Solved

Hi, Tomcat Form Authentication example...

Posted on 2006-07-11
Last Modified: 2012-03-19
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024, near the bottom of the page). I check my Tomcat logs and I see that I have logged in successfully, but after I log in I get the message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In SQL Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="sun.jdbc.odbc.JdbcOdbcDriver"
       connectionURL="jdbc:odbc:testMarvel"
       connectionName="marveluser" connectionPassword="marveluser"
       userTable="users" userNameCol="username" userCredCol="pswd"
       userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
      <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description>Security constraint for resources in the secure directory</description>
            <url-pattern>/secure/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
      </web-resource-collection>

      <auth-constraint>
            <description>only let the system user login </description>
            <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
            <description>SSL not required</description>
            <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
</security-constraint>

<login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
            <form-login-page>/LoginForm.html</form-login-page>
            <form-error-page>/LoginError.html</form-error-page>
      </form-login-config>
</login-config>

<security-role>
      <description>The Secure ROLE</description>
      <role-name>manager</role-name>
</security-role>

4. When I try to log in using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table) and check the Tomcat logs, I get: "Username ghostrider successfully authenticated", but I get the message "HTTP Status 403 - Access to the requested resource has been denied".


Can anyone give me an idea what is wrong? If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfectly.

Thanks so much,
noijet
Question by:noijet
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17088809
Does your user "ghostrider" have the role manager ?

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17103145
Hi Tomas, I have only implemented the above changes, how do I have my user "ghostrider" get the role manager?

Thanks so much,
noijet
0
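For the JDBCRealm shown in the question, Tomcat resolves a user's roles from rows in the table named by userRoleTable, keyed by the same userNameCol as the user table. The SQL below is an added example, not part of any post in this thread; table and column names come from the Realm element in the question, and the column sizes are assumptions.

```sql
-- Added example. Names match the Realm attributes in the question:
--   userTable="users"  userNameCol="username"  userCredCol="pswd"
--   userRoleTable="user_roles"  roleNameCol="rolename"
-- Column sizes are assumed; adjust to the existing schema.

-- Shape JDBCRealm expects for the role table: one row per (user, role).
-- Skip this statement if user_roles already exists with these columns.
CREATE TABLE user_roles (
    username VARCHAR(50) NOT NULL,
    rolename VARCHAR(50) NOT NULL,
    PRIMARY KEY (username, rolename)
);

-- Map the login account to the role named in <auth-constraint>.
-- The role name must match the <role-name> in web.xml exactly.
INSERT INTO user_roles (username, rolename)
VALUES ('ghostrider', 'manager');

-- Check 1: the roles the realm will find for this account.
-- An empty result here means authentication succeeds but every
-- role-constrained URL such as /secure/* answers with HTTP 403.
SELECT rolename
FROM user_roles
WHERE username = 'ghostrider';

-- Check 2: every account that can authenticate but holds no role at all.
SELECT u.username
FROM users u
LEFT JOIN user_roles r ON r.username = u.username
WHERE r.username IS NULL;
```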
 
LVL 25

Accepted Solution

by:
Tomas Helgi Johannsson earned 125 total points
ID: 17103872
change the weblogic.xml file to

<weblogic-web-app>
      <security-role-assignment>
            <role-name>manager</role-name>
            <principal-name>ghostrider</principal-name>
      </security-role-assignment>
</weblogic-web-app>

That should do the trick.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17123355
Hi TomasHelgi, thanks for your response, I'm using Tomcat, do I do the same exact thing for the web.xml?

Thanks,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17123668
hmmm sorry,
yes

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17139680
Hi Tomas, I will try it and get back to you,

noijet
0
 

Author Comment

by:noijet
ID: 17169427
Hi Tomas, I'm really bogged down at work, sorry I haven't kept in touch with you more readily. I want to reward points for your great comments, and hopefully when I get to this I can ask you some questions if necessary.

Thanks so much,
noijet
0
 

Author Comment

by:noijet
ID: 17188072
Hi Tomas, I plan to create a website with a login page using form-based authentication. I'm using Tomcat as a stand-alone application server for learning. I see that I can add a user and role inside Tomcat_user_role.xml (not sure of exact name) file so that the server would use that to check against when user inputted in the user/password input fields. However, I see other programmers (.NET) do not use xml for their user/password or role entries because they store them in the database and dynamically add roles inside their web app. Somehow, they also use form authentication this way: User inputs username/password --> They click submit and a class verifies the user against the database --> If valid, they tell their framework that the user is valid and the framework allows them to login. This sequence was used by a .NET programmer, I assume we can do the same in Java.

I was wondering what the best approach is for my project. I'm a little lost right now, I'm relatively new in web development, so please reply with as much detail as possible (good tutorial links are good too).

Thanks so much,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17190850
There are several Online J2EE and Servlet/JSP tutorials both free and commercial.

http://java.sun.com/javaee/reference/tutorials/index.jsp
http://www.exforsys.com/forum/java-tutorials/95154-free-j2ee-tutorials.html
http://www.coreservlets.com/
http://www.gayanb.com/free_j2ee_books.php

These are all very good tutorials.
Then there is always www.theserverside.com with a lot of articles and discussions.
This site is one of top 5 Java sites in my mind.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17195965
Thanks so much Tomas!

Cheers,
noijet
0
 

Expert Comment

by:montblack
ID: 37740146
The problem for me was that I'm using glassfish-web.xml and I should use sun-web.xml for GlassFish 3.0.
0
