-----Original Message-----
From: Neven Cvetkovic [mailto:neven.cvetko...@gmail.com]
Sent: Friday, 5 September 2014 11:40 PM
To: Tomcat Users List
Subject: Re: web.xml authentication and Tomcat Realm

Hey Janusz,

On Thu, Sep 4, 2014 at 8:02 PM, Dalecki, Janusz <jdale...@tycoint.com> wrote:

> > Follow the link Chris provided. It will give you some ideas about how
> > Realms work. (Note that using JDBCRealm will give you terrible
> > performance: use a DataSourceRealm instead with a JNDI DataSource.)
> >
> > You really need to read this:
> > http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
> >
> > -chris
>
> Hi,
> Sorry, I need to explain my problem more clearly.
> I have put the JDBCRealm configuration with all details in the META-INF
> folder:
>
>   <Realm className="org.apache.catalina.realm.JDBCRealm"
>          driverName="org.postgresql.Driver"
>          connectionURL="jdbc:postgresql://localhost:5432/df_Scheduler?user=postgres&password=admin"
>          userTable="users" userNameCol="userName" userCredCol="password"
>          userRoleTable="user_roles" roleNameCol="roleName"/>

Where specifically did you put this Realm information? Is it in the YourApp.war/META-INF/context.xml file?

What this configuration means is that your users/passwords for authentication and users/roles for authorization are going to be stored in the JDBCRealm, i.e. in your Postgres database called "df_Scheduler", more specifically in your "users" table and in your "user_roles" table.

You can connect to your database and see specifically what users and roles are defined in these tables, e.g.

    psql -U postgres -W -h localhost df_Scheduler
    (prompted for password)

    SELECT userName,password FROM users;

Should give you all the users and their passwords, e.g.

    janusz / mypassword1
    john / mypassword2
    ...

    SELECT * FROM user_roles;

Should give you all users and their respective roles, one combo per row/record, e.g.

    janusz    TPA_USER
    janusz    TPA_ADMIN
    janusz    SYSADMIN
    john      TPA_USER
    ...

You need to inspect and see that the actual username/password combinations actually exist in the database.

> In my web.xml I have a login-config element and security constraint as
> follows:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Admin</web-resource-name>
>       <url-pattern>/auth/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>SYSADMIN</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-role>
>     <role-name>SYSADMIN</role-name>
>   </security-role>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <!--realm-name>Admin</realm-name-->
>   </login-config>

What this configuration in the YourApp.war/WEB-INF/web.xml file does is apply to all requests made to "/auth/*", e.g. http://blahblah/YourApp/auth/.... So, all these requests will need to know who makes the call (Authorization), and once you log in, the logged-in user needs to have the "SYSADMIN" role defined in the Realm.

Also, the login-config mandates the "BASIC" login mechanism, i.e. a window popup with username/password. So, once you make the first request, your browser will pop up an authentication window asking you for username and password; it would have said "Admin" but you commented out the <realm-name>Admin</realm-name> in the <login-config> configuration.

Once you submit username/password it will try to authenticate against whatever Realm was set up (I will get to this point later). If the username/password combination does not match, it asks again, and again, and again, until you press ESC, at which point you will get redirected to the 401 (Not Authenticated) page.

Next, if the username/password combination was successful, the user is Authenticated; next, it needs to be Authorized, i.e. it needs to be associated with the Role defined in the auth-constraint, e.g. SYSADMIN. So, whoever logged in needs to have the SYSADMIN role in order to get to the resources ("/auth/*" pages). If they don't have the required role, the server would return the 403 (Forbidden) page. If they do have the required role, the server would proceed with the request (i.e. the happy path).

> I have defined users and passwords as explained in the TOMCAT Realm
> Configuration – HOW TO.
> When I ask for a page */auth/* the user/password dialog box pops up
> and no matter what I type in the user name field and password field it
> pops up again forever.
> What am I doing wrong?

Now, there are two things that could be the reason for the behaviour you described:

(1) The realm defined for this application is ignored or not set up properly. The easiest test would be to change the password, restart the server and try logging in again. See if the console/logfile shows any errors. If it does, you will know your Realm configuration is being read. (That's a good thing, you know your configuration is being read!) If you don't observe any errors, and you get the same type of behaviour, that means your realm configuration is being ignored, and you are using the default realm as defined in the TOMCAT_HOME/conf/server.xml file, e.g. org.apache.catalina.realm.UserDatabaseRealm with the defined resource "UserDatabase". The out-of-the-box Tomcat Realm configuration uses the conf/tomcat-users.xml file that defines users, passwords and associated roles. I tend to call that the "poor man's security realm", as most enterprises are using more sophisticated identity management systems (LDAP servers, Active Directory, etc.).

(2) Username/password combinations do not match what you are trying to submit. Make sure you have users and roles defined in your tables.

Hope that helps!

Cheers!
Neven

Thank you all for the reply. I found the problem. I was missing the attribute digest="SHA-1". It's all good now.

Regards,
Janusz
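The fix Janusz found (adding digest="SHA-1" to the Realm) is worth seeing in code, because it explains the "dialog pops up forever" symptom: the users table held SHA-1 hex digests, while a Realm with no digest attribute compares the submitted password as plaintext, so no input can ever match. The script below is an added illustration written for this thread, not Tomcat's code and not anything the posters wrote. It models a Tomcat 7 style Realm comparison: with a digest algorithm set, the submitted password is hashed and rendered as lowercase hex before comparison (treated here as an assumption about Tomcat's rendering, compared case-insensitively); with no digest, the comparison is a plain string match. The table rows are constructed sample data echoing the thread's users.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample rows standing in for the "users" table from the thread.
# janusz's row holds the SHA-1 hex digest of "mypassword1", i.e. what a table
# prepared for a Realm with digest="SHA-1" contains; john's row is plaintext.
USERS: Dict[str, str] = {
    "janusz": hashlib.sha1(b"mypassword1").hexdigest(),
    "john": "mypassword2",
}


def tomcat_digest(password: str, algorithm: Optional[str]) -> str:
    """Transform the submitted password the way a Realm with
    digest="<algorithm>" does before comparing it with the stored column.
    Assumption: raw digest rendered as lowercase hex, UTF-8 input bytes.
    With no algorithm configured, the password is used as-is."""
    if algorithm is None:
        return password
    h = hashlib.new(algorithm.replace("-", "").lower())  # "SHA-1" -> "sha1"
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def authenticate(username: str, password: str,
                 table: Dict[str, str], digest_algorithm: Optional[str] = None) -> bool:
    """Model of the Realm's credential check: look up the stored credential,
    transform the submitted password per the configured digest, compare.
    Digested values are compared case-insensitively (assumption); plaintext
    values must match exactly."""
    stored = table.get(username)
    if stored is None:
        return False
    candidate = tomcat_digest(password, digest_algorithm)
    if digest_algorithm is None:
        return stored == candidate
    return stored.lower() == candidate.lower()


def diagnose(stored_credential: str) -> str:
    """Quick check a practitioner can run on the SELECT output: does the
    stored value look like a hex digest, and of which length?"""
    hex_lengths = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
    value = stored_credential.strip()
    is_hex = all(c in "0123456789abcdefABCDEF" for c in value)
    if is_hex and len(value) in hex_lengths:
        return "looks like a %s hex digest; the Realm needs digest=\"%s\"" % (
            hex_lengths[len(value)], hex_lengths[len(value)])
    return "looks like plaintext; a Realm with a digest attribute will never match it"


if __name__ == "__main__":
    # Misconfigured: digests in the table, no digest attribute on the Realm.
    print("janusz, no digest attr :", authenticate("janusz", "mypassword1", USERS))
    # Fixed: the Realm now hashes the submitted password before comparing.
    print("janusz, digest=SHA-1   :", authenticate("janusz", "mypassword1", USERS, "SHA-1"))
    # The mismatch works the other way round too.
    print("john, digest=SHA-1     :", authenticate("john", "mypassword2", USERS, "SHA-1"))
    for name, cred in USERS.items():
        print(name, "->", diagnose(cred))
```

The `diagnose` helper is the code form of Neven's advice to run `SELECT userName,password FROM users;` and look at what is actually stored: if the column holds 40-character hex strings, the Realm must declare the matching digest, and if it holds plaintext, a digest attribute would produce exactly the same endless-prompt behaviour in the other direction.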