Fw: Re: JDBCRealm
Is there a way to tell Tomcat to use a 'salt' when generating the MD5 digest for JDBCRealm authentication? If not, I think this is a feature that should be added in the future. For example,

    <Realm className="org.apache.catalina.realm.JDBCRealm" ...
           userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
           digest="MD5" salt="usename" />

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

-- Forwarded Message ---
From: Rob Abernethy IV [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Sun, 12 Jan 2003 14:30:22 +0800
Subject: Re: JDBCRealm

Alright, I finally have my answer. Postgres prepends the username to the password before creating the digest. For example, if I wish to create a postgres account with the username 'tomcat' and password 'tomcat', postgres will prepend 'tomcat' to 'tomcat' to create 'tomcattomcat' and then make the digest. Unfortunately, I don't think there is any way to tell postgres *not* to use a salt when creating the encrypted version of the password.

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Ok, I got Java and Perl to come up with the same digest. Postgres' is different. I think it has something to do with the 'salt'. Postgres uses the username as salt. I don't know much about MD5 encryption, but it seems as though Java is using a different salt and, therefore, coming up with a different digest.

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Clear-text password: tomcat

    java org.apache.catalina.RealmBase -a MD5 tomcat
    1b359d8753858b55befa0441067aaed3

    select passwd from pg_shadow where usename='tomcat'
    md5efcc1c51a80be13b59cdb96d758a0184

    md5sum -t tomcat
    042d39e062dd4bf342e088dc832526f9

    String password = "tomcat";
    byte[] md_password = password.getBytes();
    MessageDigest md = MessageDigest.getInstance("MD5");
    byte[] md_hash = md.digest(md_password);
    System.out.println(md_hash);
    [B@15f5897

So obviously the authentication is failing because the MD5'd passwords don't match. Tomcat is calculating the digest using the RealmBase and the digest stored in the table was created by Postgres. Is there a reason why these are all different?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

- Original Message -

The MD5'd password *is* in the pg_shadow.passwd column. I don't see what I'm doing wrong.

Is Postgres (or anything other than Java) generating the MD5'd passwords for the pg_shadow table? If so, have you manually generated the MD5's to see if they are the same? Even if they are you can run into problems with storage formats. If Postgres is using a different char set than the Java JVM for manipulating the strings, you can have mismatches. Also, if you use CHAR instead of VARCHAR you may have extra spaces stuck on the end of the returned string to pad it out. The MD5 is longer than the string it is generated from so you need to make sure you have plenty of room for it.

For example if Java is using UTF-8 and Postgres is using Win1251, the same character can be represented by different numbers. You usually see this with special or non-English characters. Your web app stores a string in the database, then you look at it with a database with a browsing tool and some characters are different or get returned as ???. This can play hell with MD5 calculations.

And, as far as confusing postgres users with tomcat users, is there a problem with using the same user for both? I kind of thought that was the point. When I create a user, they can use the same username and password to access tomcat web apps that they use to connect to the database.

That only works if you wait to define connections inside your web app. This severely limits the effectiveness of connection pools. That chews up huge amounts of resources in a web app used by lots of users because building and tearing down connections uses a lot of cycles and memory. Even if you pool in your web app each user will have their own pool and at least one real connection will have to be opened for each user. You can get around this on some databases if they let you set the role or the user on an open connection. That is very non-standard and could cause problems if you switch databases.

All users of a web app usually share the same database username/password in a connection pooled environment where you are using a dataSource. It gets locked in at the time the dataSource is set up. So all users of the web app have the same read, update, select privileges. If you want to restrict that on a per user basis you have to enforce that in your web app, usually using Tomcat Roles. A Tomcat Role differs from a database Role, so you have to be careful there. You may or may not have
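
The mismatch this thread arrives at, as an added Java example (not code from any poster or from Tomcat): a realm with digest="MD5" compares against the plain hex MD5 of the password, while an md5 entry in pg_shadow is the literal prefix "md5" followed by the hex MD5 of the password concatenated with the user name. The class and method names are hypothetical; the two stored values are the ones quoted in the thread, the padded one is constructed to show the CHAR-versus-VARCHAR caveat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: works out which scheme produced a stored credential. */
public class DigestMismatch {

    enum Scheme { TOMCAT_MD5, POSTGRES_MD5, NO_MATCH }

    /** Hex-encode a digest. Printing the byte[] itself only yields "[B@<hash>". */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** MD5 over an explicit charset, so JVM and database defaults cannot differ. */
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return hex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** What a realm with digest="MD5" expects in userCredCol: md5(password). */
    static String tomcatDigest(String password) {
        return md5Hex(password);
    }

    /** PostgreSQL md5 entry in pg_shadow: "md5" + md5(password + username). */
    static String postgresShadow(String username, String password) {
        return "md5" + md5Hex(password + username);
    }

    /** Constant-time comparison of two credential strings. */
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    /** A CHAR(n) column pads with spaces; a VARCHAR column does not. */
    static boolean isPadded(String stored) {
        return !stored.equals(stored.trim());
    }

    static Scheme classify(String stored, String username, String password) {
        String value = stored.trim(); // ignore CHAR(n) padding for the comparison
        if (same(value, postgresShadow(username, password))) {
            return Scheme.POSTGRES_MD5;
        }
        if (same(value, tomcatDigest(password))) {
            return Scheme.TOMCAT_MD5;
        }
        return Scheme.NO_MATCH;
    }

    public static void main(String[] args) {
        String user = "tomcat";
        String password = "tomcat";
        String[] stored = {
            "md5efcc1c51a80be13b59cdb96d758a0184", // pg_shadow.passwd quoted in the thread
            "1b359d8753858b55befa0441067aaed3",    // RealmBase output quoted in the thread
            tomcatDigest(password) + "        ",   // constructed: value read from a CHAR(40) column
        };
        for (String s : stored) {
            System.out.printf("%-42s scheme=%s padded=%b%n",
                    "'" + s + "'", classify(s, user, password), isPadded(s));
        }
        // The value an application-owned users table (not pg_shadow) would
        // hold for this password when the realm uses digest="MD5".
        System.out.println("userCredCol value for Tomcat: " + tomcatDigest(password));
    }
}
```

A POSTGRES_MD5 result means the realm is pointed at a credential Tomcat cannot reproduce from the password alone, which is the failure reported in the thread.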
Re: LifecycleException when setting up JDBCRealm w postgres 7.2.1
Try looking at your Postgres logs for more information. Edit your postgresql.conf file by setting 'syslog' to 1 or 2. Then check your system logs after you try to start up Tomcat. Other options to consider in your postgresql.conf file:

    log_connections = true
    debug_level = 4
    debug_print_query = true

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Hello,

I've had a hard time setting up a JDBCRealm in Tomcat 4.1.18 Win2k connecting to a postgresql 7.2.1 server on a separate machine. I've set up the server.xml following the directions to a tee:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driver="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://my.database.com/dbname"
           connectionName="username" connectionPassword="password"
           digest="MD5"
           userTable="users" userNameCol="username" userCredCol="password"
           userRoleTable="user_roles" roleNameCol="role_name" />

I have copied pg73jdbc2.jar (I've also tried pg73jdbc3.jar) to the common/lib directory. I can connect to postgresql through jsp just fine, through simple jdbc just fine. I have searched the mailing list archives and groups.google.com; none of the answers seem to apply. I originally had the problem with tomcat 4.1.3 and I upgraded but to no avail. Please help.

I get this error message when I start up tomcat with this realm config:

    Bootstrap: Create Catalina server
    Bootstrap: Starting service
    Starting service Tomcat-Standalone
    Apache Tomcat/4.1.18
    Catalina.start: LifecycleException: Exception opening database connection: java.sql.SQLException
    LifecycleException: Exception opening database connection: java.sql.SQLException
        at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:681)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1173)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
        at org.apache.catalina.core.StandardService.start(StandardService.java:497)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2189)
        at org.apache.catalina.startup.CatalinaService.start(CatalinaService.java:273)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.BootstrapService.start(BootstrapService.java:245)
        at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:307)
    - Root Cause -
    java.sql.SQLException
        at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:606)
        at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:679)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1173)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
        at org.apache.catalina.core.StandardService.start(StandardService.java:497)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2189)
        at org.apache.catalina.startup.CatalinaService.start(CatalinaService.java:273)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.BootstrapService.start(BootstrapService.java:245)
        at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:307)
    Bootstrap: Service started

-- To unsubscribe, e-mail: mailto:tomcat-user- [EMAIL PROTECTED] For additional commands, e-mail: mailto:tomcat-user- [EMAIL PROTECTED]
Re: JDBCRealm
)
3. apache decrypts everything and passes it onto tomcat
4. tomcat makes a MD5 form of the given password
5. tomcat compares this with the MD5 password taken from the database

Does that sound right?

Yes, with the caveats above. Good Luck!

Rick

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Yeah, looks like you almost have it. The MD5'd password should be in pg_shadow in the userCredCol, passwd in this case.

Be advised that you should either use only HTTPS for this, or run Tomcat on the same server as Postgres, or run them both on a secure net behind a firewall on separate machines to prevent your Postgres database from being compromised. MD5 really only prevents snoops on your server from being able to easily read the passwords in pg_shadow.

Rick

- Original Message -

* Rob Abernethy IV [EMAIL PROTECTED] [0154 21:54]:

OK. I was able to get clear-text passwords to work, but I still can't get encrypted passwords to work. Using MD5 encryption, Tomcat is able to successfully open a connection to the database using the JDBCRealm set up in the server.xml, but it is unable to authenticate users for the admin web app. I am using the same username and password (username = tomcat, password = tomcat) for both the JDBCRealm and the admin web app.

JDBCRealm:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
           connectionName="abernethy" connectionPassword="gceIlu4DaR"
           userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
           userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:

     usename | passwd
    ---------+-------------------------------------
     tomcat  | md5efcc1c51a80be13b59cdb96d758a0184

You are confusing postgres usernames/passwords with the ones you want in the tables. Tomcat connects to the database as user connectionName, password connectionPassword and looks up http authentication users and passwords in userTable and userRoleTable. It looks from your post like you have that backwards (pg_shadow holds postgres users, not users for your apps).

postgresql log (for admin web app authentication):

    Jan 7 16:43:34 bilbo postgres[4329]: [9] LOG: query: SELECT passwd FROM pg_shadow WHERE usename = 'tomcat'
    Jan 7 16:43:34 bilbo postgres[4329]: [10] LOG: duration: 0.001636 sec

catalina_log.2003-01-07.txt:

    2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

-- Rasputin :: Jack of All Trades - Master of Nuns
Re: JDBCRealm
Clear-text password: tomcat

    java org.apache.catalina.RealmBase -a MD5 tomcat
    1b359d8753858b55befa0441067aaed3

    select passwd from pg_shadow where usename='tomcat'
    md5efcc1c51a80be13b59cdb96d758a0184

    md5sum -t tomcat
    042d39e062dd4bf342e088dc832526f9

    String password = "tomcat";
    byte[] md_password = password.getBytes();
    MessageDigest md = MessageDigest.getInstance("MD5");
    byte[] md_hash = md.digest(md_password);
    System.out.println(md_hash);
    [B@15f5897

So obviously the authentication is failing because the MD5'd passwords don't match. Tomcat is calculating the digest using the RealmBase and the digest stored in the table was created by Postgres. Is there a reason why these are all different?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

- Original Message -

The MD5'd password *is* in the pg_shadow.passwd column. I don't see what I'm doing wrong.

Is Postgres (or anything other than Java) generating the MD5'd passwords for the pg_shadow table? If so, have you manually generated the MD5's to see if they are the same? Even if they are you can run into problems with storage formats. If Postgres is using a different char set than the Java JVM for manipulating the strings, you can have mismatches. Also, if you use CHAR instead of VARCHAR you may have extra spaces stuck on the end of the returned string to pad it out. The MD5 is longer than the string it is generated from so you need to make sure you have plenty of room for it.

For example if Java is using UTF-8 and Postgres is using Win1251, the same character can be represented by different numbers. You usually see this with special or non-English characters. Your web app stores a string in the database, then you look at it with a database with a browsing tool and some characters are different or get returned as ???. This can play hell with MD5 calculations.

And, as far as confusing postgres users with tomcat users, is there a problem with using the same user for both? I kind of thought that was the point. When I create a user, they can use the same username and password to access tomcat web apps that they use to connect to the database.

That only works if you wait to define connections inside your web app. This severely limits the effectiveness of connection pools. That chews up huge amounts of resources in a web app used by lots of users because building and tearing down connections uses a lot of cycles and memory. Even if you pool in your web app each user will have their own pool and at least one real connection will have to be opened for each user. You can get around this on some databases if they let you set the role or the user on an open connection. That is very non-standard and could cause problems if you switch databases.

All users of a web app usually share the same database username/password in a connection pooled environment where you are using a dataSource. It gets locked in at the time the dataSource is set up. So all users of the web app have the same read, update, select privileges. If you want to restrict that on a per user basis you have to enforce that in your web app, usually using Tomcat Roles. A Tomcat Role differs from a database Role, so you have to be careful there. You may or may not have access to the databases user Role table depending on the database. The problem is that if your dataSource belongs to user tomcat and user Joe logs into the web app the database may not let tomcat look at Joe's database Roles for security reasons.

Thanks for the pointers on security. Both Tomcat and Postgres are on the same server. I'm also planning on using HTTPS, but apache will handle that part. I think it will work something like this:

1. user types username and password (clear-text) into form
2. web browser encrypts everything and sends it to web server (https)
3. apache decrypts everything and passes it onto tomcat
4. tomcat makes a MD5 form of the given password
5. tomcat compares this with the MD5 password taken from the database

Does that sound right?

Yes, with the caveats above. Good Luck!

Rick

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Yeah, looks like you almost have it. The MD5'd password should be in pg_shadow in the userCredCol, passwd in this case.

Be advised that you should either use only HTTPS for this, or run Tomcat on the same server as Postgres, or run them both on a secure net behind a firewall on separate machines to prevent your Postgres database from being compromised. MD5 really only prevents snoops on your server from being able to easily read the passwords in pg_shadow.

Rick

- Original Message -

* Rob Abernethy IV [EMAIL PROTECTED] [0154 21:54]:

OK. I was able to get clear-text passwords to work, but I still can't get encrypted passwords to work. Using
Re: JDBCRealm
The MD5'd password *is* in the pg_shadow.passwd column. I don't see what I'm doing wrong.

And, as far as confusing postgres users with tomcat users, is there a problem with using the same user for both? I kind of thought that was the point. When I create a user, they can use the same username and password to access tomcat web apps that they use to connect to the database.

Thanks for the pointers on security. Both Tomcat and Postgres are on the same server. I'm also planning on using HTTPS, but apache will handle that part. I think it will work something like this:

1. user types username and password (clear-text) into form
2. web browser encrypts everything and sends it to web server (https)
3. apache decrypts everything and passes it onto tomcat
4. tomcat makes a MD5 form of the given password
5. tomcat compares this with the MD5 password taken from the database

Does that sound right?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Yeah, looks like you almost have it. The MD5'd password should be in pg_shadow in the userCredCol, passwd in this case.

Be advised that you should either use only HTTPS for this, or run Tomcat on the same server as Postgres, or run them both on a secure net behind a firewall on separate machines to prevent your Postgres database from being compromised. MD5 really only prevents snoops on your server from being able to easily read the passwords in pg_shadow.

Rick

- Original Message -

* Rob Abernethy IV [EMAIL PROTECTED] [0154 21:54]:

OK. I was able to get clear-text passwords to work, but I still can't get encrypted passwords to work. Using MD5 encryption, Tomcat is able to successfully open a connection to the database using the JDBCRealm set up in the server.xml, but it is unable to authenticate users for the admin web app. I am using the same username and password (username = tomcat, password = tomcat) for both the JDBCRealm and the admin web app.

JDBCRealm:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
           connectionName="abernethy" connectionPassword="gceIlu4DaR"
           userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
           userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:

     usename | passwd
    ---------+-------------------------------------
     tomcat  | md5efcc1c51a80be13b59cdb96d758a0184

You are confusing postgres usernames/passwords with the ones you want in the tables. Tomcat connects to the database as user connectionName, password connectionPassword and looks up http authentication users and passwords in userTable and userRoleTable. It looks from your post like you have that backwards (pg_shadow holds postgres users, not users for your apps).

postgresql log (for admin web app authentication):

    Jan 7 16:43:34 bilbo postgres[4329]: [9] LOG: query: SELECT passwd FROM pg_shadow WHERE usename = 'tomcat'
    Jan 7 16:43:34 bilbo postgres[4329]: [10] LOG: duration: 0.001636 sec

catalina_log.2003-01-07.txt:

    2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

-- Rasputin :: Jack of All Trades - Master of Nuns
Re: JDBCRealm
OK. I was able to get clear-text passwords to work, but I still can't get encrypted passwords to work. Using MD5 encryption, Tomcat is able to successfully open a connection to the database using the JDBCRealm set up in the server.xml, but it is unable to authenticate users for the admin web app. I am using the same username and password (username = tomcat, password = tomcat) for both the JDBCRealm and the admin web app.

JDBCRealm:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
           connectionName="abernethy" connectionPassword="gceIlu4DaR"
           userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
           userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:

     usename | passwd
    ---------+-------------------------------------
     tomcat  | md5efcc1c51a80be13b59cdb96d758a0184

pg_groupview:

     grosysid | groname | usesysid | usename
    ----------+---------+----------+---------
          101 | admin   |      102 | tomcat
          100 | manager |      102 | tomcat

postgresql log (for Tomcat start up):

    Jan 7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
    Jan 7 16:41:25 bilbo postgres[4329]: [1] LOG: connection received: host=24.208.224.236 port=33234
    Jan 7 16:41:25 bilbo postgres[4329]: [2] LOG: connection authorized: user=tomcat database=template1
    Jan 7 16:41:25 bilbo postgres[4329]: [3-1] LOG: query: set datestyle to 'ISO'; select version(), case when pg_encoding_to_char(1) = 'SQL_ASCII' then 'UNKNOWN' else
    Jan 7 16:41:25 bilbo postgres[4329]: [3-2] getdatabaseencoding() end;
    Jan 7 16:41:25 bilbo postgres[4329]: [4] LOG: duration: 0.028513 sec
    Jan 7 16:41:25 bilbo postgres[4329]: [5] LOG: query: set client_encoding = 'UNICODE'; show autocommit
    Jan 7 16:41:25 bilbo postgres[4329]: [6] LOG: duration: 0.000260 sec
    Jan 7 16:41:25 bilbo postgres[4329]: [7] LOG: query: set autocommit = off;
    Jan 7 16:41:25 bilbo postgres[4329]: [8] LOG: duration: 0.000198 sec

postgresql log (for admin web app authentication):

    Jan 7 16:43:34 bilbo postgres[4329]: [9] LOG: query: SELECT passwd FROM pg_shadow WHERE usename = 'tomcat'
    Jan 7 16:43:34 bilbo postgres[4329]: [10] LOG: duration: 0.001636 sec

catalina_log.2003-01-07.txt:

    2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

Any more ideas?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Hi Rob,

You have two separate sets of usernames and passwords here. One that the JDBC driver uses to open the database connection, and another set that Tomcat reads from a database table and compares to what you type in when prompted.

The realm stuff sets up when Tomcat starts, but it just sits there until you try to get a JSP page that a webapp has designated in its web.xml to be restricted. When that happens, Tomcat will get your browser to generate a login dialog box, or will run your login page if you use form based authentication. Tomcat will then take the username and password that it gets from that and generate an SQL statement to select the password column of the userTable (pg_shadow in your case) in the row where the username is equal to whatever you typed into the login box. It uses the connection opened to your user/password table when Tomcat started and set up the realm using the driver, database name, usernames and passwords that you supplied in the server.xml realm entry.

Tomcat then takes the password string that is returned and compares it to what you typed in as a password. If you have MD5 enabled it converts the password string you typed in to its MD5 form before comparing it to what it pulls from the database. In this case you have to convert the password string to its MD5 format before you store it in the Postgres database.

It looks like you have stuff set up properly, it also looks like the username tomcat and password tomcat are getting you into the database OK. Since you are not able to log in to webapps that require no role, it looks like the username or password that you are typing in when you try to log in is not matching what tomcat is getting from Postgres from the table pg_shadow in the usename and passwd fields, respectively.

If there were some kind of error, with debug=99 your logs would have a lot of error info, particularly if there were some SQL error. I don't know what kind of logging Postgres has but you should see a successful SQL statement handled by Postgres in the log at the time you try to authenticate, even if authentication fails. If so, what you are typing in for username/password just isn't matching what's in the database, or more precisely what the JDBC driver is returning from the database. This could be a character set or case sensitivity issue with the JDBC driver you are using.

This does work, believe it or not. I've been using it for months with the Firebird
Re: JDBCRealm
The connectionName and connectionPassword should be tomcat and tomcat. The other name/password is left over from my clear-text attempts.

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

OK. I was able to get clear-text passwords to work, but I still can't get encrypted passwords to work. Using MD5 encryption, Tomcat is able to successfully open a connection to the database using the JDBCRealm set up in the server.xml, but it is unable to authenticate users for the admin web app. I am using the same username and password (username = tomcat, password = tomcat) for both the JDBCRealm and the admin web app.

JDBCRealm:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
           connectionName="abernethy" connectionPassword="gceIlu4DaR"
           userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
           userRoleTable="pg_groupview" roleNameCol="groname"
           digest="MD5" />

pg_shadow:

     usename | passwd
    ---------+-------------------------------------
     tomcat  | md5efcc1c51a80be13b59cdb96d758a0184

pg_groupview:

     grosysid | groname | usesysid | usename
    ----------+---------+----------+---------
          101 | admin   |      102 | tomcat
          100 | manager |      102 | tomcat

postgresql log (for Tomcat start up):

    Jan 7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
    Jan 7 16:41:25 bilbo postgres[4329]: [1] LOG: connection received: host=24.208.224.236 port=33234
    Jan 7 16:41:25 bilbo postgres[4329]: [2] LOG: connection authorized: user=tomcat database=template1
    Jan 7 16:41:25 bilbo postgres[4329]: [3-1] LOG: query: set datestyle to 'ISO'; select version(), case when pg_encoding_to_char(1) = 'SQL_ASCII' then 'UNKNOWN' else
    Jan 7 16:41:25 bilbo postgres[4329]: [3-2] getdatabaseencoding() end;
    Jan 7 16:41:25 bilbo postgres[4329]: [4] LOG: duration: 0.028513 sec
    Jan 7 16:41:25 bilbo postgres[4329]: [5] LOG: query: set client_encoding = 'UNICODE'; show autocommit
    Jan 7 16:41:25 bilbo postgres[4329]: [6] LOG: duration: 0.000260 sec
    Jan 7 16:41:25 bilbo postgres[4329]: [7] LOG: query: set autocommit = off;
    Jan 7 16:41:25 bilbo postgres[4329]: [8] LOG: duration: 0.000198 sec

postgresql log (for admin web app authentication):

    Jan 7 16:43:34 bilbo postgres[4329]: [9] LOG: query: SELECT passwd FROM pg_shadow WHERE usename = 'tomcat'
    Jan 7 16:43:34 bilbo postgres[4329]: [10] LOG: duration: 0.001636 sec

catalina_log.2003-01-07.txt:

    2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

Any more ideas?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Hi Rob,

You have two separate sets of usernames and passwords here. One that the JDBC driver uses to open the database connection, and another set that Tomcat reads from a database table and compares to what you type in when prompted.

The realm stuff sets up when Tomcat starts, but it just sits there until you try to get a JSP page that a webapp has designated in its web.xml to be restricted. When that happens, Tomcat will get your browser to generate a login dialog box, or will run your login page if you use form based authentication. Tomcat will then take the username and password that it gets from that and generate an SQL statement to select the password column of the userTable (pg_shadow in your case) in the row where the username is equal to whatever you typed into the login box. It uses the connection opened to your user/password table when Tomcat started and set up the realm using the driver, database name, usernames and passwords that you supplied in the server.xml realm entry.

Tomcat then takes the password string that is returned and compares it to what you typed in as a password. If you have MD5 enabled it converts the password string you typed in to its MD5 form before comparing it to what it pulls from the database. In this case you have to convert the password string to its MD5 format before you store it in the Postgres database.

It looks like you have stuff set up properly, it also looks like the username tomcat and password tomcat are getting you into the database OK. Since you are not able to log in to webapps that require no role, it looks like the username or password that you are typing in when you try to log in is not matching what tomcat is getting from Postgres from the table pg_shadow in the usename and passwd fields, respectively.

If there were some kind of error, with debug=99 your logs would have a lot of error info, particularly if there were some SQL error. I don't know what kind of logging Postgres has but you should see a successful SQL statement handled by Postgres in the log at the time you try to authenticate, even if authentication fails. If so, what you are typing in for username/password just isn't
Re: JDBCRealm
Does Tomcat process the JDBC Realm on start up, or only when a web app asks for authentication? I seem to recall that I was unable to start Tomcat if the realm was not configured correctly. Also, I see a postgres process (see below) which indicates a connection to the database. The process shows 'tomcat' because that is the *user name* I am using in the realm configuration. The column names are correct (postgres uses 'usename' not 'username'). The tomcat user has the correct privilages on the necessary tables. I have written a simple Java program that is able to connect and display data from pg_shadow and pg_groupview. This program uses the same JDBC driver, connection URL, user name (tomcat), and password. I have created my own web app (thinking the admin or manager web apps might be the problem), but it is also unable to authenticate users. Any other ideas? I am using the JPackage RPM - could that have anything to do with it? How about the JPackage RPM for xerces-J2? I know they have had problems with xerces before (unable to view example web apps). -- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460 Hi Rob, Ok, I tried cleartext passwords, but I came up with the same result. I don't understand why tomcat is able to start up at all, if the authentication is failing. Users are authenticated not Tomcat, so starting Tomcat has nothing to do with authentication. Tomcat is just a Java program. When a user tries to access a web app Tomcat will authenticate that user if that web app's web.xml file tells it to. The manager app is set up to require authentication . The web.xml file for admin is in CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how it is set up there. If you want to authenticate users for your own web apps, set up their web.xml security roles in a similar fashion. 
When I run 'ps' after starting up tomcat, I see this process:

40 S postgres 2825 2758 0 75 0- 2431 schedu 18:12 pts/0 00:00:00 postgres: tomcat template1 24.208.224.236 idle in transaction

Seeing this makes me believe that Tomcat is correctly connecting to the database at startup. Is this true? If so, why can't the admin or manager apps authenticate? They are using the same Realm (it's nested inside the Engine tag) and I'm supplying the same username and password.

A couple of other things you can check: Should userNameCol=usename be userNameCol=username ? Can you access Postgres data from that file in your web apps using that driver and username/password? You should be able to write a simple program to read the role names from the database. Within Postgres have you granted select privileges to the database table in template1 to the user tomcat in the tables pg_shadow and pg_groupview? Can you use a db browser tool to log in as tomcat and execute an SQL command like:

SELECT groname FROM pg_groupview WHERE usename = 'tomcat';

Rick

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Hi Rob,

Try it in clear text without the MD5 digest, to verify that your password, username, role, etc. are correct. I had a lot of problems with digesting. Also some databases return column names in upper case even if they are in lower case so you may want to try all caps on your db column names. I think you would get a different error message if this was the case, though.

Rick

- Original Message -

I'm trying to set up a JDBCRealm for use with the admin and manager webapps. The problem is that I am unable to authenticate any users.
- Tomcat 4.1.18
- Postgresql 7.3.1
- JDBC driver is in $CATALINA_HOME/common/lib
- Tomcat starts up fine, I just can't authenticate
- I can directly connect to my database with the username and password
- I have created the 'admin' and 'manager' groups in the database
- I have added the users to both groups

Realm:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       debug="99"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
       connectionName="tomcat"
       connectionPassword="tomcat"
       userTable="pg_shadow"
       userNameCol="usename"
       userCredCol="passwd"
       userRoleTable="pg_groupview"
       roleNameCol="groname"
       digest="MD5" />

Log:

2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

Any ideas?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

-- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
JDBCRealm
I'm trying to set up a JDBCRealm for use with the admin and manager webapps. The problem is that I am unable to authenticate any users.

- Tomcat 4.1.18
- Postgresql 7.3.1
- JDBC driver is in $CATALINA_HOME/common/lib
- Tomcat starts up fine, I just can't authenticate
- I can directly connect to my database with the username and password
- I have created the 'admin' and 'manager' groups in the database
- I have added the users to both groups

Realm:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       debug="99"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
       connectionName="tomcat"
       connectionPassword="tomcat"
       userTable="pg_shadow"
       userNameCol="usename"
       userCredCol="passwd"
       userRoleTable="pg_groupview"
       roleNameCol="groname"
       digest="MD5" />

Log:

2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

Any ideas?

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460
Re: JDBCRealm
Ok, I tried cleartext passwords, but I came up with the same result. I don't understand why tomcat is able to start up at all, if the authentication is failing. When I run 'ps' after starting up tomcat, I see this process:

40 S postgres 2825 2758 0 75 0- 2431 schedu 18:12 pts/0 00:00:00 postgres: tomcat template1 24.208.224.236 idle in transaction

Seeing this makes me believe that Tomcat is correctly connecting to the database at startup. Is this true? If so, why can't the admin or manager apps authenticate? They are using the same Realm (it's nested inside the Engine tag) and I'm supplying the same username and password.

-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460

Hi Rob,

Try it in clear text without the MD5 digest, to verify that your password, username, role, etc. are correct. I had a lot of problems with digesting. Also some databases return column names in upper case even if they are in lower case so you may want to try all caps on your db column names. I think you would get a different error message if this was the case, though.

Rick

- Original Message -

I'm trying to set up a JDBCRealm for use with the admin and manager webapps. The problem is that I am unable to authenticate any users.

- Tomcat 4.1.18
- Postgresql 7.3.1
- JDBC driver is in $CATALINA_HOME/common/lib
- Tomcat starts up fine, I just can't authenticate
- I can directly connect to my database with the username and password
- I have created the 'admin' and 'manager' groups in the database
- I have added the users to both groups

Realm:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       debug="99"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
       connectionName="tomcat"
       connectionPassword="tomcat"
       userTable="pg_shadow"
       userNameCol="usename"
       userCredCol="passwd"
       userRoleTable="pg_groupview"
       roleNameCol="groname"
       digest="MD5" />

Log:

2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated

Any ideas?
-- Robert Abernethy IV Dynamic Edge, Inc. 734.975.0460
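
Why the realm configuration in this thread cannot match a pg_shadow row, as an added example that is not part of the original messages: with digest=MD5 the realm hashes only the typed password, while the follow-up in this thread found that Postgres stores 'md5' plus the MD5 of the password salted with the user name. The function names and sample rows are constructed for illustration; the trailing-space case reflects the CHAR versus VARCHAR point raised in the thread.

```python
import hashlib


def realm_digest(password: str) -> str:
    """Hex MD5 of the typed password alone, which is what a realm
    configured with digest=MD5 compares against userCredCol."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pg_shadow_passwd(username: str, password: str) -> str:
    """pg_shadow.passwd as described in the thread: 'md5' followed by the
    MD5 of the password salted with the user name. PostgreSQL hashes the
    password followed by the user name; for the thread's tomcat/tomcat
    account either order gives 'tomcattomcat'."""
    salted = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(salted).hexdigest()


def diagnose(stored: str, username: str, typed: str) -> str:
    """Report which scheme, if any, relates a stored credential to the
    password the user typed."""
    trimmed = stored.rstrip(" ")  # CHAR(n) columns pad with spaces
    prefix = "padded:" if trimmed != stored else ""
    if trimmed == typed:
        return prefix + "cleartext"
    if trimmed.lower() == realm_digest(typed):
        return prefix + "realm-digest"      # digest=MD5 would match
    if trimmed == pg_shadow_passwd(username, typed):
        return prefix + "postgres-salted"   # digest=MD5 can never match
    return prefix + "unknown"


if __name__ == "__main__":
    user, typed = "tomcat", "tomcat"
    # Constructed sample credential values, one per storage scheme.
    rows = {
        "cleartext column": "tomcat",
        "MD5 column written for the realm": realm_digest(typed),
        "same, read from a CHAR(40) column": realm_digest(typed).ljust(40),
        "pg_shadow.passwd": pg_shadow_passwd(user, typed),
    }
    for label, stored in rows.items():
        print(f"{label:36} -> {diagnose(stored, user, typed)}")
```

A row reported as postgres-salted means the credential column was written by Postgres itself, so the realm needs a separate user table whose digests are produced the way the realm computes them.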