Re: Configuring Combined Realm
Hello Brian,

On Mo, 2013-10-28 at 07:46 -0400, J. Brian Hall wrote:
> How can I configure CombinedRealm in order to: (1) use JDBCRealm for my
> webapp with form-based authentication while (2) also using the default
> UserDatabaseRealm for the Tomcat Web Application Manager? I can get one
> or the other to work, but not both. Here are the details of my setup:

You don't need CombinedRealm to set up two different Realms for two different contexts (webapps). In fact, it is not what you want. Just put the realm definitions into the contexts for the webapps.

So the context for your webapp - I will name it appA - would probably be something like this (file: $CATALINA_BASE/conf/Catalina/localhost/appA.xml or $CATALINA_BASE/webapps/appA/META-INF/context.xml)

    <Context>
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/authority"... />
      ...
    </Context>

While the context definition for the manager application would take the realm definition for the UserDatabaseRealm (file: $CATALINA_BASE/conf/Catalina/localhost/manager.xml or $CATALINA_BASE/webapps/manager/META-INF/context.xml)

    <Context antiResourceLocking="false" privileged="true">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      ...
    </Context>

You can wrap those realms with the LockOutRealm as done in your examples, of course.

Note that I replaced JDBCRealm with DataSourceRealm, since it is better suited for production. Look at http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#DataSourceRealm for more details to configure it.

Regards
 Felix
RE: Configuring Combined Realm
Folks, please ignore my question. I found the problem. Basically, I had the same username / password combination in both databases used under CombinedRealm (which would be fine), but the associated role_name was different and that's what caused the problem. In any event, all is working. Sorry for the fuss.

From: J. Brian Hall [mailto:jbrianhall...@me.com]
Sent: Monday, October 28, 2013 7:46 AM
To: 'users@tomcat.apache.org'
Subject: Configuring Combined Realm

How can I configure CombinedRealm in order to: (1) use JDBCRealm for my webapp with form-based authentication while (2) also using the default UserDatabaseRealm for the Tomcat Web Application Manager? I can get one or the other to work, but not both. Here are the details of my setup:

- OS: Windows 7
- Server: Tomcat 7.0.42
- Database: MySQL 5.6

Articles I have used up to this point:

1. Form-based authentication with Tomcat 7 and MySQL: http://www.thejavageek.com/2013/07/07/configure-jdbcrealm-jaas-for-mysql-and-tomcat-7-with-form-based-authentication/
2. Configuring CombinedRealm: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#CombinedRealm
3. Lastly, note that my database, tables, and Connector/J are set up per instructions above and I am able to log in to my webapp with form-based authentication when only using JDBCRealm, but I then can't log in to the Tomcat Web Application Manager.

I configured the file CATALINA_HOME/config/server.xml in two ways:

1. I've identified the following global resources:

    <!--Resource for Tomcat Web App Manager-->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

    <!--Resource for my webapp-->
    <Resource name="jdbc/authority" auth="Container"
              type="javax.sql.DataSource"
              driverClassName="com.mysql.jdbc.Driver"
              description="mySQL Database"
              url="jdbc:mysql://localhost:3306/authority"
              maxActive="15" maxidle="3"/>

2. I've nested Realms within CombinedRealm as follows:

    <Realm className="org.apache.catalina.realm.CombinedRealm">
      <!-- LockOutRealm to prevent brute-force attack. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="3" lockoutTime="3600"/>
      <!-- Default Realm for Tomcat Application Manager -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <!-- JDBC Realm for my webapp. -->
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="com.mysql.jdbc.Driver"
             connectionURL="jdbc:mysql://localhost:3306/authority"
             connectionName="root" connectionPassword="root"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name"/>
    </Realm>

Lastly, I configured my CATALINA_HOME/webapps/[mywebapp]/WEB-INF/web.xml file as follows:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app version="2.4"
             xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name>webapp</display-name>
      <description>Form-Based Authentication with mySQL</description>
      <resource-ref>
        <description>mySQL Database</description>
        <res-ref-name>jdbc/authority</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>webappuser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
    </web-app>
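The per-context layout from Felix's reply written out in full, as an added example that is not part of the original thread; with one realm per webapp, a user name that exists in both stores with different roles (the cause reported above) can no longer pick up the wrong role set. The table and column names are taken from the JDBCRealm definition in the thread; the database account `tomcat_auth` and its password are placeholders, and `lockOutTime` / `maxIdle` use the capitalisation given in the Tomcat documentation.

```xml
<!-- server.xml, inside <GlobalNamingResources>: the thread's DataSource plus
     the account the pool connects as. "tomcat_auth" / CHANGE_ME are
     placeholders (assumption); grant that account SELECT on the two auth
     tables only instead of connecting as root. -->
<Resource name="jdbc/authority" auth="Container" type="javax.sql.DataSource"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/authority"
          username="tomcat_auth" password="CHANGE_ME"
          maxActive="15" maxIdle="3"/>

<!-- $CATALINA_BASE/conf/Catalina/localhost/appA.xml ("appA" as in the reply) -->
<Context>
  <!-- LockOutRealm only protects realms nested inside it, so it is an
       open/close pair here, not a self-closed sibling. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="3" lockOutTime="3600">
    <!-- Resolves jdbc/authority from the global resources above
         (localDataSource defaults to false). Roles for appA come only from
         user_roles, so a same-named entry in tomcat-users.xml is never
         consulted for this webapp. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authority"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"/>
  </Realm>
</Context>

<!-- $CATALINA_BASE/conf/Catalina/localhost/manager.xml -->
<Context antiResourceLocking="false" privileged="true">
  <!-- The Manager keeps the file-backed UserDatabase, with the same
       lockout policy applied to it. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="3" lockOutTime="3600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
</Context>
```

A Realm defined inside a Context takes precedence over one defined on the enclosing Host or Engine, so each webapp consults only the realm in its own context file.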
RE: Configuring Combined Realm
Hey Felix, thanks much. This is a better alternative for what I am doing.

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Monday, October 28, 2013 8:38 AM
To: Tomcat Users List
Subject: Re: Configuring Combined Realm