Solved

Hi, Tomcat Form Authentication example...

Posted on 2006-07-11
Last Modified: 2012-03-19
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024, near the bottom of the page). I check my Tomcat logs and I see that I have logged in successfully, but after I log in I get the message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="sun.jdbc.odbc.JdbcOdbcDriver"
       connectionURL="jdbc:odbc:testMarvel"
       connectionName="marveluser" connectionPassword="marveluser"
       userTable="users" userNameCol="username" userCredCol="pswd"
       userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>Security constraint for resources in the secure directory</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <description>only let the system user login</description>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/LoginForm.html</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>The Secure ROLE</description>
  <role-name>manager</role-name>
</security-role>

4. When I try to log in using "ghostrider" and "password" (values from the 'username' and 'pswd' columns in my users table), I check the Tomcat logs and get "Username ghostrider successfully authenticated", but I still get the message "HTTP Status 403 - Access to the requested resource has been denied".


Can anyone give me an idea what is wrong? If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfectly.

Thanks so much,
noijet
Question by:noijet
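As an added illustration (not code from the thread or from Tomcat), here is the two-step check JDBCRealm performs with the poster's configuration, run against a constructed in-memory SQLite copy of the users and user_roles tables: authentication reads users.pswd, authorisation reads user_roles, and a user with no user_roles row passes the first step and still gets the 403 described above.

```python
import hmac
import sqlite3

# Constructed sample data using the table and column names from the poster's
# JDBCRealm attributes (users.username/pswd, user_roles.rolename). JDBCRealm
# joins user_roles on the same userNameCol, so it needs a username column too.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, pswd TEXT NOT NULL);
CREATE TABLE user_roles (username TEXT NOT NULL REFERENCES users(username),
                         rolename TEXT NOT NULL,
                         PRIMARY KEY (username, rolename));
INSERT INTO users (username, pswd) VALUES ('ghostrider', 'password');
"""
# The one row whose absence gives "successfully authenticated" followed by 403.
GRANT_MANAGER = "INSERT INTO user_roles VALUES ('ghostrider', 'manager')"

def open_db(grant_role: bool) -> sqlite3.Connection:
    """In-memory stand-in for the poster's SQL Server tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if grant_role:
        db.execute(GRANT_MANAGER)
    return db

def authenticate(db, username, password) -> bool:
    """Step 1, the check behind 'Username ... successfully authenticated':
    userCredCol matches. The poster's realm stores it as plaintext."""
    row = db.execute("SELECT pswd FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())

def roles_for(db, username) -> set:
    """Step 2: roles JDBCRealm reads from userRoleTable for this user."""
    rows = db.execute("SELECT rolename FROM user_roles WHERE username = ?",
                      (username,))
    return {r[0] for r in rows}

def access_decision(db, username, password, auth_constraint) -> int:
    """Container decision for a URL under the <security-constraint>.
    401 stands in for the FORM error page; 403 is the poster's symptom:
    valid credentials, but none of the <auth-constraint> roles."""
    if not authenticate(db, username, password):
        return 401
    if auth_constraint.isdisjoint(roles_for(db, username)):
        return 403
    return 200
```

JDBCRealm compares the pswd column as plaintext unless the Realm's digest attribute names a hash algorithm, so the constructed table above mirrors the poster's plaintext column rather than a recommended layout.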
11 Comments

Expert Comment

by:Tomas Helgi Johannsson
ID: 17088809
Does your user "ghostrider" have the role manager ?

Regards,
  Tomas Helgi

Author Comment

by:noijet
ID: 17103145
Hi Tomas, I have only implemented the above changes, how do I have my user "ghostrider" get the role manager?

Thanks so much,
noijet

Accepted Solution

by: Tomas Helgi Johannsson (earned 125 total points)
ID: 17103872
change the weblogic.xml file to

<weblogic-web-app>
      <security-role-assignment>
            <role-name>manager</role-name>
            <principal-name>ghostrider</principal-name>
      </security-role-assignment>
</weblogic-web-app>

That should do the trick.

Regards,
  Tomas Helgi

Author Comment

by:noijet
ID: 17123355
Hi TomasHelgi, thanks for your response. I'm using Tomcat; do I do the exact same thing in the web.xml?

Thanks,
noijet

Expert Comment

by:Tomas Helgi Johannsson
ID: 17123668
hmmm sorry,
yes

Regards,
  Tomas Helgi

Author Comment

by:noijet
ID: 17139680
Hi Tomas, I will try it and get back to you,

noijet

Author Comment

by:noijet
ID: 17169427
Hi Tomas, I'm really bogged down at work; sorry I haven't kept in touch with you more readily. I want to reward points for your great comments, and hopefully when I get to this I can ask you some questions if necessary.

Thanks so much,
noijet

Author Comment

by:noijet
ID: 17188072
Hi Tomas, I plan to create a website with a login page using form-based authentication. I'm using Tomcat as a stand-alone application server for learning. I see that I can add a user and role inside Tomcat_user_role.xml (not sure of exact name) file so that the server would use that to check against when the user inputs the user/password in the input fields. However, I see other programmers (.NET) do not use XML for their user/password or role entries because they store them in the database and dynamically add roles inside their web app. Somehow, they also use form authentication this way: User inputs username/password --> They click submit and a class verifies the user against the database --> If valid, they tell their framework that the user is valid and the framework allows them to log in. This sequence was used by a .NET programmer; I assume we can do the same in Java.

I was wondering what the best approach is for my project. I'm a little lost right now, I'm relatively new to web development, so please reply with as much detail as possible (good tutorial links are good too).

Thanks so much,
noijet

Expert Comment

by:Tomas Helgi Johannsson
ID: 17190850
There are several Online J2EE and Servlet/JSP tutorials both free and commercial.

http://java.sun.com/javaee/reference/tutorials/index.jsp
http://www.exforsys.com/forum/java-tutorials/95154-free-j2ee-tutorials.html
http://www.coreservlets.com/
http://www.gayanb.com/free_j2ee_books.php

These are all very good tutorials.
Then there is always www.theserverside.com with a lot of articles and discussions.
This site is one of top 5 Java sites in my mind.

Regards,
  Tomas Helgi

Author Comment

by:noijet
ID: 17195965
Thanks so much Tomas!

Cheers,
noijet

Expert Comment

by:montblack
ID: 37740146
The problem for me was that I'm using glassfish-web.xml and I should use sun-web.xml for GlassFish 3.0.