?
Solved

Hi, Tomcat Form Authentication example...

Posted on 2006-07-11
11
Medium Priority
?
1,941 Views
Last Modified: 2012-03-19
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024  near bottom of page).  I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied".  I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:<
<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="sun.jdbc.odbc.JdbcOdbcDriver"
connectionURL="jdbc:odbc:testMarvel"
connectionName="marveluser" connectionPassword="marveluser"
userTable="users" userNameCol="username" userCredCol="pswd"
userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>Security constraint for resources in the secure directory</description>
<url-pattern>/secure/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint><description>only let the system user login </description>            
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>

<security-role>
<description>The Secure ROLE</description>
<role-name>manager</role-name>
</security-role>

4. When I try to login using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table).  I check the Tomcat logs, I get: "Username ghostrider successfully authenticated" but I get message "HTTP Status 403 - Access to the requested resource has been denied".  


Can anyone give me an idea what is wrong?  If I take out my realm configuration from servers.xml and use the default Tomcat login ("admin" with no password), I get in perfect.

Thanks so much,
noijet
0
Comment
Question by:noijet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17088809
Does your user "ghostrider" have the role manager ?

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17103145
Hi Tomas, I have only implemented the above changes, how do I have my user "ghostrider" get the role manager?

Thanks so much,
noijet
0
 
LVL 25

Accepted Solution

by:
Tomas Helgi Johannsson earned 500 total points
ID: 17103872
change the weblogic.xml file to

<weblogic-web-app>
      <security-role-assignment>
            <role-name>manager</role-name>
            <principal-name>ghostrider</principal-name>
      </security-role-assignment>
</weblogic-web-app>

That should do the trick.

Regards,
  Tomas Helgi
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:noijet
ID: 17123355
Hi TomasHelgi, thanks for your response, I'm using Tomcat, do I do the same exact thing for the web.xml?

Thanks,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17123668
hmmm sorry,
yes

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17139680
Hi Tomas, I will try it and get back to you,

noijet
0
 

Author Comment

by:noijet
ID: 17169427
Hi Tomas, I'm really bogged down at work to you, sorrie I haven't kept in touch with you more readily.  I want to reward points for your great comments, and hopefully when I get to this I can ask you some questions if necessary.

Thanks so much,
noijet
0
 

Author Comment

by:noijet
ID: 17188072
Hi Tomas, I plan to create a website with a login page using form-based authentication.  I'm using Tomcat as a stand-alone application server for learning.  I see that I can add a user and role inside Tomcat_user_role.xml (not sure of exact name) file so that the server would use that to check against when user inputed in the user/password input fields.  However, I see other programmers (.NET) do not use xml for their user/password or role entries because they store them in the database and dynamically add roles inside their web app.  Somehow, they also use form authentication this way: User inputs username/password --> They click submit and a class verifies the user against the database --> If valid, they tell their framework that the user is valid and the framework allows them to login.  This sequence was used by a .NET programmer, I assume we can do the same in Java.

I was wondering what the best approach is for my project.  I'm a little lost right now, I'm relatively new in web developement, so please reply with as much detail as possible (good tutorial links are good too).

Thanks so much,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17190850
There are several Online J2EE and Servlet/JSP tutorials both free and commercial.

http://java.sun.com/javaee/reference/tutorials/index.jsp
http://www.exforsys.com/forum/java-tutorials/95154-free-j2ee-tutorials.html
http://www.coreservlets.com/
http://www.gayanb.com/free_j2ee_books.php

These are all very good tutorials.
Then there is always www.theserverside.com with a lot of articles and discussions.
This site is one of top 5 Java sites in my mind.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17195965
Thanks so much Tomas!

Cheers,
noijet
0
 

Expert Comment

by:montblack
ID: 37740146
the problem for me was that i'm using glassfish-web.xml and i should use sun-web.xml for glassfish 3.0.
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question