 7092987
how do i do that? or rather where?

i was logging in the method...
System.out.println(....)

thanks.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093001
read this:
http://tomcat.mslinn.com/tomcat/realms.html

the last two sections are about overriding authentication in jdbc realms in 3.2.x and 4.x

CJ
0
 

Author Comment

by:ahuen
ID: 7093013
CJ,
I thought you have to subclass JDBCRealm and override its methods because in server.xml JDBCRealm is set by

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:xyz" connectionName="abc" connectionPassword="abc"
           userTable="tmp" userNameCol="user_name" userCredCol="user_pass" />

so if you subclass JDBCRealm you can set the realm class to className="com.xyz.stuff.MyRealm"
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093024
It looks as though that was the case in Tomcat 3.x but as of 4.x you just subclass the authenticator class.

CJ
0
 

Author Comment

by:ahuen
ID: 7093037
if i only subclass and override org.apache.catalina.authenticator.FormAuthenticator.authenticate, and authenticate calls

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

this means that it is still using JDBCRealm.authenticate(...) which expects the user table, etc and that implies that I would not be able to use my UserProfile.

hmmmm
0
 

Author Comment

by:ahuen
ID: 7093041
oops...
i see ...
i forgot the part where i am overriding.. it is up to me what to do in the code....

but still the part where

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

should still work. right?
0
 

Author Comment

by:ahuen
ID: 7093052
hmmm...
but if i override org.apache.catalina.authenticator.FormAuthenticator

and my new class is in my package how would tomcat know to use my class instead of the base class?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093554
isn't that in the login-config in the web.xml?

CJ
0
 

Author Comment

by:ahuen
ID: 7098844
CJ,

Found the problem...
it wasn't finding one of my jars...

I have another question...

how do you set up so that tomcat won't require a user to have a role to log in? if i omit the <auth-constraint> it won't show the login. the role "slave" is being added to the Principal but it is not finding it.

at this point i don't need the role functionality.

thanks.

    <security-constraint>

      <web-resource-collection>
        <web-resource-name>User Protected Area</web-resource-name>
        <url-pattern>/ovdc/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>

      <auth-constraint>
        <role-name>slave</role-name>
      </auth-constraint>

    </security-constraint>
0
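An added example, not part of the original thread or of any poster's application: a Servlet 2.3 web.xml fragment that puts the constraint above together with the FORM login configuration discussed earlier. The page paths /login/login.jsp and /login/error.jsp and the realm-name text are assumptions. Role names are matched as exact, case-sensitive strings, and the authenticate method posted earlier adds "Slave".

```xml
<!-- Added example: web.xml fragment in Servlet 2.3 element order. -->
<!-- Assumed names: /login/login.jsp, /login/error.jsp, realm-name text. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>User Protected Area</web-resource-name>
    <url-pattern>/ovdc/*</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every
         method. Listing only DELETE/GET/POST/PUT leaves HEAD, OPTIONS
         and TRACE requests to /ovdc/* unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Must equal, character for character, the role string the
         realm attaches to the Principal ("slave" is not "Slave"). -->
    <role-name>slave</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>User Protected Area</realm-name>
  <form-login-config>
    <!-- Both pages sit outside /ovdc/* so they can be served to an
         unauthenticated user. The login form posts to the relative
         action j_security_check, which the container intercepts. -->
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint is declared here. -->
<security-role>
  <role-name>slave</role-name>
</security-role>
```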
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098912
can you override the hasRole() method to always return true?

CJ
0
 

Author Comment

by:ahuen
ID: 7098916
CJ,

where is hasRole() located?

thanks.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098972
should be in JDBCRealm.

CJ
0
 
LVL 19

Accepted Solution

by:
cheekycj earned 200 total points
ID: 7098981
actually hasRole() is in RealmBase which JDBCRealm extends (so it inherits both the authenticate and hasRole methods from it)

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098994
Thanx for the "A".

CJ
0
 
LVL 1

Expert Comment

by:TomBruser
ID: 11739407
Simple solution:

At the start of your login and login-error pages, include the following:

    if (request.getAttribute("javax.servlet.forward.request_uri") == null) {
        response.sendRedirect("/index.jsp");
        return; // stop rendering the rest of the page after the redirect
    }

where /index.jsp is equivalent to some acceptable page to forward users to if they have inadvertently hit the back button to reach the login page.

To create a logout function, make a logout.jsp that contains the following:

        session.invalidate();
        response.sendRedirect("/index.jsp");

0


Question has a verified solution.
