Caroline: Tomcat authentication will not work if you store your usernames in a JDBC source and your user roles in $TOMCAT_HOME/conf/tomcat-users.xml. You must store the users and roles in the same JDBC source. Do you store your roles in table user_roles?
Please post your <security-constraint> and <login-config> for the first application (artimus_1_1). Also, the connection URL in your JDBCRealm statement does not look correct. You seem to be missing a question mark (?) between "artimus" and "user".

BASIC authentication does not imply that the user roles are stored in $TOMCAT_HOME/conf/tomcat-users.xml. It requires that the browser accepts the username and password, sends it to the server for authentication, and stores the authenticated session information. FORM authentication, however, uses a form to accept the username and password, executes a specific servlet to authenticate the user, and stores the authenticated session information on the server. In order to log out of a BASIC authentication session, the user need only close the browser, but in order to log out of a FORM authentication session, the application must invalidate the session.

Derek

-------------------------------------
Derek Mahar
Software Developer
Penson Financial Services Canada
360 St-Jacques St West, 12th Floor
Montreal QC H2Y 1P5
514.841.9665 x212 Phone
514.841.9700 Fax
-------------------------------------

-----Original Message-----
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: October 11, 2003 11:21 PM
To: [EMAIL PROTECTED]
Subject: Tomcat JDBCRealm And <security-constraint> in the web.xml

My applications behave weird after I configured the JDBCRealm. After experimenting in many different ways, I found that as long as I have the JDBCRealm in the server.xml, the Tomcat does not accept <security-constraint> specified in the application's web.xml file. Please help me.
My configuration in the $TOMCAT_HOME/conf/server.xml is shown below:

    <Engine>
      <Host>
        <Context>
          <Realm className="org.apache.catalina.realm.JDBCRealm"
                 debug="99"
                 driverName="com.mysql.jdbc.Driver"
                 connectionURL="jdbc:mysql://localhost:3306/artimus user=javauser&password=javadude"
                 userTable="members"
                 userNameCol="user_name"
                 userCredCol="user_password"
                 userRoleTable="user_roles"
                 roleNameCol="user_role"/>
        </Context>
      </Host>
    </Engine>

What happened is:

First, I have an application artimus_1_1 that had worked well before JDBCRealm was inserted in the server.xml. Now, whenever I run the same application, I get:

    HTTP Status 404 -/artimus_1_1
    description: The requested resource(/artimus_1_1) is not available.

The web.xml of the application artimus_1_1 has <security-constraint> element in it and uses BASIC to authenticate users (i.e. the roles of the users are stored in the $TOMCAT_HOME/conf/tomcat-users.xml.)

Second, I am working on another application. And I want to use FORM-based container-managed authentication for this application. I had

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/signin/logon.jsp</form-login-page>
        <form-error-page>/signin/logon.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

in the web.xml file and I had JDBCRealm in the $TOMCAT_HOME/conf/server.xml. I was able to display the welcome page.

Thereafter, I inserted <security-constraint> preceding the <login-config> element, and inserted <security-role> following the <login-config> element. The application stops functioning. I get:

    HTTP Status 404 -/PracticeVersion
    description: The requested resource(/PracticeVersion) is not available.
in the browser, and I have this message in the Tomcat log file (the Tomcat log file can be found in the attachment):

    LifecycleException: Container StandardContext[/PracticeVersion] has not been started

This is what my PracticeVersion/WEB-INF/web.xml looks like when the problem happens (nothing is wrong with the specification and order of the tags):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Administrative</web-resource-name>
        <!-- The URLs to protect -->
        <url-pattern>/do/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- The authorized users -->
        <role-name>administrator</role-name>
        <role-name>editor</role-name>
        <role-name>contributor</role-name>
        <role-name>advisor</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/signin/logon.jsp</form-login-page>
        <form-error-page>/signin/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    <security-role>
      <role-name>advisor</role-name>
    </security-role>
    <security-role>
      <role-name>editor</role-name>
    </security-role>
    <security-role>
      <role-name>contributor</role-name>
    </security-role>
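
Added example (not part of either message, and not Tomcat's own code): a small Python model of the two lookups a JDBCRealm configured like the posted <Realm> performs, illustrating the point in the reply that users and roles must live in the same JDBC source. SQLite stands in for MySQL, and the sample users, passwords and function names are constructed for illustration.

```python
import hmac
import sqlite3

# Roles allowed by the <auth-constraint> in the posted web.xml.
ALLOWED_ROLES = {"administrator", "editor", "contributor", "advisor"}


def build_db(users, roles):
    """Create the tables named in the posted <Realm> (SQLite stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members ("
               "user_name TEXT PRIMARY KEY, user_password TEXT NOT NULL)")
    db.execute("CREATE TABLE user_roles ("
               "user_name TEXT NOT NULL, user_role TEXT NOT NULL, "
               "PRIMARY KEY (user_name, user_role))")
    db.executemany("INSERT INTO members VALUES (?, ?)", users)
    db.executemany("INSERT INTO user_roles VALUES (?, ?)", roles)
    return db


def authenticate(db, user, password):
    """Return the user's roles as a set, or None if the credentials do not match."""
    row = db.execute("SELECT user_password FROM members WHERE user_name = ?",
                     (user,)).fetchone()
    # The posted <Realm> has no digest attribute, so the column is compared as clear text.
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    found = db.execute("SELECT user_role FROM user_roles WHERE user_name = ?", (user,))
    return {r[0] for r in found}


def access(db, user, password, allowed=ALLOWED_ROLES):
    """Outcome of requesting a URL protected by the <security-constraint>."""
    roles = authenticate(db, user, password)
    if roles is None:
        return "login-failed"
    # Authenticated users without a listed role are refused (HTTP 403).
    return "granted" if roles & allowed else "forbidden"


# Constructed sample data: "carol" has a role row; "dave" has none in the database,
# as if his role existed only in tomcat-users.xml.
DB = build_db(users=[("carol", "s3cret"), ("dave", "hunter2")],
              roles=[("carol", "editor")])

if __name__ == "__main__":
    for name, pw in [("carol", "s3cret"), ("dave", "hunter2"), ("carol", "wrong")]:
        print(name, access(DB, name, pw))
```

The role lookup uses the same user_name column as the credential lookup, so the user_roles table needs both user_name and user_role columns for the realm to find any roles.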