tomcat datasource realm and form based authentication

[kenp21]

First off, I am using Tomcat 5.5.12

I have gone through much trouble trying to get this to work, however, I
have configured my JNDI JDBC datasource. Tested and worked. Now I am
attempting to configure a datasourcerealm. I stuck the following into
the tomcat/conf/server.xml file

<Realm className="org.apach.catalina.realm.DataSourceRealm"
dataSourceName="java:/comp/env/jdbc/myDB"
userTable="users"
userNameCol="userId"
userCredCol="password"
userRoleTable="users"
roleColName="role"
/>

I updated my web.xml file in my application (WEB-INF/web.xml) with the
following

<security-constraint>
<web-resource-collection>
<web-resource-name>Admin tool page</web-resource-name>
<url-patter>adminTool.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/logon.jsp</form-login-page>
<form-error-page>/error.jsp</form-login-page>
</form-login-config>
</login-config>

then i created the logon.jsp which a form whose method is post and
action is j_security_check.

Tomcat starts with no errors, but as soon as I type in a user name and
password that should be in the database and push submit I receive a 404
error stating /myApplication/j_security_check is not available. I
understand that a 404 error means the server (tomcat in this case)
could not locate the specified resource. However, I thought the
j_security_check is in the java servlet specification and that tomcat
is a certified java servlet container? Shouldn't the j_security_check
servlet be available?

 

[kenp21]

I am no longer getting the error, however, it seems as though it is not
locating the information in the database correctly. I am returning an
error but I am sure what I have specified in both the database and the
logon form are correct.

The databse I have setup I have one table called users... it have the
userID password, and role. Should I have the role column in its own
table as the tomcat documentation proposes and relate the two by PK and
FK?

 

[Juha Laiho]

(e-mail address removed) said:

The databse I have setup I have one table called users... it have the
userID password, and role. Should I have the role column in its own
table as the tomcat documentation proposes and relate the two by PK and
FK?

Looks like the documentation is pretty clear on this:

: JDBCRealm is an implementation of the Tomcat 5 Realm interface that looks
: up users in a relational database accessed via a JDBC driver. There is
: substantial configuration flexibility that lets you adapt to existing
: table and column names, as long as your database structure conforms to
: the following requirements:
:
: * There must be a table, referenced below as the users table,
: that contains one row for every valid user that this Realm should
: recognize.
: * The users table must contain at least two columns (it may contain
: more if your existing applications required it):
: o Username to be recognized by Tomcat when the user logs in.
: o Password to be recognized by Tomcat when the user logs
: in. This value may in cleartext or digested - see below for
: more information.
: * There must be a table, referenced below as the user roles table,
: that contains one row for every valid role that is assigned to a
: particular user. It is legal for a user to have zero, one, or more
: than one valid role.
: * The user roles table must contain at least two columns (it may
: contain more if your existing applications required it):
: o Username to be recognized by Tomcat (same value as is
: specified in the users table).
: o Role name of a valid role associated with this user.

In short, two tables are needed - one with username and password columns,
and another with username and role columns. In the first table, there must
be only one row per each user; in the second table there can be any number
of rows (including zero!) per each user.

The username is the factor Tomcat uses to correlate information in the two
tables.

For convenience of any other software that might access this data, you could
also consider a PK/FK relation (FK on the roles table referring to a PK on
the users table), but Tomcat wouldn't even see this.

 

[kenp]

The problem turned out to be that I was running an instance of tomcat
via the eclipse ide. After deploying my war and starting the catalina
service, the lookup was successful. I did not need to create two
tables. Of course, in my production environment, I will setup the
databse and server as per the documentation. But, for development
purposes I did not need to create two tables.