-Original Message-
From: Neven Cvetkovic [mailto:neven.cvetko...@gmail.com]
Sent: Friday, 5 September 2014 11:40 PM
To: Tomcat Users List
Subject: Re: web.xml authentication and Tomcat Realm
Hey Janusz,
On Thu, Sep 4, 2014 at 8:02 PM, Dalecki, Janusz jdale...@tycoint.com
wrote:
Follow the link Chris provided. It will give you some ideas about how Realms
work.
(Note that using JDBCRealm will give you terrible performance: use a
DataSourceRealm instead with a JNDI DataSource.)
You really need to read this:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
- -chris
Hi,
Sorry I need to explain my problem more clearly.
I have put JDBCRealm configuration with all details in the META-INF
folder:
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://localhost:5432/df_Scheduler?user=postgres&amp;password=admin"
       userTable="users" userNameCol="userName" userCredCol="password"
       userRoleTable="user_roles" roleNameCol="roleName"/>
Where specifically did you put in this Realm information? Is it
YourApp.war/META-INF/context.xml file?
What this configuration means is that your users/passwords for authentication
and users/roles for authorization are going to be stored in the JDBCRealm, i.e.
in your Postgres database called df_Scheduler, more specifically in your
users table and in your user_roles table.
You can connect to your database and see specifically what users and roles are
defined in these tables, e.g.
psql -U postgres -W -h localhost df_Scheduler (prompted for password)
SELECT userName,password FROM users;
Should give you all the users and their passwords, e.g.
janusz / mypassword1
john / mypassword2
...
SELECT * FROM user_roles;
Should give you all users and their respective roles, one combination per row/record,
e.g.
janusz TPA_USER
janusz TPA_ADMIN
janusz SYSADMIN
john TPA_USER
...
You need to inspect and see that the actual username/password combinations
actually exist in the database.
In my web.xml I have login-config element and security constraint as
follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/auth/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SYSADMIN</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>SYSADMIN</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
  <!--<realm-name>Admin</realm-name>-->
</login-config>
What this configuration in the YourApp.war/WEB-INF/web.xml file does is apply to all
requests made to /auth/*, e.g.
http://blahblah/YourApp/auth/
So, all these requests will need to know who makes the call (Authorization), and
once you log in, the logged-in user needs to have the SYSADMIN role defined in the Realm.
Also, the login-config mandates the BASIC login mechanism, i.e. a popup window asking for
username/password.
So, once you make the first request, your browser will pop up an authentication
window asking you for username and password; it would have said Admin, but you
commented out the <realm-name>Admin</realm-name> in the login-config
configuration.
Once you submit username/password, it will try to authenticate against whatever
Realm was set up (I will get to this point later). If the username/password
combination does not match, it asks again, and again, and again, until you
press ESC, at which point you get redirected to the 401 (Not
Authenticated) page.
Next, if the username/password combination was successful, the user is
Authenticated; next, it needs to be Authorized, i.e. it needs to be associated
with the Role defined in the auth-constraint, e.g. SYSADMIN. So, whoever logged
in needs to have the SYSADMIN role in order to get to the resources
(/auth/* pages). If they don't have the required role, the server would return
a 403 (Forbidden) page. If they do have the required role, the server would
proceed with the request (i.e. the happy path).
I have defined users and passwords as explained in the TOMCAT Realm
Configuration – HOW TO.
When I ask for a page /auth/*, the user/password dialog box pops up,
and no matter what I type in the user name field and password field, it
pops up again forever.
What am I doing wrong?
Now, there are two things that could be the reason for the behaviour you
described:
(1) The realm defined for this application is ignored or not set up properly.
The easiest test would be to change the password, restart the server,
and try logging in again. See if the console/logfile shows any errors. If it
does, you will know your Realm configuration is being read.
(That's a good thing, you know your configuration is being read!) If you don't
observe any errors, and you get the same type of behaviour, that means your