OK. I was able to get clear-text passwords to work, but I still can't get
encrypted passwords to work. Using MD5 encryption, Tomcat is able to
successfully open a connection to the database using the JDBCRealm set up in
the server.xml, but it is unable to authenticate users for the admin web app.
I am using the same username and password (username = "tomcat", password =
"tomcat") for both the JDBCRealm and the admin web app.
JDBCRealm:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="org.postgresql.Driver"
connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
connectionName="abernethy" connectionPassword="gceIlu4DaR"
userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
userRoleTable="pg_groupview" roleNameCol="groname"
digest="MD5" />
pg_shadow:
usename | passwd
-------------------------
tomcat | md5efcc1c51a80be13b59cdb96d758a0184
pg_groupview:
grosysid | groname | usesysid | usename
----------+---------+----------+-----------
101 | admin | 102 | tomcat
100 | manager | 102 | tomcat
postgresql log (for Tomcat start up):
Jan 7 16:41:17 bilbo tomcat4: dtomcat4 startup succeeded
Jan 7 16:41:25 bilbo postgres[4329]: [1] LOG: connection received: host=24.208.224.236 port=33234
Jan 7 16:41:25 bilbo postgres[4329]: [2] LOG: connection authorized: user=tomcat database=template1
Jan 7 16:41:25 bilbo postgres[4329]: [3-1] LOG: query: set datestyle to 'ISO'; select version(), case when pg_encoding_to_char(1) = 'SQL_ASCII' then 'UNKNOWN' else
Jan 7 16:41:25 bilbo postgres[4329]: [3-2] getdatabaseencoding() end;
Jan 7 16:41:25 bilbo postgres[4329]: [4] LOG: duration: 0.028513 sec
Jan 7 16:41:25 bilbo postgres[4329]: [5] LOG: query: set client_encoding = 'UNICODE'; show autocommit
Jan 7 16:41:25 bilbo postgres[4329]: [6] LOG: duration: 0.000260 sec
Jan 7 16:41:25 bilbo postgres[4329]: [7] LOG: query: set autocommit = off;
Jan 7 16:41:25 bilbo postgres[4329]: [8] LOG: duration: 0.000198 sec
postgresql log (for admin web app authentication):
Jan 7 16:43:34 bilbo postgres[4329]: [9] LOG: query: SELECT passwd FROM pg_shadow WHERE usename = 'tomcat'
Jan 7 16:43:34 bilbo postgres[4329]: [10] LOG: duration: 0.001636 sec
catalina_log.2003-01-07.txt:
2003-01-07 16:43:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated
Any more ideas?
--
Robert Abernethy IV
Dynamic Edge, Inc.
734.975.0460
> Hi Rob,
>
> You have two separate sets of usernames and passwords here. One
> that the JDBC driver uses to open the database connection, and
> another set that Tomcat reads from a database table and compares to
> what you type in when prompted.
>
> The realm stuff sets up when Tomcat starts, but it just sits there
> until you try to get a JSP page that a webapp has designated in its
> web.xml to be restricted.
>
> When that happens, Tomcat will get your browser to generate a login dialog
> box, or will run your login page if you use form based authentication.
>
> Tomcat will then take the username and password that it gets from
> that and generate an SQL statement to select the password column of
> the userTable ("pg_shadow" in your case) in the row where the username
> is equal to whatever you typed into the login box.
>
> It uses the connection opened to your user/password table when Tomcat
> started and set up the realm using the driver, database name,
> usernames and passwords that you supplied in the server.xml realm entry.
>
> Tomcat then takes the password string that is returned and compares
> it to what you typed in as a password.
>
> If you have MD5 enabled it converts the password string you typed in
> to its MD5 form before comparing it to what it pulls from the
> database. In this case you have to convert the password string to
> its MD5 format before you store it in the Postgres database.
>
> It looks like you have stuff set up properly, it also looks like the
> username "tomcat" and password "tomcat" are getting you into the database
> OK.
>
> Since you are not able to log in to webapps that require no role, it
> looks like the username or password that you are typing in when you
> try to log in is not matching what Tomcat is getting from Postgres
> from the table "pg_shadow" in the "usename" and "passwd" fields, respectively.
>
> If there were some kind of error, with debug=99 your logs would have
> a lot of error info, particularly if there were some SQL error.
>
> I don't know what kind of logging Postgres has but you should see a
> successful SQL statement handled by Postgres in the log at the time
> you try to authenticate, even if authentication fails.
>
> If so, what you are typing in for username/password just isn't matching
> what's in the database, or more precisely what the JDBC driver is returning
> from the database.
>
> This could be a character set or case sensitivity issue with the
> JDBC driver you are using.
>
> This does work, believe it or not. I've been using it for months
> with the Firebird open source SQL database and various versions of
> Tomcat 4.1.X.
>
> Rick
>
> ----- Original Message -----
>
> > Does Tomcat process the JDBC Realm on start up, or only when a web app
> > asks for authentication? I seem to recall that I was unable to start
> > Tomcat if the realm was not configured correctly. Also, I see a postgres
> > process (see below) which indicates a connection to the database. The
> > process shows 'tomcat' because that is the *user name* I am using in the
> > realm configuration.
> >
> > The column names are correct (postgres uses 'usename' not 'username').
> >
> > The "tomcat" user has the correct privileges on the necessary tables.
> >
> > I have written a simple Java program that is able to connect and display
> > data from pg_shadow and pg_groupview. This program uses the same JDBC
> > driver, connection URL, user name ("tomcat"), and password.
> >
> > I have created my own web app (thinking the admin or manager web apps
> > might be the problem), but it is also unable to authenticate users.
> >
> > Any other ideas? I am using the JPackage RPM - could that have anything
> > to do with it? How about the JPackage RPM for xerces-J2? I know they have
> > had problems with xerces before (unable to view example web apps).
> >
> > --
> > Robert Abernethy IV
> > Dynamic Edge, Inc.
> > 734.975.0460
> >
> > > Hi Rob,
> > >
> > > > Ok, I tried cleartext passwords, but I came up with the same result. I
> > > > don't understand why tomcat is able to start up at all, if the
> > > > authentication is failing.
> > >
> > > Users are authenticated not Tomcat, so starting Tomcat has nothing
> > > to do with authentication. Tomcat is just a Java program.
> > >
> > > When a user tries to access a web app Tomcat will authenticate that
> > > user if that web app's web.xml file tells it to. The manager app is
> > > set up to require authentication.
> > >
> > > The web.xml file for admin is in
> > > CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml, you can see how
> > > it is set up there. If you want to authenticate users for your own
> > > web apps, set up their web.xml security roles in a similar fashion.
> > >
> > > > When I run 'ps' after starting up tomcat, I see this process:
> > > >
> > > > 40 S postgres 2825 2758 0 75 0 - 2431 schedu 18:12 pts/0 00:00:00 postgres: tomcat template1 24.208.224.236 idle in transaction
> > > >
> > > > Seeing this makes me believe that Tomcat is correctly connecting to
> > > > the database at startup. Is this true? If so, why can't the admin or
> > > > manager apps authenticate? They are using the same Realm (it's nested
> > > > inside the <Engine> tag) and I'm supplying the same username and password.
> > >
> > > A couple of other things you can check:
> > >
> > > Should userNameCol="usename" be userNameCol="username" ?
> > >
> > > Can you access Postgres data from that file in your web apps using that
> > > driver and username/password? You should be able to write a simple
> > > program to read the role names from the database.
> > >
> > > Within Postgres have you granted select privileges to the database
> > > table in template1 to the user tomcat in the tables pg_shadow and
> > > pg_groupview?
> > >
> > > Can you use a db browser tool to log in as tomcat and execute an SQL
> > > command like: SELECT groname FROM pg_groupview WHERE usename = 'tomcat'?
> > >
> > > Rick
> > >
> > > >
> > > > --
> > > > Robert Abernethy IV
> > > > Dynamic Edge, Inc.
> > > > 734.975.0460
> > > >
> > > > > Hi Rob,
> > > > >
> > > > > Try it in clear text without the MD5 digest, to verify that your
> > > > > password, username, role, etc are correct.
> > > > >
> > > > > I had a lot of problems with digesting.
> > > > >
> > > > > Also some databases return column names in upper case even if they
> > > > > are in lower case so you may want to try all caps on your db column
> > > > > names. I think you would get a different error message if this was
> > > > > the case, though.
> > > > >
> > > > > Rick
> > > > >
> > > > > ----- Original Message -----
> > > > >
> > > > > > > I'm trying to set up a JDBCRealm for use with the admin and
> > > > > > > manager webapps.
> > > > > > The problem is that I am unable to authenticate any users.
> > > > > >
> > > > > > - Tomcat 4.1.18
> > > > > > - Postgresql 7.3.1
> > > > > > - JDBC driver is in $CATALINA_HOME/common/lib
> > > > > > - Tomcat starts up fine, I just can't authenticate
> > > > > > > - I can directly connect to my database with the username and password
> > > > > > - I have created the 'admin' and 'manager' groups in the database
> > > > > > - I have added the users to both groups
> > > > > >
> > > > > > Realm:
> > > > > > <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > > > > > driverName="org.postgresql.Driver"
> > > > > > connectionURL="jdbc:postgresql://bilbo.dynedge.com/template1"
> > > > > > connectionName="tomcat" connectionPassword="tomcat"
> > > > > > > userTable="pg_shadow" userNameCol="usename" userCredCol="passwd"
> > > > > > userRoleTable="pg_groupview" roleNameCol="groname"
> > > > > > digest="MD5" />
> > > > > >
> > > > > > Log:
> > > > > > > 2003-01-02 12:34:34 JDBCRealm[Standalone]: Username tomcat NOT successfully authenticated
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > --
> > > > > > Robert Abernethy IV
> > > > > > Dynamic Edge, Inc.
> > > > > > 734.975.0460
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
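Added example (not part of the original messages, and not Tomcat or PostgreSQL source code): a check of the two digest formats in play in this thread. As described above, a digest="MD5" realm hashes the typed password and compares it to the column value; PostgreSQL stores MD5 passwords in pg_shadow as the literal prefix "md5" followed by the hex MD5 of the password concatenated with the user name. The function names, the UTF-8 encoding and the case-insensitive comparison are assumptions of this sketch.

```python
import hashlib

# Values from the thread: the pg_shadow row for 'tomcat' and the login typed
# into the admin web app.
STORED = "md5efcc1c51a80be13b59cdb96d758a0184"
USERNAME = "tomcat"
PASSWORD = "tomcat"


def realm_md5(password: str) -> str:
    """Hex MD5 of the password alone: the form a digest="MD5" realm
    compares against the credential column (encoding assumed UTF-8)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pg_shadow_md5(username: str, password: str) -> str:
    """PostgreSQL's stored form: 'md5' + hex MD5(password || username)."""
    salted = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(salted).hexdigest()


def diagnose(username: str, password: str, stored: str) -> dict:
    """Compare the stored column value against both digest formats."""
    computed = realm_md5(password)
    return {
        "realm_digest": computed,
        "stored": stored,
        # Lenient (case-insensitive) comparison, an assumption of this sketch.
        "realm_match": computed.lower() == stored.lower(),
        # 3-character prefix + 32 hex digits = 35 characters.
        "stored_has_pg_prefix": stored.startswith("md5") and len(stored) == 35,
        "stored_is_pg_md5_of_login": stored == pg_shadow_md5(username, password),
    }


if __name__ == "__main__":
    for key, value in diagnose(USERNAME, PASSWORD, STORED).items():
        print(f"{key:28} {value}")
```

A 32-character realm digest can never equal a 35-character value carrying the "md5" prefix, whatever the password. A separate application table filled with digests in the realm's own format avoids the mismatch and means the realm's database account does not need read access to pg_shadow.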