Solved

Hi, Tomcat Form Authentication example...

Posted on 2006-07-11
Last Modified: 2012-03-19
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024  near bottom of page).  I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied".  I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:
<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="sun.jdbc.odbc.JdbcOdbcDriver"
connectionURL="jdbc:odbc:testMarvel"
connectionName="marveluser" connectionPassword="marveluser"
userTable="users" userNameCol="username" userCredCol="pswd"
userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>Security constraint for resources in the secure directory</description>
<url-pattern>/secure/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint><description>only let the system user login </description>            
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>

<security-role>
<description>The Secure ROLE</description>
<role-name>manager</role-name>
</security-role>

4. When I try to login using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table).  I check the Tomcat logs, I get: "Username ghostrider successfully authenticated" but I get message "HTTP Status 403 - Access to the requested resource has been denied".  


Can anyone give me an idea what is wrong?  If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfect.

Thanks so much,
noijet
Question by:noijet
11 Comments
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17088809
Does your user "ghostrider" have the role manager ?

Regards,
  Tomas Helgi
0
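The case this question points at, as an added example that is not part of the original thread: JDBCRealm checks the password against `userTable`, then reads roles from `userRoleTable` using the same `userNameCol`, so a user with no matching `user_roles` row authenticates and is then refused with 403. The sketch assumes sqlite3 as a stand-in for the SQL Server datasource, constructed sample rows, and hypothetical helper names.

```python
import hmac
import sqlite3

# Constructed sample data. Table and column names follow the Realm attributes
# in the question; sqlite3 stands in for the SQL Server ODBC datasource.
def make_db(grant_manager):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pswd TEXT)")
    db.execute("CREATE TABLE user_roles (username TEXT, rolename TEXT)")
    db.execute("INSERT INTO users VALUES ('ghostrider', 'password')")
    if grant_manager:
        db.execute("INSERT INTO user_roles VALUES ('ghostrider', 'manager')")
    return db

def authenticate(db, username, password):
    """Credential lookup: userTable / userNameCol / userCredCol."""
    row = db.execute(
        "SELECT pswd FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())

def roles_for(db, username):
    """Role lookup: userRoleTable / userNameCol / roleNameCol."""
    rows = db.execute(
        "SELECT rolename FROM user_roles WHERE username = ?", (username,)
    )
    return {r[0] for r in rows}

def access_secure(db, username, password, required_role="manager"):
    """Outcome of a request for /secure/* under the <auth-constraint>."""
    if not authenticate(db, username, password):
        return 401  # label for a failed login (FORM shows LoginError.html)
    if required_role not in roles_for(db, username):
        return 403  # authenticated, but the principal lacks the role
    return 200

if __name__ == "__main__":
    for granted in (False, True):
        status = access_secure(make_db(granted), "ghostrider", "password")
        print("user_roles row present:", granted, "->", status)
```
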
 

Author Comment

by:noijet
ID: 17103145
Hi Tomas, I have only implemented the above changes, how do I have my user "ghostrider" get the role manager?

Thanks so much,
noijet
0
 
LVL 25

Accepted Solution

by:
Tomas Helgi Johannsson earned 125 total points
ID: 17103872
Change the weblogic.xml file to

<weblogic-web-app>
      <security-role-assignment>
            <role-name>manager</role-name>
            <principal-name>ghostrider</principal-name>
      </security-role-assignment>
</weblogic-web-app>

That should do the trick.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17123355
Hi TomasHelgi, thanks for your response, I'm using Tomcat, do I do the same exact thing for the web.xml?

Thanks,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17123668
hmmm sorry,
yes

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17139680
Hi Tomas, I will try it and get back to you,

noijet
0
 

Author Comment

by:noijet
ID: 17169427
Hi Tomas, I'm really bogged down at work to you, sorry I haven't kept in touch with you more readily.  I want to reward points for your great comments, and hopefully when I get to this I can ask you some questions if necessary.

Thanks so much,
noijet
0
 

Author Comment

by:noijet
ID: 17188072
Hi Tomas, I plan to create a website with a login page using form-based authentication.  I'm using Tomcat as a stand-alone application server for learning.  I see that I can add a user and role inside Tomcat_user_role.xml (not sure of exact name) file so that the server would use that to check against when user inputted in the user/password input fields.  However, I see other programmers (.NET) do not use xml for their user/password or role entries because they store them in the database and dynamically add roles inside their web app.  Somehow, they also use form authentication this way: User inputs username/password --> They click submit and a class verifies the user against the database --> If valid, they tell their framework that the user is valid and the framework allows them to login.  This sequence was used by a .NET programmer, I assume we can do the same in Java.

I was wondering what the best approach is for my project.  I'm a little lost right now, I'm relatively new in web development, so please reply with as much detail as possible (good tutorial links are good too).

Thanks so much,
noijet
0
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 17190850
There are several Online J2EE and Servlet/JSP tutorials both free and commercial.

http://java.sun.com/javaee/reference/tutorials/index.jsp
http://www.exforsys.com/forum/java-tutorials/95154-free-j2ee-tutorials.html
http://www.coreservlets.com/
http://www.gayanb.com/free_j2ee_books.php

These are all very good tutorials.
Then there is always www.theserverside.com with a lot of articles and discussions.
This site is one of top 5 Java sites in my mind.

Regards,
  Tomas Helgi
0
 

Author Comment

by:noijet
ID: 17195965
Thanks so much Tomas!

Cheers,
noijet
0
 

Expert Comment

by:montblack
ID: 37740146
The problem for me was that I'm using glassfish-web.xml and I should use sun-web.xml for glassfish 3.0.
0
