I feel like I sailed off the edge of the known universe, because there isn't
much documentation for form-based authentication using JDBC realms (at
least, none that I could find, beyond the short JDBCRealm.howto included in
the Tomcat docs).
I am using Windows NT Server 4sp6 with JDK1.3 and Tomcat 3.2.1.
I made the following changes to server.xml:
    <!-- <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm"
         debug="0" /> -->
    <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
        debug="99"
        driverName="org.gjt.mm.mysql.Driver"
        connectionURL="jdbc:mysql://blahblah.com:3306/database"
        connectionName="secret"
        connectionPassword="secret"
        userTable="Users" userNameCol="userId" userCredCol="userPassword"
        userRoleTable="UserPriv" roleNameCol="privLevel" />
The database tables exist, exactly as shown in <RequestInterceptor>, since
MySQL is case-sensitive w.r.t. table names.
Here is a piece of my web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>developer</web-resource-name>
            <url-pattern>/pwAdmin/*</url-pattern>
            <url-pattern>/pwModerator/*</url-pattern>
            <url-pattern>/pwNormal/*</url-pattern>
            <url-pattern>/pwPortal/*</url-pattern>
            <url-pattern>/pwTest/*</url-pattern>
            <http-method>get</http-method>
            <http-method>post</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>developer</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JDBC</realm-name>
        <form-login-config>
            <form-login-page>/index.html</form-login-page>
            <form-error-page>/register.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>developer</role-name>
    </security-role>
Here is the authentication form:
    <form method="POST" action="j_security_check">
        Login id: <input type="text" name="j_username" size="8" class=formStyle><br>
        Password: <input type="password" name="j_password" size="8" class=formStyle><br>
        <input type="submit" value=" Log In " name="LogIn" class=formStyle>
    </form>
When I press the submit button, I get the following error:
HTTP 404 - File not found
The URL reported is http://localhost:8080/j_security_check
Somehow the form action is not being picked up by the Tomcat security
mechanism. What have I missed?
A few more questions:
- If I omit <transport-guarantee>, does it default to NONE?
- Is it possible to use * for <http-method> to specify that all HTTP
methods are to be subject to security?
- I would like to use a numeric column in the database to store the user
authentication level, rather than a text string. Can the JDBC realm be set
up to work this way?
- I found very little documentation regarding form-based authentication
using JDBC realms. Can you point me to some more?
... thanks
Mike
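
The two descriptor questions above (<http-method> and <transport-guarantee>) can be checked mechanically. The following is an added example, not part of the original post or of Tomcat: a small audit of a web.xml string, assuming Servlet-specification semantics (a collection with no <http-method> covers all methods; a missing <transport-guarantee> is treated as NONE). The function name, finding codes, and the trimmed sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post, trimmed and wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>developer</web-resource-name>
      <url-pattern>/pwAdmin/*</url-pattern>
      <http-method>get</http-method>
      <http-method>post</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>developer</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

STANDARD_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"}

def audit(web_xml):
    """Return a list of (code, detail) findings for a web.xml string (hypothetical helper)."""
    root = ET.fromstring(web_xml)
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no role requirement on this constraint, nothing to bypass
        for wrc in sc.iter("web-resource-collection"):
            name = (wrc.findtext("web-resource-name") or "?").strip()
            listed = [m.text.strip() for m in wrc.iter("http-method") if m.text]
            if listed:  # assumption: no <http-method> at all covers every method
                missing = sorted(STANDARD_METHODS - {m.upper() for m in listed})
                findings.append(("UNCOVERED_METHODS", f"{name}: {', '.join(missing)}"))
                odd = [m for m in listed if m != m.upper()]
                if odd:  # HTTP method tokens are case-sensitive on the wire
                    findings.append(("METHOD_CASE", f"{name}: {', '.join(odd)}"))
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if tg == "NONE" and auth in ("FORM", "BASIC"):
            # j_username / j_password would cross the network unencrypted
            findings.append(("CLEARTEXT_LOGIN", f"{auth} login, transport-guarantee {tg}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(WEB_XML):
        print(code, detail)
```

A descriptor that lists no <http-method> elements and sets the transport guarantee to CONFIDENTIAL produces no findings from this check.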