Ignacio:

I realize that only by accessing a protected resource should the JDBC realm
be triggered.  You might notice (in the web.xml listed below) that I
attempted to make every JSP protected, so any access to a JSP would force
authentication.  Still no luck with triggering, however.

I didn't get any response to my query, and I'm still facing the unresolved
issue.  As well, I would appreciate anyone being kind enough to answer the
extra questions I had added to the end of my original query:
 - If I omit <transport-guarantee>, does it default to NONE?
 - Is it possible to use * for <http-method> to specify that all HTTP
methods are to be subject to security?
 - I would like to use a numeric column in the database to store the user
authentication level, rather than a text string.  Can the JDBC realm be set
up to work this way, or must I subclass a new realm class?

I have a new question:
 - Another participant in this listserv mentioned that TomCat 3.2.1's JDBC
realm doesn't use connection pooling.  Any idea if TomCat 4.x will implement
this?  I want to support a high traffic site, and without using connection
pooling authentication will bog down.

Mike Slinn


From: "Ignacio J. Ortega" <[EMAIL PROTECTED]>
Subject: RE: JDBC Realm not triggering
Message-ID: <80F5674514B4D311BAFC0040F6A45EEE0EC117@ntserver>

Please revise http://localhost:8080/examples/jsp/security/protected ..

The problem is that you need to access a protected resource for FORM
auth to work, not the login form directly. In the config below you need
to access a URL of the form http://localhost:8080/context/pwAdmin/
(I don't know the exact name of the context; try substituting "context"
with the right one). After that, Tomcat tries to authenticate the user
prior to accessing the resource, showing the login form. When you
authenticate correctly, it redirects from the login page to the original
protected resource. It does not make sense to try to access the login
form directly.

Regards,
Ignacio J. Ortega

> -----Original Message-----
> From: Herchel Wojciech [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 5, 2001 8:14
> To: '[EMAIL PROTECTED]'
> Subject: ODP: JDBC Realm not triggering
>
>
> same problem here - still don't know how to solve it :(
>
> vVolf
>
>
> > -----Original Message-----
> > From: Mike Slinn [mailto:[EMAIL PROTECTED]]
> > Sent: March 2, 2001 18:59
> > To: [EMAIL PROTECTED]
> > Subject: JDBC Realm not triggering
> >
> >
> > I feel like I sailed off the edge of the known universe, because there isn't
> > much documentation for form-based authentication using JDBC realms (at
> > least, none that I could find, beyond the short JDBCRealm.howto included in
> > the TomCat docs).
> >
> > I am using Windows NT Server 4sp6 with JDK1.3 and Tomcat 3.2.1.
> >
> > I made the following changes to server.xml:
> >
> > <!-- <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm"
> >      debug="0" /> -->
> > <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
> >      debug="99"
> >      driverName="org.gjt.mm.mysql.Driver"
> >      connectionURL="jdbc:mysql://blahblah.com:3306/database"
> >      connectionName="secret"
> >      connectionPassword="secret"
> >      userTable="Users" userNameCol="userId" userCredCol="userPassword"
> >      userRoleTable="UserPriv" roleNameCol="privLevel" />
> >
> > The database tables exist, exactly as shown in <RequestInterceptor>, since
> > mySql is case-sensitive w.r.t. table names.
> >
> > Here is a piece of my web.xml:
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>developer</web-resource-name>
> >       <url-pattern>/pwAdmin/*</url-pattern>
> >       <url-pattern>/pwModerator/*</url-pattern>
> >       <url-pattern>/pwNormal/*</url-pattern>
> >       <url-pattern>/pwPortal/*</url-pattern>
> >       <url-pattern>/pwTest/*</url-pattern>
> >       <http-method>get</http-method>
> >       <http-method>post</http-method>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >       <role-name>developer</role-name>
> >     </auth-constraint>
> >
> >     <user-data-constraint>
> >       <transport-guarantee>NONE</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> >
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>JDBC</realm-name>
> >     <form-login-config>
> >       <form-login-page>/index.html</form-login-page>
> >       <form-error-page>/register.jsp</form-error-page>
> >     </form-login-config>
> >   </login-config>
> >
> >   <security-role>
> >     <role-name>developer</role-name>
> >   </security-role>
> >
> >
> > Here is the authentication form:
> > <form method="POST" action="j_security_check">
> >    Login id: <input type="text" name="j_username" size="8"
> >              class=formStyle><br>
> >    Password: <input type="password" name="j_password" size="8"
> >              class=formStyle><br>
> >              <input type="submit" value="  Log In  " name="LogIn"
> >              class=formStyle>
> > </form>
> >
> >
> > When I press the submit button, I get the following error:
> > HTTP 404 - File not found
> > The url reported is http://localhost:8080/j_security_check
> >
> > Somehow the form action is not being picked up by the TomCat security
> > mechanism.  What have I missed?
> >
> > A few more questions:
> >  - If I omit <transport-guarantee>, does it default to NONE?
> >  - Is it possible to use * for <http-method> to specify that all HTTP
> > methods are to be subject to security?
> >  - I would like to use a numeric column in the database to store the user
> > authentication level, rather than a text string.  Can the JDBC realm be set
> > up to work this way?
> >  - I found very little documentation regarding form-based authentication
> > using JDBC realms. Can you point me to some more?
> >
> > ... thanks
> > Mikecx
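
An added example, not part of the original thread and not Tomcat's own code: a small Python check of the web.xml security section quoted above. It reports whether a context-relative path falls under a <security-constraint> (and so would trigger the FORM login Ignacio describes) and flags the listed <http-method> elements and the non-CONFIDENTIAL transport guarantee. The trimmed WEB_XML sample and the function names are constructed for illustration, and the parser assumes a descriptor without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the web.xml section quoted in the
# thread, wrapped in a <web-app> root so it parses on its own.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/pwAdmin/*</url-pattern>
      <url-pattern>/pwTest/*</url-pattern>
      <http-method>get</http-method>
      <http-method>post</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>developer</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/index.html</form-login-page>
      <form-error-page>/register.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern match: '/dir/*' prefix, '*.ext' suffix, else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def audit(xml_text, path):
    """Return (path_is_protected, findings) for a context-relative path."""
    root = ET.fromstring(xml_text)
    form = (root.findtext(".//auth-method") or "").strip() == "FORM"
    protected, findings = False, []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        methods = [m.text.strip() for m in sc.iter("http-method")]
        guarantee = (sc.findtext(".//transport-guarantee") or "").strip()
        protected = protected or any(matches(p, path) for p in patterns)
        if methods:  # a constraint that lists methods applies only to those
            findings.append("constraint lists %s; other methods are not covered" % methods)
        if form and guarantee != "CONFIDENTIAL":
            findings.append("FORM login without CONFIDENTIAL transport guarantee")
    return protected, findings
```

Calling `audit(WEB_XML, "/index.html")` reports the login page as unprotected, while `audit(WEB_XML, "/pwAdmin/")` reports a protected path.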

