On 16/03/2012 15:11, Neil Munro wrote:
> Yeah, sorry, that's fixed too now. My first error is that I have my
> server.xml realm almost set up, it's just when I try to load any page
> it's protected and can't be loaded, including the login.jsp file.
> Didn't even get to the login stage.

Did you post the security-constraint definition from your web.xml?

You should not be able to directly access the login form JSP. You access
the protected path, then the container saves the request and forwards to
the defined login form URL (which, as I previously recommended, should be
somewhere in WEB-INF where it is not directly accessible).

p

PS Please stop top-posting.

> On 16 March 2012 15:07, Daniel Mikusa <dmik...@vmware.com> wrote:
>>
>> ----- Original Message -----
>> From: "Neil Munro" <neilmu...@gmail.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>
>> Sent: Friday, March 16, 2012 10:56:56 AM
>> Subject: Re: Tomcat, JSP and LDAP
>>
>> On 16 March 2012 14:41, Pid <p...@pidster.com> wrote:
>>> On 16/03/2012 14:13, Neil Munro wrote:
>>>> I have since made some minor progress with LDAP queries. This login.jsp
>>>> file, as you can see, queries for a list of valid users and creates a
>>>> drop-down list to choose from.
>>>>
>>>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>>>>   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>>>> <%@page import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList"%>
>>>> <html>
>>>> <head>
>>>> <title>Login</title>
>>>> </head>
>>>> <body>
>>>> <form method="POST" action="j_security_check">
>>>> <select>
>>
>> If you're intending this to replace the standard login form's user name
>> input text box then you'll need to set the name attribute of the select
>> tag to 'j_username'.
>>
>> Like this...
>>
>> <select name="j_username">
>>
>> Dan
>>
>>>
>>> What are you expecting this select element to do?
>>
>> To do exactly what it does do, allow me to select from a list of users
>> that's generated from the below JSP. It's about the only thing in my
>> code that does work :S
>>
>>>
>>> p
>>>
>>>> <%
>>>>   DirContext ctx = new InitialDirContext();
>>>>   NamingEnumeration answer =
>>>>       ctx.search("ldap://my.ldap.server.com:389/ou=my company users,dc=mycompany,dc=com",
>>>>                  "(uid=*)", null);
>>>>   ArrayList<String> als = new ArrayList<String>();
>>>>
>>>>   while (answer.hasMore()) {
>>>>     // Take line in as string
>>>>     String output = answer.next().toString();
>>>>
>>>>     String[] tokens = output.split(",");
>>>>     for (String t : tokens) {
>>>>       if (t.contains("uid=uid:")) {
>>>>         String[] ids = t.split(" ");
>>>>         als.add(ids[2]);
>>>>       }
>>>>     }
>>>>   }
>>>>
>>>>   for (String s : als) {
>>>>     out.println("<option>" + s + "</option>");
>>>>   }
>>>>
>>>>   // Close the context when we're done
>>>>   ctx.close();
>>>> %>
>>>> </select>
>>>> <br>
>>>> <input type="password" name="j_password">
>>>> <br>
>>>> <input type="submit">
>>>> </form>
>>>> </body>
>>>> </html>
>>>>
>>>> I am however still not able to get the server.xml file working with
>>>> the realms. I did discover through some trial and error that my own
>>>> LDAP user had not been set up right and my system admin kindly fixed
>>>> it for me, which could have led to some working code not working.
>>>>
>>>> This is how it currently works:
>>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>>>>        connectionPassword="userPassword"
>>>>        connectionURL="ldap://my.ldap.server.com"
>>>>        alternateURL="ldap://my.ldap.server.com"
>>>>        roleBase="ou=my company users,dc=mycompany,dc=com"
>>>>        roleName="cn"
>>>>        roleSearch="(uniqueMember={0})"
>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>
>>>> On 16 March 2012 12:05, Pid <p...@pidster.com> wrote:
>>>>> On 16/03/2012 10:23, Neil Munro wrote:
>>>>>> On 15 March 2012 18:24, Christopher Schultz
>>>>>> <ch...@christopherschultz.net> wrote:
>>>>>> Neil,
>>>>>>
>>>>>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>>>>>>>        connectionURL="ldap://my.ldap.server.com"
>>>>>>>>>        alternateURL="ldap://my.ldap.server.com"
>>>>>>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>>>>>>
>>>>>>
>>>>>> The "debug" attribute does not exist any more. Were you following some
>>>>>> kind of old example?
>>>>>>
>>>>>>> Yeah I must have been, I have removed it.
>>>>>>
>>>>>> I think you may need roleBase, roleName, and roleSearch attributes to
>>>>>> have a prayer of making this work. Also, with no userSearch parameter,
>>>>>> you are instructing the realm to connect in "bind" mode where the
>>>>>> user's credentials are used directly to bind to the LDAP server. Is
>>>>>> this appropriate?
>>>>>>
>>>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>>>>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>>>>>>>        connectionPassword="userPassword"
>>>>>>>        connectionURL="ldap://my.ldap.server"
>>>>>>>        alternateURL="ldap://my.ldap.server"
>>>>>>>        roleBase="ou=my company users,dc=mycompany,dc=com"
>>>>>>>        roleName="cn"
>>>>>>>        roleSearch="(uniqueMember={0})"
>>>>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>>>
>>>>>>> I have added those changes. As for which connection mode I need, I
>>>>>>> think bind would be OK for now just to check to see if I can establish
>>>>>>> a connection, but looking at it I think if I will be querying LDAP for
>>>>>>> a user name and password then comparison mode is what I need.
>>>>>>
>>>>>>> However, with this configuration my whole app becomes inaccessible. I
>>>>>>> imagine it's some form of protection or permissions thing, but in my
>>>>>>> floundering around trying things, this is the only thing that seems to
>>>>>>> have any effect on the whole app.
>>>>>>
>>>>>> You might want to re-read this section of the realm-howto:
>>>>>>
>>>>>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>>>>>>
>>>>>> Can you run any queries against the LDAP server outside of Tomcat that
>>>>>> give you results that you might expect? For instance, can you do a
>>>>>> search of the LDAP tree for a particular user? What does that query
>>>>>> look like? When you do that search, are you using anonymous bind or
>>>>>> are you using user bind? If user, which user? Some administrative user
>>>>>> or the user whose credentials should be checked?
>>>>>>
>>>>>>> I can connect with a tool called JXplorer, but I have not had any luck
>>>>>>> from other applications, but that's due to inability to find any up to
>>>>>>> date documentation on the libraries I was using.
>>>>>>
>>>>>>>>> <login-config>
>>>>>>>>>   <auth-method>FORM</auth-method>
>>>>>>>>>   <form-login-config>
>>>>>>>>>     <form-login-page>/login.jsp</form-login-page>
>>>>>>>>>     <form-error-page>/fail_login.jsp</form-error-page>
>>>>>>>>>   </form-login-config>
>>>>>>>>> </login-config>
>>>>>
>>>>> Side note: I usually recommend putting those files in WEB-INF, in their
>>>>> own directory, say: WEB-INF/login.
>>>>>
>>>>> p
>>>>>
>>>>>> That looks just fine: configuring the credential-gathering system is
>>>>>> usually trivial. It's configuring the authentication system that is
>>>>>> usually the problem.
>>>>>>
>>>>>>> Cool, at least some of this is working right. Do you need to see those
>>>>>>> files, btw?
>>>>>>
>>>>>> -chris
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> [key:62590808]
>>>>>
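The two points raised above, Pid's (the security-constraint is what triggers the form, and the form belongs under WEB-INF) and Chris's (bind mode versus a userSearch-driven lookup with proper role attributes), are easiest to see side by side in configuration. What follows is an added example written for this page, not configuration posted by Neil, Pid, Dan or Chris; the service-account DN, the group OU, the role name `staff`, the `/secure/*` path and the file locations are assumed placeholders. It also differs from Neil's posted realm in two ways worth noting: `connectionName` must be a fixed DN (the realm does not substitute `{0}` into it), and the attribute name `userPassword` is a separate realm setting, not something that goes in `connectionPassword`.

```xml
<!-- META-INF/context.xml (or inside <Host> in server.xml): JNDIRealm using
     a search rather than a user DN pattern. The realm binds once with a
     dedicated read-only service account (assumed DN), finds the user's entry
     with userSearch, then binds as that user with the submitted password to
     verify it. No userPassword attribute is configured, so the password hash
     is never read out of the directory. Roles are the cn of every group under
     roleBase whose uniqueMember lists the user's DN ({0} in roleSearch). -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://my.ldap.server.com:389"
         connectionName="cn=tomcat-reader,ou=service accounts,dc=mycompany,dc=com"
         connectionPassword="CHANGE-ME-service-account-password"
         userBase="ou=my company users,dc=mycompany,dc=com"
         userSearch="(uid={0})"
         userSubtree="false"
         roleBase="ou=groups,dc=mycompany,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleSubtree="false" />
</Context>

<!-- WEB-INF/web.xml: without a security-constraint nothing is ever
     challenged, and with one the container saves the request for /secure/*,
     forwards internally to the login page (placed under WEB-INF, so a browser
     cannot fetch it directly), and replays the saved request once
     j_security_check succeeds. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- assumed: cn of an LDAP group found by roleSearch above -->
      <role-name>staff</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- j_username and j_password are POSTed in clear; require TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/fail_login.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```

A quick way to confirm the wiring behaves as Pid describes: a direct request for /WEB-INF/login/login.jsp should return 404, a request for anything under /secure/ should render the form instead, and a wrong password should land on fail_login.jsp rather than an error page. If the whole application becomes unreachable as soon as the Realm is added, the usual cause is the realm failing to bind with connectionName/connectionPassword, which Tomcat logs in catalina.out at startup and on the first login attempt.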