Solved

tomcat 4.0.1 j_security_check error (jdbc realm)

Posted on 2002-06-14
Last Modified: 2008-03-17
hi all,

i am trying to use jdbc realm and when i run the example after making the necessary changes to server.xml and web.xml

i am getting error 500. it is trying to find j_security_check.

the question is what is j_security_check and where is it?

memory realm is working fine.

error 500: http://localhost:8080/examples/jsp/security/protected/j_security_check
0
Question by:ahuen
23 Comments
 
LVL 19

Expert Comment

by:cheekycj
ID: 7078818
j_security_check AFAIK is a j2ee defined pointer.

It doesn't really exist. Your servlet container should know when it sees it.

If you access tomcat's port directly (8080) then it should work fine.

This might be a case of Apache not knowing to direct to Tomcat when it encounters that URL.

To get details on j_security_check read section 12.5.3 and the login note 12.5.3.1 in the Servlet 2.3
spec, which you can get from here:
http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

a quick blurb from it:


Form based login and URL based session tracking can be problematic to implement.
Form based login should be used only when sessions are being maintained by
cookies or by SSL session information.
In order for the authentication to proceed appropriately, the action of the login
form must always be j_security_check. This restriction is made so that the login
form will work no matter which resource it is for, and to avoid requiring the server
to specify the action field of the outbound form.
Here is an example showing how the form should be coded into the HTML
page:

    <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    </form>

HTH,
CJ
0
 

Expert Comment

by:gritto
ID: 7083718
You don't have to pass to the j_security_check as an action phase.
Only the login page has to use that action in order to validate your username and password.
Use for example the home page inside the restricted area:
 http://localhost:8080/examples/jsp/security/protected/home.jsp and leave the login.jsp with the example above in another unrestricted area (like /login).
When a user starts to navigate, they will be redirected automatically to the login page (because your home page is protected and you are not authenticated), perform the security check and go to the desired page if the username and pwd are ok.
0
 

Author Comment

by:ahuen
ID: 7083729
i think my problem is that i broke something when i sub class JDBCRealm and override the authenticate method.

anybody have any experience with sub classing JDBCRealm?

If i use JDBCRealm it works.

thanks.
al
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092909
0
 

Author Comment

by:ahuen
ID: 7092924
CJ,

thanks in advance.
here's the method:

    // override to use UserProfile
    public synchronized Principal authenticate(Connection dbConnection,
                                               String username,
                                               String credentials)
        throws SQLException {

        UserLogin.UserProfile userProfile = null;
        ArrayList list = new ArrayList();

        try {
            dbConnection = DatabaseDescriptor.User.getConnection();
            userProfile = UserLogin.login(dbConnection, username, credentials);
            if (userProfile == null) {
                return (null);
            }

            // Validate the user's credentials
            boolean validated = false;
            if (userProfile.isDCAvailable()) validated = true;

            if (validated) {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateSuccess",
                                     username));
            } else {
                if (debug >= 2)
                    log(sm.getString("jdbcRealm.authenticateFailure",
                                     username));

                return (null);
            }

            // Todo: read from db
            list.add("Slave");
            dbConnection.commit();

        } catch (Exception e) {
            log(e.getMessage());
            return null;
        }
        // Create and return a suitable Principal for this user
        return (new NetRiskPrincipal(this, username, credentials, list));

    }
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092944
one more question.. if you put logging throughout the method.. is it being called... can you follow the flow??

CJ
0
 

Author Comment

by:ahuen
ID: 7092957
CJ,

nothing gets logged.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7092967
even if you add:

log("In my authenticate method");
as the first line of the method??

CJ
0
 

Author Comment

by:ahuen
ID: 7092987
how do i do that? or rather where?

i was logging in the method...
System.out.println(....)

thanks.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093001
read this:
http://tomcat.mslinn.com/tomcat/realms.html

the last two sections are about overriding authentication in jdbc realms in 3.2.x and 4.x

CJ
0
 

Author Comment

by:ahuen
ID: 7093013
CJ,
I thought you have to subclass JDBCRealm and override its methods because in server.xml JDBCRealm is set by

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="sun.jdbc.odbc.JdbcOdbcDriver"
           connectionURL="jdbc:odbc:xyz" connectionName="abc" connectionPassword="abc"
           userTable="tmp" userNameCol="user_name" userCredCol="user_pass" />

so if you subclass JDBCRealm you can set the realm class to className="com.xyz.stuff.MyRealm"
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093024
It looks as though that was the case in Tomcat 3.x but as of 4.x you just subclass the authenticator class.

CJ
0
 

Author Comment

by:ahuen
ID: 7093037
if i only subclass and override org.apache.catalina.authenticator.FormAuthenticator.authenticate, and authenticate calls

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

this means that it is still using JDBCRealm.authenticate(...) which expects the user table, etc and that implies that I would not be able to use my UserProfile.

hmmmm
0
 

Author Comment

by:ahuen
ID: 7093041
oops...
i see ...
i forgot the part where i am overriding.. it is up to me what to do in the code....

but still the part where

Realm realm = context.getRealm();
principal=realm.authenticate(username, password);

should still work. right?
0
 

Author Comment

by:ahuen
ID: 7093052
hmmm...
but if i override org.apache.catalina.authenticator.FormAuthenticator

and my new class is in my package how would tomcat know to use my class instead of the base class?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7093554
isn't that in the login-config in the web.xml?

CJ
0
 

Author Comment

by:ahuen
ID: 7098844
CJ,

Found the problem...
it wasn't finding one of my jars...

I have another question...

how do you set up so that tomcat won't require a user to have a role to log in? if i omit the <auth-constraint> it won't show the login. the role "slave" is being added to the Principal but it is not finding it.

at this point i don't need the role functionality.

thanks.

    <security-constraint>

      <web-resource-collection>
        <web-resource-name>User Protected Area</web-resource-name>
        <url-pattern>/ovdc/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>

      <auth-constraint>
        <role-name>slave</role-name>
      </auth-constraint>

    </security-constraint>
0
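A descriptor-level way to approach the question in the post above, as an added example that is not part of the original thread: it keeps the container's role check in place and shows the login-config that makes the container answer j_security_check. The login page paths and the realm name are assumed values; the URL pattern and role name are taken from the posted descriptor.

```xml
<!-- web.xml fragment, in Servlet 2.3 element order:
     security-constraint, login-config, security-role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>User Protected Area</web-resource-name>
    <url-pattern>/ovdc/*</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to every
         HTTP method. Listing only DELETE/GET/POST/PUT leaves any method
         that is not listed (HEAD, OPTIONS, ...) outside the constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" is the reserved shorthand for all roles defined in this
         web application, so no single role has to be named here. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- FORM tells the container to intercept requests for protected
       resources, serve the login page, and process the POST to
       j_security_check itself. No servlet or JSP is mapped to that URL. -->
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm (assumed name)</realm-name>
  <form-login-config>
    <!-- Assumed paths, placed outside /ovdc/* so the login and error
         pages are not themselves protected. -->
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <!-- Role names are matched as exact, case-sensitive strings. The realm
       code posted earlier in the thread adds "Slave", which is a
       different string from the "slave" declared here. -->
  <role-name>slave</role-name>
</security-role>
```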
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098912
can you override the hasRole() method to always return true?

CJ
0
 

Author Comment

by:ahuen
ID: 7098916
CJ,

where is hasRole() located?

thanks.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098972
should be in JDBCRealm.

CJ
0
 
LVL 19

Accepted Solution

by:
cheekycj earned 200 total points
ID: 7098981
actually hasRole() is in RealmBase which JDBCRealm extends (so it inherits both the authenticate and hasRole methods from it)

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 7098994
Thanx for the "A".

CJ
0
 
LVL 1

Expert Comment

by:TomBruser
ID: 11739407
Simple solution:

At the start of your login and login-error pages, include the following:

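    if (request.getAttribute("javax.servlet.forward.request_uri") == null) {
        // Page was requested directly rather than reached by a container forward
        response.sendRedirect("/index.jsp");
        return; // stop rendering the rest of the page after the redirect
    }

where /index.jsp is equivalent to some acceptable page to forward users to if they have inadvertently hit the back button to reach the login page.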

To create a logout function, make a logout.jsp that contains the following:

        session.invalidate();
        response.sendRedirect("/index.jsp");

0

Question has a verified solution.
