Re: Tomcat and JAASRealm
Hello Jukka, Jukka Männistö wrote: Hello :) (this is my very first post to any mailing-list) Hope it will be a positive experience :-) I've been trying to get Tomcat and its JAASRealm to work for maybe four weeks now. Even though the JAAS authentication succeeds, Tomcat does not pass me through to the protected web-app, but says HTTP 403 instead! 403 means that authentication passed but authorization failed. In other words, the user logged in all right, but does not posess the role required to enter the webapp (in your case outlook-role), or at least that Tomcat can't determine that he does. I've tried fiddling with how and what Principals are added to the Subject and so on.. I've tried everyhing I've thought of and more.. Make sure that you add Principals not only for the user, but also for the role(s). I think if you didn't add the roles, that would explain the above 403 error. __ Realm className=org.apache.catalina.realm.JAASRealm appName=OutlookProxy userClassNames=org.apache.catalina.realm.GenericPrincipal roleClassNames=org.apache.catalina.realm.GenericPrincipal debug=99/ __ I think you need to make a distinction between user and role Principals, like UserPrincipal where the getName() returns the user name and a RolePrincipal that returns outlook-role in getName(). Both Principals need to be added in your LoginModule. Also, the first added Principal has to be the user, and the next one(s) the role(s). I found this in the Tomcat docs (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm): Although not specified in JAAS, you should create seperate classes to distinguish between users and roles and Regardless, the first Principal returned is /always/ treated as the user Principal. Here's a snippet of my web.xml: __ security-constraint web-resource-collection web-resource-nameOutlookProxy/web-resource-name url-pattern/exchange/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameoutlook-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameProtected Web-app/realm-name /login-config __ You might want to add a security-role role-nameoutlook-role/role-name /security-role directly below the /login-config, though I don't think that will make the difference. There's a user in tomcat-userx.xml that has been associated with the aforementioned role (outlook-role). Now I'm quite sure you don't need this file at all. If Tomcat keeps looking at this file, it means you're using MemoryRealm instead of JAASRealm. Unless you use JAAS to access this file, but then you probably wouldn't want to use JAAS in the first place. I assume you get the user/role data from elsewhere, like from a database. If I am right, better remove this file (or at least remove the users/roles that you're testing) to avoid confusion. Hope this helps. Please let me know either way, I'm also into JAAS lately :-) Regards, Jeroen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JAAS: LoginConfig file in webapp
The tomcat documentation about JAASRealm suggests to pass the location of the JAAS config file as a parameter to the JVM (with JAVA_OPTS=...). It also mentions that there are alternatives. Can anyone tell me how to place the config file under /WEB-INF of a specific webapp and how to reference it? I don't want to tweak webapp specific things in Tomcat. Jeroen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[OT] login form on directly referenced page
Hello, I think I already found the answer elsewhere (it is not possible!), but I would be very frustrated and disappointed, and that's why I'm trying here. What I want is to have a login form on the (publicly accessible) main page of my web site, so that a user can enter username/password whenever he feels like it, and gets more options after being logged in. When I put the form on the page, with j_usermane, j_password and j_security_check, I get a message Invalid direct reference to form login page. This is true, because the login page in this case is the main page. How can I solve this problem, or what are the cleanest possible work-arounds? Jeroen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
order of creation of JNDI datasource from context.xml and Filter.init() using it
Hello, My problem is so basic that I have no doubt other people have experienced it. Still, I can't find any solutions on the web. I want Tomcat to provide my webapp with DataSources through JNDI. I want Hibernate to use these DataSources. Nothing exciting so far. I configured the BasicDataSourceFactory in the META-INF/context.xml like this: Resource name=jdbc/mydb auth=Container driverClassName=org.postgresql.Driver factory=org.apache.commons.dbcp.BasicDataSourceFactory username=* password=* type=javax.sql.Datasource url=jdbc:postgresql://localhost:5432/mywebapp scope=Shareable maxActive=10 maxIdle=100 maxWait=3000 / In the web.xml I put: filter filter-nameHibernateSessionFilter/filter-name filter-classnl.kransen.mywebapp.context.HibernateSessionFilter/filter-class /filter filter-mapping filter-nameHibernateSessionFilter/filter-name url-pattern/*/url-pattern /filter-mapping ... resource-ref descriptionMy database/description res-ref-namejdbc/mydb/res-ref-name res-typejavax.sql.DataSource/res-type res-authContainer/res-auth /resource-ref In the hibernate.cfg.xml I make a JNDI reference to the datasource: hibernate-configuration session-factory property name=connection.datasourcejava:comp/env/jdbc/mydb/property property name=dialectnet.sf.hibernate.dialect.PostgreSQLDialect/property property name=show_sqltrue/property mapping resource=hibernate-mappings/Aap.hbm.xml / mapping resource=hibernate-mappings/Noot.hbm.xml / mapping resource=hibernate-mappings/Mies.hbm.xml / /session-factory /hibernate-configuration Now I created a HibernateSessionFilter that will filter any request to the webapp and provide it with a Hibernate Session. In the init() the Hibernate SessionFactory is configured by doing a lookup on JNDI for a DataSource. My problem is that Hibernate can't find the JNDI datasource: 17:44:14,745 INFO [nl.kransen.mywebapp.context.HibernateSessionFilter] Failed to initialize Hibernate! net.sf.hibernate.HibernateException: Could not find datasource: java:comp/env/jdbc/mydb Instead, I tried to put the Datasource in the GlobalNamingResources/ of the server.xml. In the context.xml I put: ResourceLink name=My Database global=jdbc/mydb type=javax.sql.Datasource / The error I get then is: 20:31:09,550 WARN [net.sf.hibernate.cfg.SettingsFactory] Could not obtain connection metadata org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:780) Instead of initializing the Hibernate SessionFactory in the Filter's init() method, I do it the first time the doFilter() is called. Then I get a similar error: 20:42:35,324 DEBUG [net.sf.hibernate.util.JDBCExceptionReporter] Cannot open connection org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:780) ... Caused by: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null' at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:780) at org.apache.tomcat.dbcp.dbcp.BasicDataSource.getConnection(BasicDataSource.java:540) at net.sf.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:59) at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:289) ... 54 more Caused by: java.lang.NullPointerException at java.util.StringTokenizer.init(StringTokenizer.java:182) at org.postgresql.Driver.parseURL(Driver.java:251) at org.postgresql.Driver.acceptsURL(Driver.java:159) at java.sql.DriverManager.getDriver(DriverManager.java:232) at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:773) What I really want is the first solution with the JNDI datasource declaration in the webapp context.xml, and preferably initialization of Hibernate in the init() of the Filter. Is it possible that the reason that it doesn't work is that the Filter is first created (and its init() called) BEFORE the DatasourceFactory is created and bound to JNDI? If that is the case, wouldn't it make more sense to turn that around? After all, it's the CONTEXT.xml :-) The second and third structures brought me closer, but why does the Postgresql driver think that URL 'null' was passed, when I put a correct URL in the config? I hope anyone can help me. Jeroen Kransen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]