Solved

Hi, Tomcat Form Authentication example...

Posted on 2006-07-11
Last Modified: 2012-03-19
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024  near bottom of page).  I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied".  I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="sun.jdbc.odbc.JdbcOdbcDriver"
       connectionURL="jdbc:odbc:testMarvel"
       connectionName="marveluser" connectionPassword="marveluser"
       userTable="users" userNameCol="username" userCredCol="pswd"
       userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
      <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description>Security constraint for resources in the secure directory</description>
            <url-pattern>/secure/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
      </web-resource-collection>

      <auth-constraint>
            <description>only let the system user login</description>
            <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
            <description>SSL not required</description>
            <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
</security-constraint>

<login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
            <form-login-page>/LoginForm.html</form-login-page>
            <form-error-page>/LoginError.html</form-error-page>
      </form-login-config>
</login-config>

<security-role>
      <description>The Secure ROLE</description>
      <role-name>manager</role-name>
</security-role>

4. I try to log in using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table). When I check the Tomcat logs, I get: "Username ghostrider successfully authenticated" but I get message "HTTP Status 403 - Access to the requested resource has been denied".

Can anyone give me an idea what is wrong?  If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfect.

Thanks so much,
noijet
Question by:noijet
11 Comments
 

Expert Comment

by:Tomas Helgi Johannsson
ID: 17088809
Does your user "ghostrider" have the role manager ?

Regards,
  Tomas Helgi
0
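
Added example (not part of the thread and not Tomcat's own code): a small Python/sqlite3 model of the two lookups a JDBCRealm configured as in the question performs, showing how a user can be "successfully authenticated" and still receive a 403 when user_roles holds no row for them. The in-memory SQLite database, the sample rows and the helper names are assumptions made for illustration.

```python
import sqlite3
import hmac

# Table and column names mirror the Realm attributes in the question:
#   userTable="users" userNameCol="username" userCredCol="pswd"
#   userRoleTable="user_roles" roleNameCol="rolename"
REQUIRED_ROLE = "manager"  # <role-name> from the web.xml auth-constraint


def make_db():
    """Constructed sample data; in-memory SQLite stands in for the ODBC source."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pswd TEXT NOT NULL)")
    # The role table is keyed by the same column name as userNameCol.
    db.execute("CREATE TABLE user_roles (username TEXT NOT NULL, "
               "rolename TEXT NOT NULL, PRIMARY KEY (username, rolename))")
    db.execute("INSERT INTO users VALUES (?, ?)", ("ghostrider", "password"))
    return db


def authenticate(db, username, password):
    """Step 1, authentication: credential lookup in userTable."""
    row = db.execute("SELECT pswd FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())


def roles_of(db, username):
    """Step 2, input to authorization: role lookup in userRoleTable."""
    rows = db.execute("SELECT rolename FROM user_roles WHERE username = ?",
                      (username,))
    return {r[0] for r in rows}


def request_secure_page(db, username, password):
    """Outcome of a request under /secure/* for the given credentials."""
    if not authenticate(db, username, password):
        return "/LoginError.html"   # form-error-page from login-config
    if REQUIRED_ROLE not in roles_of(db, username):
        return "403 Forbidden"      # authenticated, but lacks the required role
    return "200 OK"


def grant_role(db, username, rolename):
    """Add the (user, role) row that the role lookup is searching for."""
    db.execute("INSERT INTO user_roles VALUES (?, ?)", (username, rolename))
```
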
 

Author Comment

by:noijet
ID: 17103145
Hi Tomas, I have only implemented the above changes, how do I have my user "ghostrider" get the role manager?

Thanks so much,
noijet
0
 

Accepted Solution

by:
Tomas Helgi Johannsson earned 500 total points
ID: 17103872
Change the weblogic.xml file to

<weblogic-web-app>
      <security-role-assignment>
            <role-name>manager</role-name>
            <principal-name>ghostrider</principal-name>
      </security-role-assignment>
</weblogic-web-app>

That should do the trick.

Regards,
  Tomas Helgi
0

Author Comment

by:noijet
ID: 17123355
Hi TomasHelgi, thanks for your response, I'm using Tomcat, do I do the same exact thing for the web.xml?

Thanks,
noijet
0
 

Expert Comment

by:Tomas Helgi Johannsson
ID: 17123668
hmmm sorry,
yes

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17139680
Hi Tomas, I will try it and get back to you,

noijet
0
 

Author Comment

by:noijet
ID: 17169427
Hi Tomas, I'm really bogged down at work to you, sorry I haven't kept in touch with you more readily.  I want to reward points for your great comments, and hopefully when I get to this I can ask you some questions if necessary.

Thanks so much,
noijet
0
 

Author Comment

by:noijet
ID: 17188072
Hi Tomas, I plan to create a website with a login page using form-based authentication.  I'm using Tomcat as a stand-alone application server for learning.  I see that I can add a user and role inside Tomcat_user_role.xml (not sure of exact name) file so that the server would use that to check against when user inputted in the user/password input fields.  However, I see other programmers (.NET) do not use xml for their user/password or role entries because they store them in the database and dynamically add roles inside their web app.  Somehow, they also use form authentication this way: User inputs username/password --> They click submit and a class verifies the user against the database --> If valid, they tell their framework that the user is valid and the framework allows them to login.  This sequence was used by a .NET programmer, I assume we can do the same in Java.

I was wondering what the best approach is for my project.  I'm a little lost right now, I'm relatively new in web development, so please reply with as much detail as possible (good tutorial links are good too).

Thanks so much,
noijet
0
 

Expert Comment

by:Tomas Helgi Johannsson
ID: 17190850
There are several Online J2EE and Servlet/JSP tutorials both free and commercial.

http://java.sun.com/javaee/reference/tutorials/index.jsp
http://www.exforsys.com/forum/java-tutorials/95154-free-j2ee-tutorials.html
http://www.coreservlets.com/
http://www.gayanb.com/free_j2ee_books.php

These are all very good tutorials.
Then there is always www.theserverside.com with a lot of articles and discussions.
This site is one of top 5 Java sites in my mind.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17195965
Thanks so much Tomas!

Cheers,
noijet
0
 

Expert Comment

by:montblack
ID: 37740146
The problem for me was that I'm using glassfish-web.xml and I should use sun-web.xml for glassfish 3.0.
0

Question has a verified solution.