mock5c
asked on
form based j_security_check authentication
It has been around 2 years since I've had to configure an application that uses j_security_check for form-based authentication.
I've recently made some major changes to a database (split it into a cluster of databases) and changed table names, etc.
My login.html page contains this code:
My server.xml file contains this part:
I've made changes to the server.xml file expecting NOT to be able to login. For example, I've changed user_t to blah_t. Then I restarted tomcat server (assuming this is necessary). However, I can STILL login.
I'm not exactly sure why this is. With my DB changes, I'm expecting to change userTable="user_t" to userTable="common.user_t". But I don't want to begin work if I can't break this in the first place.
So, exactly how does tomcat j_security_check know which table to find the username for authentication if making changes to the above doesn't seem to affect my login?
I've recently made some major changes to a database (split it into a cluster of databases) and changed table names, etc.
My login.html page contains this code:
<form method="POST" action="j_security_check">
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="j_username"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="j_password"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
My server.xml file contains this part:
driverName="org.postgresql.Driver" connectionURL="jdbc:postgresql://localhost:5432/mydb?user=my_user& password=my_password" digest="md5" userTable="user_t" userNameCol="username" userCredCol="password" userRoleTable="user_role_t" roleNameCol="role_name"/>
I've made changes to the server.xml file expecting NOT to be able to login. For example, I've changed user_t to blah_t. Then I restarted tomcat server (assuming this is necessary). However, I can STILL login.
I'm not exactly sure why this is. With my DB changes, I'm expecting to change userTable="user_t" to userTable="common.user_t".
So, exactly how does tomcat j_security_check know which table to find the username for authentication if making changes to the above doesn't seem to affect my login?
can you check FormAuthenticator.java. you can know which user name and password it will take or refer
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I got it working and I now know what the problem was.
The mind-boggling thing was that in my test environment, I could make the changes and got the expected behavior (could not log in when providing a table name that does not exist). But in the production environment, I could change it to anything and still be able to log in. It turned out that the conf files in the test environment that I changed were symbolically linked to /etc/tomcat6 directory but in the production environment, it was just copy of the server.xml and not symbolically linked to the actual file that need to be changed.
Anyway, thanks for explaining about <Realm and <Host setting and the fact that I must restart tomcat every time server.xml file is changed.
The mind-boggling thing was that in my test environment, I could make the changes and got the expected behavior (could not log in when providing a table name that does not exist). But in the production environment, I could change it to anything and still be able to log in. It turned out that the conf files in the test environment that I changed were symbolically linked to /etc/tomcat6 directory but in the production environment, it was just copy of the server.xml and not symbolically linked to the actual file that need to be changed.
Anyway, thanks for explaining about <Realm and <Host setting and the fact that I must restart tomcat every time server.xml file is changed.
Thanks for posting back with the explanation of the problem. I think it's part of what we do, confirm how things work, so that you can start looking for alternative explanations.
:) .... i am not clearly understand the question ... but gr8 by mrcoffee365 ...