Solved

tomcat 4.0.1 j_security_check error (jdbc realm)

Posted on 2002-06-14
Last Modified: 2008-03-17
hi all,

i am trying to use jdbc realm and when i run the example after making the necessary changes to server.xml and web.xml

i am getting error 500. it is trying to find j_security_check.

the question is what is j_security_check and where is it?

memory realm is working fine.

error 500: http://localhost:8080/examples/jsp/security/protected/j_security_check
Question by:ahuen

Expert Comment

by:cheekycj
ID: 7078818
j_security_check AFAIK is a j2ee defined pointer.

It doesn't really exist. Your servlet container should know when it sees it.

If you access tomcat's port directly (8080) then it should work fine.

This might be a case of Apache not knowing to direct to Tomcat when it encounters that URL.

To get details on j_security_check read section 12.5.3 and the login note 12.5.3.1 in the Servlet 2.3
spec, which you can get from here:
http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

a quick blurb from it:


Form-based login and URL-based session tracking can be problematic to implement.
Form-based login should be used only when sessions are being maintained by
cookies or by SSL session information.
In order for the authentication to proceed appropriately, the action of the login
form must always be j_security_check. This restriction is made so that the login
form will work no matter which resource it is for, and to avoid requiring the server
to specify the action field of the outbound form.
Here is an example showing how the form should be coded into the HTML
page:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>

HTH,
CJ

Expert Comment

by:gritto
ID: 7083718
You don't have to use j_security_check as the action of every page.
Only the login page has to use that action in order to validate your username and password.
Use, for example, the home page inside the restricted area:
 http://localhost:8080/examples/jsp/security/protected/home.jsp and leave the login.jsp with the example above in another unrestricted area (like /login).
When a user starts to navigate, they will be redirected automatically to the login page (because your home page is protected and you are not authenticated), perform the security check, and go to the desired page if the username and password are OK.

Author Comment

by:ahuen
ID: 7083729
i think my problem is that i broke something when i subclassed JDBCRealm and overrode the authenticate method.

anybody have any experience with subclassing JDBCRealm?

If i use JDBCRealm it works.

thanks.
al

Expert Comment

by:cheekycj
ID: 7092909

Author Comment

by:ahuen
ID: 7092924
CJ,

thanks in advance.
here's the method:

    // Override to use UserProfile instead of the realm's own user-table lookup.
    public synchronized Principal authenticate(Connection dbConnection,
                                               String username,
                                               String credentials)
            throws SQLException {

        UserLogin.UserProfile userProfile = null;
        ArrayList list = new ArrayList();

        try {
            // Ignore the connection handed in by JDBCRealm and use our own.
            dbConnection = DatabaseDescriptor.User.getConnection();
            userProfile = UserLogin.login(dbConnection, username, credentials);
            if (userProfile == null) {
                return (null);
            }

            // Validate the user's credentials
            boolean validated = false;
            if (userProfile.isDCAvailable()) validated = true;

            if (validated) {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateSuccess",
                                     username));
            } else {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateFailure",
                                     username));

                return (null);
            }

            // Todo: read from db
            list.add("Slave");
            dbConnection.commit();

        } catch (Exception e) {
            log(e.getMessage());
            return null;
        }
        // Create and return a suitable Principal for this user
        return (new NetRiskPrincipal(this, username, credentials, list));

    }

Expert Comment

by:cheekycj
ID: 7092944
One more question: if you put logging throughout the method, is it being called? Can you follow the flow?

CJ

Author Comment

by:ahuen
ID: 7092957
CJ,

nothing gets logged.

Expert Comment

by:cheekycj
ID: 7092967
even if you add:

log("In my authenticate method");
as the first line of the method??

CJ

Author Comment

by:ahuen
ID: 7092987
how do i do that? or rather where?

i was logging in the method...
System.out.println(....)

thanks.

Expert Comment

by:cheekycj
ID: 7093001
read this:
http://tomcat.mslinn.com/tomcat/realms.html

the last two sections are about overriding authentication in jdbc realms in 3.2.x and 4.x

CJ

Author Comment

by:ahuen
ID: 7093013
CJ,
I thought you had to subclass JDBCRealm and override its methods, because in server.xml JDBCRealm is set by

 <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
        driverName="sun.jdbc.odbc.JdbcOdbcDriver"
        connectionURL="jdbc:odbc:xyz" connectionName="abc" connectionPassword="abc"
        userTable="tmp" userNameCol="user_name" userCredCol="user_pass" />

so if you subclass JDBCRealm you can set the realm class to className="com.xyz.stuff.MyRealm"

Expert Comment

by:cheekycj
ID: 7093024
It looks as though that was the case in Tomcat 3.x but as of 4.x you just subclass the authenticator class.

CJ

Author Comment

by:ahuen
ID: 7093037
if i only subclass and override org.apache.catalina.authenticator.FormAuthenticator.authenticate, and authenticate calls

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

this means that it is still using JDBCRealm.authenticate(...), which expects the user table, etc., and that implies that I would not be able to use my UserProfile.

hmmmm

Author Comment

by:ahuen
ID: 7093041
oops...
i see...
i forgot the part where i am overriding; it is up to me what to do in the code.

but still the part where

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

should still work. right?

Author Comment

by:ahuen
ID: 7093052
hmmm...
but if i override org.apache.catalina.authenticator.FormAuthenticator

and my new class is in my package how would tomcat know to use my class instead of the base class?

Expert Comment

by:cheekycj
ID: 7093554
isn't that in the login-config in the web.xml?

CJ

Author Comment

by:ahuen
ID: 7098844
CJ,

Found the problem...
it wasn't finding one of my jars...

I have another question...

how do you set up so that tomcat won't require a user to have a role to log in? if i omit the <auth-constraint> it won't show the login. the role "slave" is being added to the Principal but it is not finding it.

at this point i don't need the role functionality.

thanks.

    <security-constraint>

      <web-resource-collection>
        <web-resource-name>User Protected Area</web-resource-name>
        <url-pattern>/ovdc/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>

      <auth-constraint>
        <role-name>slave</role-name>
      </auth-constraint>

    </security-constraint>
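The way form login is wired up, as an added example that is not ahuen's own web.xml and not Tomcat's: it combines gritto's point (the login page lives outside the constrained URL pattern) with the constraint posted above. Two things differ from the posted constraint on purpose. First, the <http-method> list is gone: when a <web-resource-collection> names methods, only those methods are constrained, so the posted version leaves HEAD, OPTIONS, TRACE and any other verb on /ovdc/* open to unauthenticated requests; with no <http-method> elements the constraint covers every method. Second, the login and error pages sit under /login/, which no constraint covers, so the container can serve them before the user is authenticated. login.jsp holds the form quoted from the Servlet spec earlier in the thread (action="j_security_check", fields j_username and j_password); the /login/ paths and the realm-name are assumptions.

```xml
<!-- web.xml fragment (Servlet 2.3); added example, not the thread's own file. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>User Protected Area</web-resource-name>
    <url-pattern>/ovdc/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to every HTTP method.
         Listing only DELETE/GET/POST/PUT would leave HEAD, OPTIONS, TRACE and
         any unlisted method unprotected on this path. -->
  </web-resource-collection>

  <auth-constraint>
    <!-- A role-name is what makes the container challenge for a login at all;
         omitting <auth-constraint> entirely means "no authentication needed". -->
    <role-name>slave</role-name>
  </auth-constraint>

  <!-- Uncomment once an SSL connector is configured: FORM auth posts
       j_password in clear text, and the spec quoted above only recommends
       form login over cookie- or SSL-tracked sessions.
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  -->
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>User Protected Area</realm-name>
  <form-login-config>
    <!-- Both pages must be reachable without authentication, so they live
         under /login/, which no <security-constraint> covers. -->
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declare every role referenced by an <auth-constraint>. -->
<security-role>
  <role-name>slave</role-name>
</security-role>
```

Nothing in this file points at j_security_check: the container intercepts a POST to that name relative to the protected resource, checks the credentials against the Realm configured in server.xml, and then redirects to the page the user originally asked for, which is why the login form works regardless of which URL under /ovdc/* triggered it.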

Expert Comment

by:cheekycj
ID: 7098912
can you override the hasRole() method to always return true?

CJ

Author Comment

by:ahuen
ID: 7098916
CJ,

where is hasRole() located?

thanks.

Expert Comment

by:cheekycj
ID: 7098972
should be in JDBCRealm.

CJ

Accepted Solution

by:
cheekycj earned 200 total points
ID: 7098981
actually hasRole() is in RealmBase which JDBCRealm extends (so it inherits both the authenticate and hasRole methods from it)

CJ
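A complete realm subclass that puts the accepted answer into practice, added here as an example; it is neither ahuen's code nor Tomcat's. It overrides the same JDBCRealm.authenticate(Connection, String, String) overload that ahuen overrode (so JDBCRealm still opens and closes the connection and hands it in, as the thread assumes for 4.0.x), replaces the user-table lookup with its own parameterised queries, returns Tomcat's own GenericPrincipal carrying the roles read from the database, and overrides hasRole() in the way cheekycj suggested, behind a server.xml switch rather than unconditionally. The package com.xyz.stuff comes from the server.xml example earlier in the thread; the tables and columns (app_user, app_user_role, user_name, user_pass, user_role), the ignoreRoles attribute, and the use of RealmBase's digest() helper for the realm's digest="..." attribute are assumptions.

```java
package com.xyz.stuff;   // package name taken from the server.xml example above

import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.JDBCRealm;

/**
 * Added example for Tomcat 4.0.x, not code from this thread or from Tomcat.
 * Activated from server.xml by pointing the Realm element at this class:
 *   <Realm className="com.xyz.stuff.MyRealm" ignoreRoles="true"
 *          driverName="..." connectionURL="..."
 *          connectionName="..." connectionPassword="..." />
 * Table and column names below are hypothetical.
 */
public class MyRealm extends JDBCRealm {

    /** When true, hasRole() accepts every role for any authenticated user. */
    private boolean ignoreRoles = false;

    /** Bean property so server.xml can set ignoreRoles="true" (assumed name). */
    public void setIgnoreRoles(boolean ignoreRoles) { this.ignoreRoles = ignoreRoles; }
    public boolean getIgnoreRoles() { return ignoreRoles; }

    // Same overload ahuen overrode: JDBCRealm.authenticate(String, String)
    // opens the connection and delegates to this method.
    public synchronized Principal authenticate(Connection dbConnection,
                                               String username,
                                               String credentials)
            throws SQLException {
        if (username == null || credentials == null) {
            return null;
        }

        // Parameterised lookup: j_username comes straight from the login form
        // and must never be concatenated into the SQL text.
        String storedPassword = null;
        PreparedStatement stmt = dbConnection.prepareStatement(
                "SELECT user_pass FROM app_user WHERE user_name = ?");
        try {
            stmt.setString(1, username);
            ResultSet rs = stmt.executeQuery();
            if (rs.next()) {
                storedPassword = rs.getString(1);
            }
            rs.close();
        } finally {
            stmt.close();
        }

        // digest() is assumed to be RealmBase's helper for the realm's
        // digest="..." attribute: it hashes the submitted password with that
        // algorithm, or returns it unchanged when no digest is configured.
        if (storedPassword == null || !storedPassword.equals(digest(credentials))) {
            if (debug >= 2) log("MyRealm: authentication failed for " + username);
            return null;
        }

        // Roles for the principal; an empty list is fine when ignoreRoles is on.
        List roles = new ArrayList();
        PreparedStatement roleStmt = dbConnection.prepareStatement(
                "SELECT user_role FROM app_user_role WHERE user_name = ?");
        try {
            roleStmt.setString(1, username);
            ResultSet rs = roleStmt.executeQuery();
            while (rs.next()) {
                roles.add(rs.getString(1));
            }
            rs.close();
        } finally {
            roleStmt.close();
        }

        if (debug >= 2) log("MyRealm: authenticated " + username + " roles=" + roles);
        // GenericPrincipal is Tomcat's own Principal; RealmBase.hasRole() knows
        // how to read its role list.
        return new GenericPrincipal(this, username, credentials, roles);
    }

    /**
     * Called for every <auth-constraint> role-name and for every
     * request.isUserInRole() check. With ignoreRoles on, the role-name in
     * web.xml is reduced to the trigger for the login challenge.
     */
    public boolean hasRole(Principal principal, String role) {
        if (ignoreRoles) {
            return principal != null;
        }
        return super.hasRole(principal, role);
    }
}
```

With ignoreRoles="true" the <auth-constraint> in web.xml still needs a <role-name>, since dropping the element is what switches the login prompt off, but the name no longer has to match anything stored for the user. The same hasRole() answers request.isUserInRole(), so every role test in the application will say yes while the switch is on; turn it back off before any page starts branching on roles.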

Expert Comment

by:cheekycj
ID: 7098994
Thanx for the "A".

CJ

Expert Comment

by:TomBruser
ID: 11739407
Simple solution:

At the start of your login and login-error pages, include the following:

    <%
    if (request.getAttribute("javax.servlet.forward.request_uri") == null) {
        response.sendRedirect("/index.jsp");
        return;   // stop rendering the login page once the redirect is sent
    }
    %>

where /index.jsp is equivalent to some acceptable page to forward users to if they have inadvertently hit the back button to reach the login page.

To create a logout function, make a logout.jsp that contains the following:

    <%
    session.invalidate();
    response.sendRedirect("/index.jsp");
    %>