Hello Mark,
Thanks for pointing out my missing localDataResource property.  It is
prominent enough in the wiki, I just failed to pay close attention.
With this property, the "everything in META-INF/context.xml" configuration
worked.
Other configurations still do not work except the one I described (Resource
in conf/server.xml AND conf/context.xml, Realm in the engine element of
conf/server.xml).

This covers the deployment scenarios that I may encounter.

If someone out there is interested in pursuing the reasons why other
scenarios did not work for me, I will be happy to provide more details and
info.  Otherwise, thanks to the input of all who responded to this thread,
I am happy with the configurations that do work for me.

BTW I checked the resource-ref element and from what I gather, it provides
a level of isolation between the resource name coded in the application and
the one actually defined in configuration files, so you can change the
latter without having to recompile your app.

Finally, for those interested, here are the contents of relevant config
files in my setup with comments removed and sensitive material replaced (I
am deploying my app as ROOT.war on Tomcat 7):

My application's web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
  <display-name>MyApp</display-name>
  <welcome-file-list>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>member-access</web-resource-name>
      <url-pattern> /priv/* </url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name> site-admin </role-name>
      <role-name> admin </role-name>
      <role-name> user </role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <filter>
    <filter-name>AccessFilter</filter-name>
    <filter-class>com.mydns.filter.MyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp</form-error-page>
      <!--  <form-error-page>/fail_login.jsp</form-error-page> -->
    </form-login-config>
  </login-config>
  <security-role>
    <description> System Administrator </description>
    <role-name> site-admin </role-name>
  </security-role>
  <security-role>
    <description> Manager </description>
    <role-name> admin </role-name>
  </security-role>
  <security-role>
    <description> User </description>
    <role-name> user </role-name>
  </security-role>
 </web-app>
---------------------------------------
My app's META-INF/context.xml (if used):
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource
    name="jdbc/MyAppDB"
    type="javax.sql.DataSource"
    auth="Container"
    driverClassName="com.mysql.jdbc.Driver"
    maxActive="100"
    maxWait="10000"
    maxIdle="30"
    password="password"
    logAbandoned="true"
    username="username"
    removeAbandoned="true"
    removeAbandonedTimeout="60"
    url="jdbc:mysql://localhost:3306/databasename"
  />
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
     dataSourceName="jdbc/MyAppDB"
     userTable="users"
     userNameCol="username"
     userCredCol="password"
     userRoleTable="roles"
     roleNameCol="rolename"
     digest="digestname"
     localDataSource="true"
 />
</Context>

------------------------------------------
$CATALINA_HOME/conf/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <!--  MY RESOURCE ELEMENT GOES HERE -->
</Context>
-----------------------------------------------------

$CATALINA_HOME/conf/server.xml

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on"
            className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <GlobalNamingResources>
    <Resource
      auth="Container"
      description="User database that can be updated and saved"
      factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
      name="UserDatabase"
      pathname="conf/tomcat-users.xml"
      type="org.apache.catalina.UserDatabase"/>

    <!-- MY RESOURCE ELEMENT GOES HERE -->

  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1"
               redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <!-- MY REALM ELEMENT GOES HERE (A)-->
      </Realm>
      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b"
               prefix="localhost_access_log." suffix=".txt"/>
        <!-- MY REALM ELEMENT GOES HERE (B)-->
      </Host>
    </Engine>
  </Service>
</Server>


Thanks to all,
Aladin

On Sun, Oct 7, 2012 at 9:57 PM, Mark Eggers <its_toas...@yahoo.com> wrote:

> Comments inline.
>
> On 10/7/2012 3:31 PM, Aladin Dajani wrote:
>
>> Hello Pid,
>>
>> I cannot dismiss that there may be inaccuracies as you mentioned in your
>> response, perhaps you could help me figure them out.
>>
>> Here are the cases I tried (the first three were outlined in the wiki
>> http://wiki.apache.org/tomcat/TomcatDataSourceRealms )
>>
>> MY REALM ELEMENT:
>>          <Realm className="org.apache.catalina.realm.DataSourceRealm"
>>              dataSourceName="jdbc/MyAppDB"
>>              userTable="users"
>>              userNameCol="username"
>>              userCredCol="password"
>>              userRoleTable="roles"
>>              roleNameCol="rolename"
>>              digest="digestname"
>>          />
>>
>> MY RESOURCE ELEMENT:
>> <Resource
>>   name="jdbc/MyAppDB"
>>   type="javax.sql.DataSource"
>>   auth="Container"
>>   driverClassName="com.mysql.jdbc.Driver"
>>   maxActive="100"
>>   maxWait="10000"
>>   maxIdle="30"
>>   password="password"
>>   logAbandoned="true"
>>   username="username"
>>   removeAbandoned="true"
>>   removeAbandonedTimeout="60"
>>   url="jdbc:mysql://localhost:3306/databasename"
>> />
>>
>>
> It might be nice to have a validation query here, so you know you're
> getting a connection to the database.
>
>
>> Case 1:
>> Everything in META-INF/context.xml
>> META-INF/context.xml contains:
>>   <Context>
>>      <MY RESOURCE ELEMENT GOES HERE>
>>      <MY REALM ELEMENT GOES HERE>
>>   </Context>
>>
>>
> Please note that you are missing a localDataSource="true" in your Realm
> element of context.xml. This is required when both the Realm and the
> Resource are defined in context.xml. The Wiki mentions this, but maybe it's
> not prominent enough.
>
>> $CATALINA_HOME/conf/server.xml contains:
>>    <GlobalNamingResources>
>>      <Resource
>>        auth="Container"
>>        description="User database that can be updated and saved"
>>        factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>        name="UserDatabase"
>>        pathname="conf/tomcat-users.xml"
>>        type="org.apache.catalina.UserDatabase"/>
>>    </GlobalNamingResources>
>>
>>    and
>>    <Engine>
>>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                 resourceName="UserDatabase"/>
>>        </Realm>
>>        <Host>..</Host>
>>    </Engine>
>>
>> $CATALINA_HOME/conf.context.xml contains
>>   <Context>
>>      <WatchedResource>WEB-INF/web.xml</WatchedResource>
>>   </Context>
>>
>> Result:  Login form is presented but login fails when valid credentials
>> are used
>>
>>   $CATALINA_HOME/logs/localhos.data.log contains:
>>   Oct 7, 2012 5:05:55 PM org.apache.catalina.realm.DataSourceRealm open
>>   SEVERE: Exception performing authentication
>>   javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
>>
>>   <Note> I suspect some issue with context.xml since tomcat did not copy it
>>   to $CATALINA_HOME/conf/localhost
>>
>> =================================
>>
>> Case 2:
>>   Using GlobalNamingResources and META-INF/context.xml
>>
>>   META-INF/context.xml contains:
>>   <Context>
>>      <MY REALM ELEMENT GOES HERE>
>>   </Context>
>>
>>
>>
>> $CATALINA_HOME/conf/server.xml contains:
>>    <GlobalNamingResources>
>>      <Resource
>>          auth="Container"
>>          description="User database that can be updated and saved"
>>          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>          name="UserDatabase"
>>          pathname="conf/tomcat-users.xml"
>>          type="org.apache.catalina.UserDatabase"/>
>>
>>       <MY RESOURCE ELEMENT GOES HERE>
>>
>>    </GlobalNamingResources>
>>
>>     No changes to <Engine> or <Host> elements
>>     No change to $CATALINA_HOME/conf.context.xml
>>
>> Result:
>>   Fails.  Application's login form fails to display.
>>   tomcat7-stdout.date.log contains:
>>   Cannot get connection: javax.naming.NameNotFoundException: Name jdbc is
>>   not bound in this Context
>>
>>   <Note> I suspect some issue with context.xml since tomcat did not copy it
>>   to $CATALINA_HOME/conf/localhost
>> ================================
>>
>> Case 3:
>> Using $CATALINA_HOME/conf/server.xml only:
>>
>>   META-INF/context.xml : Does not exist.
>>
>> $CATALINA_HOME/conf/server.xml contains:
>>    <GlobalNamingResources>
>>      <Resource
>>        auth="Container"
>>        description="User database that can be updated and saved"
>>        factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>        name="UserDatabase"
>>        pathname="conf/tomcat-users.xml"
>>        type="org.apache.catalina.UserDatabase"/>
>>
>>          <MY RESOURCE ELEMENT GOES HERE>
>>    </GlobalNamingResources>
>>
>>    and
>>    <Engine>
>>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                 resourceName="UserDatabase"/>
>>
>>          <MY REALM ELEMENT GOES HERE>
>>
>>        </Realm>
>>        <Host>..</Host>
>>    </Engine>
>>
>>     No change to $CATALINA_HOME/conf.context.xml
>>
>> Result:
>>   Same as result in case #2
>>
>> ==================================
>> Case 4:
>>   Using $CATALINA_HOME/conf/server.xml only part II:
>>   Same as in case 3 above except that the REALM element goes inside the
>> <Host> element:
>>    <Engine>
>>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                 resourceName="UserDatabase"/>
>>        </Realm>
>>        <Host>
>>          <MY REALM ELEMENT GOES HERE>
>>        </Host>
>>    </Engine>
>>
>>     No change to $CATALINA_HOME/conf.context.xml
>>     META-INF/context.xml : Not used (does not exist)
>>
>> Result:
>>    Same as cases #2 and 3 above
>>
>> ======================================
>>
>> Case 5:
>>   Using $CATALINA_HOME/conf/server.xml and $CATALINA_HOME/conf/context.xml
>>   Same as in case 3 above with another copy of resource element added to
>> $CATALINA_HOME/conf/context.xml (in addition to the one in server.xml)
>>
>> $CATALINA_HOME/conf.context.xml contains
>>   <Context>
>>      <WatchedResource>WEB-INF/web.xml</WatchedResource>
>>      <MY RESOURCE ELEMENT GOES HERE>
>>   </Context>
>>
>> Result:
>> SUCCESS. Login form is presented and login succeeds when valid credentials
>> are used.
>>
>>
>> Thanks
>> Aladin
>>
>>
> I'm assuming that this is really $CATALINA_HOME/conf/context.xml.
>
> This is the global context.xml for all applications (Engines, Hosts) in
> the JVM. It's interesting that this works, but the others do not.
>
> It sounds like you're missing a resource-ref element in web.xml. I don't
> know if it's necessary in the servlet 3.0 spec (I should really read it),
> but something like this may be required.
>
>     <resource-ref>
>         <description>Your database</description>
>         <res-ref-name>jdbc/MyAppDB</res-ref-name>
>         <res-type>javax.sql.DataSource</res-type>
>         <res-auth>Container</res-auth>
>         <res-sharing-scope>Shareable</res-sharing-scope>
>     </resource-ref>
>
> Missing that usually gives the type of non-bound error messages you're
> seeing in the log files.
>
> Also, I'm wondering why your context.xml file is not being copied over to
> $CATALINA_BASE/conf/Catalina/localhost/app-name.xml (assuming localhost
> and the default Engine name).
>
> Post your complete web.xml and context.xml with any sensitive information
> obfuscated.
>
> . . . . just my two cents.
>
> /mde/
>
>> On Sun, Oct 7, 2012 at 4:35 PM, Pid <p...@pidster.com> wrote:
>>
>>> On 07/10/2012 19:40, Aladin Dajani wrote:
>>>
>>>> Thank you all for your help.  I now have DataSourceRealm based
>>>> authentication up and running with my connection pool.
>>>>
>>>> One thing I want to mention is that I was unable to make the scenarios
>>>> described in the wiki work until I duplicated the Resource definition in
>>>> both server.xml and in context.xml.
>>>>
>>>
>>> That is unlikely to be accurate unless you are using the datasource for
>>> something else.  The GlobalResources definition will be the one working.
>>>
>>> The tomcat/conf/context.xml definition will only be valid for Realms
>>> created inside the Context; and will create a separate pool for each
>>> application deployed.
>>>
>>>
>>> p
>>>
>>>
>>>> I tried several combinations as described in the wiki and outside and
>>>> this is the one that worked, for now this is what matters to me.
>>>>
>>>> Thanks....
>>>>
>>>>
>>>>
>>>> On Sun, Oct 7, 2012 at 11:33 AM, Mark Eggers <its_toas...@yahoo.com> wrote:
>>>>
>>>>> On 10/7/2012 8:22 AM, Pid * wrote:
>>>>>
>>>>>> On 7 Oct 2012, at 15:26, Aladin Dajani <aladin.daj...@gmail.com> wrote:
>>>>>>
>>>>>>> OK So I tried to use DataSourceRealm.  Seems simple enough, but I get
>>>>>>> the following exception:
>>>>>>>
>>>>>>> Oct 7, 2012 9:54:51 AM org.apache.catalina.realm.DataSourceRealm open
>>>>>>> SEVERE: Exception performing authentication
>>>>>>> javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
>>>>>>>
>>>>>>> Here is my configuration.  context.xml is unchanged from previous setup
>>>>>>> (works well for pooled database access within the app)
>>>>>>>
>>>>>>> {catalina-base}\conf\context.xml:
>>>>>>>      <Resource
>>>>>>>        name="jdbc/MyAppDB"
>>>>>>>        auth="Container"
>>>>>>>        driverClassName="com.mysql.jdbc.Driver"
>>>>>>>        logAbandoned="true"
>>>>>>>        maxActive="100"
>>>>>>>        maxIdle="30"
>>>>>>>        maxWait="10000"
>>>>>>>        password="password"
>>>>>>>        username="user"
>>>>>>>        removeAbandoned="true"
>>>>>>>        removeAbandonedTimeout="60"
>>>>>>>        type="javax.sql.DataSource"
>>>>>>>        url="jdbc:mysql://localhost:3306/databasename"
>>>>>>>      />
>>>>>>>
>>>>>>> Server.xml replaces the JDBCRealm with the DataSourceRealm as below
>>>>>>>
>>>>>>> {catalina-base}\conf\server.xml:
>>>>>>>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>>>>>>>          <Realm className="org.apache.catalina.realm.DataSourceRealm"
>>>>>>>            dataSourceName="jdbc/MyAppDB"
>>>>>>>            userTable="users"
>>>>>>>            userNameCol="username"
>>>>>>>            userCredCol="password"
>>>>>>>            userRoleTable="roles"
>>>>>>>            roleNameCol="rolename"
>>>>>>>            digest="MD5"
>>>>>>>          />
>>>>>>>        </Realm>
>>>>>>>
>>>>>>> Have I missed a configuration somewhere ?
>>>>>>>
>>>>>>>
>>>>>> Yes, define the Resource in GlobalResources in server.xml.
>>>>>>
>>>>>>
>>>>>> p
>>>>>>
>>>>>>
>>>>> Here's the Wiki document on the various combinations:
>>>>>
>>>>> http://wiki.apache.org/tomcat/TomcatDataSourceRealms
>>>>>
>>>>> /mde/
>>>>>
>>>>>
>>>>>>> Thanks.
>>>>>>> On Sun, Oct 7, 2012 at 9:36 AM, Felix Schumacher
>>>>>>> <felix.schumacher@internetallee.de> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Aladin Dajani <aladin.daj...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello List,
>>>>>>>>>
>>>>>>>>> My application is configured for JDBCRealm authentication and uses a
>>>>>>>>> MySQL database.
>>>>>>>>> For my own use inside the application, I have set up a connection pool
>>>>>>>>> to access the database.  However, the configuration of JDBCRealm in
>>>>>>>>> server.xml uses a stand-alone connection.  Since MySQL times out
>>>>>>>>> connections after 8 hours, I get the following error in tomcat logs as
>>>>>>>>> I try to log in after the connection times out:
>>>>>>>>>
>>>>>>>>> Oct 7, 2012 8:36:51 AM org.apache.catalina.realm.JDBCRealm getPassword
>>>>>>>>> SEVERE: Exception performing authentication
>>>>>>>>> com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException:
>>>>>>>>> No operations allowed after connection closed.Connection was implicitly
>>>>>>>>> closed by the driver.
>>>>>>>>>
>>>>>>>>> Users do not notice this error (I presume tomcat's JDBCRealm will
>>>>>>>>> create a new connection), but it IS disconcerting to have all these
>>>>>>>>> exceptions in tomcat logs, especially that when the server goes into
>>>>>>>>> production mode, I fear this will have adverse effects.
>>>>>>>>>
>>>>>>>>> Is it possible to have JDBCRealm use the same connection pool which my
>>>>>>>>> application uses (which is set up in tomcat's context.xml so it should
>>>>>>>>> be accessible to all applications in tomcat).
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Have a look at DatasourceRealm.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Felix
>>>>>>>>
>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> --
>>>
>>> [key:62590808]
>>>
>>>
>>>
>>
>
>
>
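
An added example, not part of any message in this thread: a small checker for the two lookup rules the replies state, namely that a DataSourceRealm resolves its dataSourceName in GlobalNamingResources unless it sits in a Context and sets localDataSource="true", in which case it resolves against the Resource entries of that Context. The function names and the reduced sample documents are constructed for illustration; the checker takes one context.xml at a time and ignores Context elements embedded in server.xml.

```python
import xml.etree.ElementTree as ET

DSR = "org.apache.catalina.realm.DataSourceRealm"

def bound_names(parent):
    """JNDI names declared by <Resource>/<ResourceLink> directly under parent."""
    if parent is None:
        return set()
    return {e.get("name") for e in parent if e.tag in ("Resource", "ResourceLink")}

def check(server_xml, context_xml=None):
    """Return one finding per DataSourceRealm whose dataSourceName cannot resolve."""
    server = ET.fromstring(server_xml)
    global_names = bound_names(server.find("GlobalNamingResources"))
    scopes = [("server.xml", server, None)]      # None: realm is not inside a Context
    if context_xml is not None:
        ctx = ET.fromstring(context_xml)
        scopes.append(("context.xml", ctx, bound_names(ctx)))
    findings = []
    for where, root, local_names in scopes:
        for realm in root.iter("Realm"):         # also reaches realms nested in LockOutRealm
            if realm.get("className") != DSR:
                continue
            name = realm.get("dataSourceName")
            local = realm.get("localDataSource", "false").lower() == "true"
            if local and local_names is None:
                findings.append(f"{where}: {name}: localDataSource needs a Realm inside a Context")
            elif local and name not in local_names:
                findings.append(f"{where}: {name}: no Resource of that name in this Context")
            elif not local and name not in global_names:
                hint = ' (add localDataSource="true"?)' if name in (local_names or ()) else ""
                findings.append(f"{where}: {name}: not in GlobalNamingResources{hint}")
    return findings

# Constructed samples, reduced from the configurations quoted in the thread.
RESOURCE = '<Resource name="jdbc/MyAppDB" type="javax.sql.DataSource" auth="Container"/>'

def realm(extra=""):
    return f'<Realm className="{DSR}" dataSourceName="jdbc/MyAppDB" {extra}/>'

SERVER_DEFAULT = "<Server><GlobalNamingResources/><Service><Engine/></Service></Server>"
SERVER_GLOBAL = (f"<Server><GlobalNamingResources>{RESOURCE}</GlobalNamingResources><Service>"
                 f"<Engine><Realm className='org.apache.catalina.realm.LockOutRealm'>{realm()}"
                 "</Realm></Engine></Service></Server>")
CASE1_AS_POSTED = f"<Context>{RESOURCE}{realm()}</Context>"
CASE1_FIXED = f"<Context>{RESOURCE}" + realm("localDataSource='true'") + "</Context>"

if __name__ == "__main__":
    for label, args in [("case 1 as posted", (SERVER_DEFAULT, CASE1_AS_POSTED)),
                        ("case 1 with localDataSource", (SERVER_DEFAULT, CASE1_FIXED)),
                        ("realm in Engine, global Resource", (SERVER_GLOBAL,))]:
        print(label, "->", check(*args) or "ok")
```
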
