On 09/23/2003 04:43 PM Laurent Perez wrote:
Hello
I am trying to protect a webapp I wrote using a JDBCRealm, but it doesn't seem to work as expected. I am using Tomcat 4.1.27 and PostgreSQL 7.3.2, with the latest JDBC driver in $tomcat/common/lib.
My realm is described as follows, in $tomcat/conf/server.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           debug="99"
           driverName="org.postgresql.Driver"
           digest="md5"
           connectionURL="jdbc:postgresql://127.0.0.1/mydb"
           connectionName="mylogin"
           connectionPassword="mypass"
           userTable="pg_shadow"
           userNameCol="usename"
           userCredCol="passwd"
           userRoleTable="named_roles"
           roleNameCol="role" />

When I start Tomcat, I can see it connecting and idling to mydb, so the JDBC driver works. Also, 'mylogin' has read access on named_roles.
My webapp is called 'test' and located within $tomcat/webapps/; its WEB-INF/web.xml is as follows:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
    <web-app>
      <security-constraint>
        <web-ressource-collection>
          <web-ressource-name>test</web-ressource-name>
          <url-pattern>/*</url-pattern>
        </web-ressource-collection>
        <auth-constraint>
          <role-name>myrole</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test</realm-name>
      </login-config>
      <security-role>
        <role-name>myrole</role-name>
      </security-role>
    </web-app>

The 'myrole' role is defined in my named_roles table, and I have several users under that role. I did add <security-role> tags because Tomcat would warn me about 'myrole' not being within <security-role> tags on startup.
Now when I try to access http://localhost:8080/test, no authentication window pops up and I can access it freely, which shouldn't be correct (?). When I look at the logs, I can see:
2003-09-23 14:14:52 ContextConfig[/test]: Configured an authenticator for method BASIC
2003-09-23 14:14:52 StandardManager[/test]: Seeding random number generator class java.security.SecureRandom
2003-09-23 14:14:52 StandardManager[/test]: Seeding of random number generator has been completed
If the BASIC auth method is activated, why isn't my browser showing an auth window? :-/
Also, I know Postgres doesn't store md5 password files like md5_func(password), but instead md5_func(password+login). Will it cause problems with Tomcat's digest=md5 behaviour?
Thanks for any help
Laurent Perez
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.1 + tomcat 4.1.27 + java 1.4.2 Linux 2.4.20 RH9
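
A lint for the web.xml quoted above, as an added example that is not part of the original message: it checks the child element names of each <security-constraint> against the Servlet 2.2 DTD and reports which URL patterns actually end up protected. It assumes a container that does not validate web.xml skips element names it does not recognise; POSTED is a constructed copy of the posted constraint, and lint_constraints is a name chosen here.

```python
import xml.etree.ElementTree as ET

# Child element names the Servlet 2.2 web-app DTD allows at each level.
ALLOWED = {
    "security-constraint": {"web-resource-collection", "auth-constraint",
                            "user-data-constraint"},
    "web-resource-collection": {"web-resource-name", "description",
                                "url-pattern", "http-method"},
}

# Constructed sample: the constraint from the message above, spelling kept.
POSTED = """<web-app>
  <security-constraint>
    <web-ressource-collection>
      <web-ressource-name>test</web-ressource-name>
      <url-pattern>/*</url-pattern>
    </web-ressource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def lint_constraints(web_xml):
    """Return (protected_patterns, findings) for a web.xml document string."""
    root = ET.fromstring(web_xml)
    protected, findings = [], []
    for n, sc in enumerate(root.iter("security-constraint"), 1):
        # Check the constraint itself and every correctly named collection.
        for parent in [sc] + sc.findall("web-resource-collection"):
            for child in parent:
                if child.tag not in ALLOWED[parent.tag]:
                    findings.append(f"constraint {n}: <{child.tag}> is not a "
                                    f"valid child of <{parent.tag}>")
        patterns = [p.text.strip() for p in
                    sc.findall("web-resource-collection/url-pattern") if p.text]
        if not patterns:
            findings.append(f"constraint {n}: no url-pattern inside a "
                            "<web-resource-collection>; nothing is protected")
        protected += patterns
    return protected, findings


if __name__ == "__main__":
    patterns, problems = lint_constraints(POSTED)
    print("protected URL patterns:", patterns or "none")
    for line in problems:
        print("WARN", line)
```
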
