I've been trying to set up JDBC Realm authentication with Tomcat. I've run into a problem when it comes to roles. The user is authenticated alright, but the roles do not seem to be taken from the database. I always get redirected to the error jsp unless I have the user and role specified in the tomcat-users.xml file.

This is the setup I have:

*** server.xml ***
<RequestInterceptor
className="org.apache.tomcat.request.JDBCRealm"
debug="99"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:oracle:thin:@testdbase:1521:TEST"
connectionName="user"
connectionPassword="pass"
userTable="security_user" userNameCol="user_id" userCredCol="user_password"
userRoleTable="security_user_role" roleNameCol="role_name" />

All the mentioned tables and columns do exist, I've checked a lot.

*** web.xml ***
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>testrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/secure/login/login.jsp</form-login-page>
<form-error-page>/secure/login/error.jsp</form-error-page>
</form-login-config>
</login-config>

As mentioned above, this doesn't work unless I also have the following in tomcat-users.xml:

<user name="me" password="" roles="testrole" />

And yes, it works without the password being in the file. This suggests to me that the username/password is being checked against the database, but the role against tomcat-users.xml. I'm using Tomcat 3.2.1 currently as a stand-alone server. Please help, I'm going crazy.

Gary.
