JDBC Authentication
Ok, bear with me. This is my first attempt at configuring Tomcat for any type of authentication. I've configured a host with a JDBCRealm to use a Sybase database for authentication. I added a security constraint, login-config and a security role, however when I point my browser to the URL, I don't see that little password box I'm so anxious to see.

The relevant config snippets are below, anyone who can put me on the path to enlightenment would be deemed a most knowledgeable and esteemed person in my eyes :-)

Ed

    <Context className="org.apache.catalina.core.StandardContext"
             cachingAllowed="true"
             charsetMapperClass="org.apache.catalina.util.CharsetMapper"
             cookies="true" crossContext="true" debug="2"
             docBase="/home/httpd/htdocs/erobbins/robbinsapps/IpnDownload"
             mapperClass="org.apache.catalina.core.StandardContextMapper"
             path="/IpnDownload" privileged="false" reloadable="true"
             swallowOutput="false" useNaming="false"
             wrapperClass="org.apache.catalina.core.StandardWrapper">
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             connectionName="xxx" connectionPassword="xxx"
             connectionURL="jdbc:sybase:Tds:xx:1234" debug="2"
             driverName="com.sybase.jdbc2.jdbc.SybDriver"
             roleNameCol="role_name" userCredCol="user_pass"
             userNameCol="user_name" userRoleTable="user_roles"
             userTable="user_names" validate="true"/>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>IpnDownload</web-resource-name>
          <description>Download location for Ipn web apps</description>
          <url-pattern>/IpnDownload/*</url-pattern>
          <url-pattern>*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>These are the roles who have access</description>
          <role-name>download</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <security-role>
        <description>Download role</description>
        <role-name>download</role-name>
      </security-role>
    </Context>
Re: JDBC authentication
I had a look through your config stuff and it looked fairly similar to mine. (Which is the only one I've configured - though it's form-based. Oh, and working.) I did have a realm-name entry, in login-config I think, but that didn't look like enough to cause a problem.

One thing has just occurred to me, though: you seem to have everything in server.xml? I've got the realm defined there but my security-constraint / login-config etc. are all in web.xml. Might be worth a shot (in the absence of any other replies)

Mike.

----- Original Message -----
From: Ed Robbins [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, January 21, 2003 4:25 PM
Subject: JDBC authentication

Ok, bear with me. This is my first attempt at configuring Tomcat for any type of authentication. I've configured a host with a JDBCRealm to use a Sybase database for authentication. I added a security constraint, login-config and a security role, however when I point my browser to the URL, I don't see that little password box I'm so anxious to see.
Re: JDBC authentication
This was exactly my problem, I moved the security constraint out of the server.xml file and put it into the web.xml for the web app and it magically started working :-)

The only problem I have now is that I can't do a blanket url-mapping like <url-mapping>/*</url-mapping> or <url-mapping>/IpnDownload/*</url-mapping>. These cause the XML parser to bomb and the web app fails to load; if I specify <url-mapping>/*.jsp</url-mapping>, all is good with the world. However I want to protect everything so I was looking for a shortcut, which I see references to on the net.

Thanks for the response. You have been deemed a most knowledgeable and esteemed person, don't forget to add that to your resume! :-)

Ed

On Tue, 2003-01-21 at 20:00, mwm wrote:
> I had a look through your config stuff and it looked fairly similar to mine. (Which is the only one I've configured - though it's form-based. Oh, and working.) I did have a realm-name entry, in login-config I think, but that didn't look like enough to cause a problem.
>
> One thing has just occurred to me, though: you seem to have everything in server.xml? I've got the realm defined there but my security-constraint / login-config etc. are all in web.xml. Might be worth a shot (in the absence of any other replies)
>
> Mike.
>
> ----- Original Message -----
> From: Ed Robbins [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Sent: Tuesday, January 21, 2003 4:25 PM
> Subject: JDBC authentication
>
> Ok, bear with me. This is my first attempt at configuring Tomcat for any type of authentication. I've configured a host with a JDBCRealm to use a Sybase database for authentication. I added a security constraint, login-config and a security role, however when I point my browser to the URL, I don't see that little password box I'm so anxious to see.
Re: JDBC authentication
On 21 Jan 2003, Ed Robbins wrote:

> Date: 21 Jan 2003 21:49:00 -0500
> From: Ed Robbins [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Subject: Re: JDBC authentication
>
> This was exactly my problem, I moved the security constraint out of the server.xml file and put it into the web.xml for the web app and it magically started working :-)
>
> The only problem I have now is that I can't do a blanket url-mapping like
> <url-mapping>/*</url-mapping>
> or
> <url-mapping>/IpnDownload/*</url-mapping>

What's a <url-mapping>? The valid element in a web.xml file is <url-pattern>, and either of the above would be valid. But /*.jsp would not be valid -- you have to use *.jsp instead.

Craig
Re: JDBC authentication
Oops I'm mixing my elements, kinda like mixing my metaphors, I meant <url-pattern>. Sure enough, I just put the /IpnDownload/* and /* back in and it works this time. I must have fat fingered it earlier today.

Thanks.

Ed

On Tue, 2003-01-21 at 22:20, Craig R. McClanahan wrote:
> On 21 Jan 2003, Ed Robbins wrote:
>
> > Date: 21 Jan 2003 21:49:00 -0500
> > From: Ed Robbins [EMAIL PROTECTED]
> > Reply-To: Tomcat Users List [EMAIL PROTECTED]
> > To: Tomcat Users List [EMAIL PROTECTED]
> > Subject: Re: JDBC authentication
> >
> > This was exactly my problem, I moved the security constraint out of the server.xml file and put it into the web.xml for the web app and it magically started working :-)
> >
> > The only problem I have now is that I can't do a blanket url-mapping like
> > <url-mapping>/*</url-mapping>
> > or
> > <url-mapping>/IpnDownload/*</url-mapping>
>
> What's a <url-mapping>? The valid element in a web.xml file is <url-pattern>, and either of the above would be valid. But /*.jsp would not be valid -- you have to use *.jsp instead.
>
> Craig

--
Ed Robbins [EMAIL PROTECTED]
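The two mistakes this thread worked through (descriptor elements placed inside a server.xml Context, and a mistyped or malformed pattern element) can be caught before deployment. The script below is an added example, not code from the thread or from Tomcat; the pattern rules follow the Servlet specification's mapping forms plus Craig's note that /*.jsp is not valid, and both sample documents are constructed for illustration.

```python
"""Lint a server.xml <Context> and a web.xml for the mistakes in this thread."""
import xml.etree.ElementTree as ET

# Deployment-descriptor elements that belong in WEB-INF/web.xml rather than in
# a server.xml <Context> (the fix Mike suggested and Ed confirmed).
WEBXML_ONLY = {"security-constraint", "login-config", "security-role"}
# Children of <web-resource-collection> in the Web Application 2.3 DTD.
COLLECTION_CHILDREN = {"web-resource-name", "description", "url-pattern", "http-method"}


def classify_url_pattern(pattern):
    """Return the mapping type of a <url-pattern> value, or 'invalid'."""
    p = pattern.strip()
    if p == "/":
        return "default"
    if p.startswith("*."):
        # Extension mapping such as "*.jsp"; it may not contain a path.
        return "extension" if "/" not in p and len(p) > 2 else "invalid"
    if p.startswith("/"):
        if "*." in p:
            return "invalid"      # "/*.jsp" mixes path and extension forms
        if p.endswith("/*"):
            return "path-prefix"  # "/*", "/IpnDownload/*"
        return "exact"
    return "invalid"              # no leading "/" or "*." (rejected here)


def audit_context(context_xml):
    """Return the web.xml-only elements found inside a <Context> fragment."""
    ctx = ET.fromstring(context_xml)
    return sorted({el.tag for el in ctx.iter() if el.tag in WEBXML_ONLY})


def audit_web_xml(web_xml):
    """Return (finding, value) tuples for each <web-resource-collection>."""
    findings = []
    for coll in ET.fromstring(web_xml).iter("web-resource-collection"):
        for child in coll:
            if child.tag not in COLLECTION_CHILDREN:
                findings.append(("unknown-element", child.tag))
            elif child.tag == "url-pattern":
                if classify_url_pattern(child.text or "") == "invalid":
                    findings.append(("invalid-url-pattern", child.text))
    return findings


def protects_everything(web_xml):
    """True if some constraint uses "/*". Patterns are relative to the
    context path, so only "/*" covers the whole application."""
    root = ET.fromstring(web_xml)
    return any((pat.text or "").strip() == "/*"
               for coll in root.iter("web-resource-collection")
               for pat in coll.iter("url-pattern"))


# Constructed sample: constraint elements left inside server.xml.
SAMPLE_CONTEXT = """<Context path="/IpnDownload" docBase="IpnDownload">
  <Realm className="org.apache.catalina.realm.JDBCRealm"/>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IpnDownload</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</Context>"""

# Constructed sample: the element typo and the "/*.jsp" form from the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IpnDownload</web-resource-name>
      <url-mapping>/*</url-mapping>
      <url-pattern>/*.jsp</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/IpnDownload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>download</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    print("misplaced in Context:", audit_context(SAMPLE_CONTEXT))
    print("web.xml findings:", audit_web_xml(SAMPLE_WEB_XML))
    print("whole app protected:", protects_everything(SAMPLE_WEB_XML))
```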
Problem with REALM JNDI JDBC AUTHENTICATION
I thank you for your support in advice; I have a very big problem in my project: My application on W2K, TOMCAT 4.1 ALPHA, JBUILDER 4 AND JNDI EXTENSION doesn't run when access to resource JDBC to connect db to check authentication via REALM (I use j_security_check action form and I access to mysql db for authentication). Error is CANNOT CREATE RESOURCE. I THINK IT'S A CONFIGURATION PROBLEM. CAN YOU HELP ME PLEASE. Thank you, I can give you other details if it's necessary. Thanks again.
Re: JDBC authentication configuration
This may or may not be the full problem, but one glaring error is in the connectionURL of your server.xml file. It should read as follows. Note the URL for making a connection to a MySQL database uses an & symbol before 'password' and in XML it has to be encoded. Hope this helps you out.

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/rmta?user=myuser&amp;password=mypassword"
           userTable="tablename" userNameCol="login" userCredCol="password"
           userRoleTable="rolestable" roleNameCol="role" />

--David

On Sunday 13 January 2002 08:12 pm, you wrote:
> Hello, I am relatively new to servlet/jsp programming, and struggling with JDBC authentication. I have a tiny test application that works fine using form authentication against passwords and names in the tomcat-users.xml file. However, when I reconfigure the server.xml file for JDBC authentication (following the instructions on the Apache/Tomcat site) the server hangs during startup. My little app is in a folder called /rmta-test. Specifically, in the log, the hang comes early on in the startup process, right after a line saying:
>
> Standard Manager [:/rmta-test]: Seeding of random number generator has completed.
>
> Below I have quoted the relevant lines from the server.xml file, and the web.xml file for this application. I don't think this has anything to do with the database, as Tomcat seems to hang on startup well before any interaction with the database. However, the database tables are setup correctly per the docs, and I can query it manually. I have also used a small stand-alone java program to create a table using the JDBC driver, so I know that the driver is installed correctly (in the tomcat library). If I simply remove the Realm statement, then Tomcat starts up normally. I'm pretty sure I've got something wrong in the configuration, of server.xml or web.xml, but I can't figure out what it is. I would be grateful for anyone's help.
Re: JDBC authentication configuration
Thanks to David! This fixed my authentication problem!

--On Monday, January 14, 2002 10:22 AM -0500 David Smith [EMAIL PROTECTED] wrote:

> This may or may not be the full problem, but one glaring error is in the connectionURL of your server.xml file. It should read as follows. Note the URL for making a connection to a MySQL database uses an & symbol before 'password' and in XML it has to be encoded. Hope this helps you out.
>
> connectionURL="jdbc:mysql://localhost/rmta?user=myuser&amp;password=mypassword"

I copied the URL directly from the Apache-Jakarta-Tomcat Realm Configuration How-To, and it shows only the semicolon following the user=username pair. It doesn't mention the ampersand at all. Should this be changed in the docs (since the example is showing a connection to a mysql database)?

Thanks

Paul Phillips
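The difference between the three spellings of the connectionURL in this exchange can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat; it assumes the JDBC driver separates URL parameters with '&', as David's reply describes, and reuses the thread's placeholder host, database and credentials.

```python
"""Show why the '&' in a JDBCRealm connectionURL has to be written '&amp;'."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Minimal <Realm> element; {url} is substituted exactly as it would be typed
# into server.xml.
REALM = ('<Realm className="org.apache.catalina.realm.JDBCRealm" '
         'driverName="org.gjt.mm.mysql.Driver" connectionURL="{url}" />')

# Three spellings of the same URL (placeholder credentials from the thread).
VARIANTS = {
    "semicolon": "jdbc:mysql://localhost/rmta?user=myuser;password=mypassword",
    "raw_ampersand": "jdbc:mysql://localhost/rmta?user=myuser&password=mypassword",
    "escaped": "jdbc:mysql://localhost/rmta?user=myuser&amp;password=mypassword",
}


def check_realm(realm_xml):
    """Return (status, params) for one <Realm> element given as text."""
    try:
        realm = ET.fromstring(realm_xml)
    except ET.ParseError:
        # A bare '&' starts an entity reference, so the file is not XML.
        return "malformed-xml", {}
    url = realm.get("connectionURL", "")
    if url.startswith("jdbc:"):
        url = url[len("jdbc:"):]          # let urlsplit see mysql://host/db?...
    # Assumption: parameters are separated by '&' only.
    params = parse_qs(urlsplit(url).query, separator="&")
    missing = [key for key in ("user", "password") if key not in params]
    if missing:
        return "missing-" + "-".join(missing), params
    return "ok", params


def check_all():
    """Run check_realm over every variant."""
    return {name: check_realm(REALM.format(url=url))
            for name, url in VARIANTS.items()}


if __name__ == "__main__":
    for name, (status, params) in check_all().items():
        print(f"{name:14s} {status:18s} {params}")
```

With the semicolon form the whole string after user= becomes the user name and no password parameter exists; the XML parser turns &amp; back into & before the URL reaches the driver.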
JDBC authentication configuration
Hello, I am relatively new to servlet/jsp programming, and struggling with JDBC authentication. I have a tiny test application that works fine using form authentication against passwords and names in the tomcat-users.xml file. However, when I reconfigure the server.xml file for JDBC authentication (following the instructions on the Apache/Tomcat site) the server hangs during startup. My little app is in a folder called /rmta-test. Specifically, in the log, the hang comes early on in the startup process, right after a line saying:

    Standard Manager [:/rmta-test]: Seeding of random number generator has completed.

Below I have quoted the relevant lines from the server.xml file, and the web.xml file for this application. I don't think this has anything to do with the database, as Tomcat seems to hang on startup well before any interaction with the database. However, the database tables are setup correctly per the docs, and I can query it manually. I have also used a small stand-alone java program to create a table using the JDBC driver, so I know that the driver is installed correctly (in the tomcat library). If I simply remove the Realm statement, then Tomcat starts up normally. I'm pretty sure I've got something wrong in the configuration, of server.xml or web.xml, but I can't figure out what it is. I would be grateful for anyone's help. By the way, I'm using Tomcat 4.0.1 on unix.

Thanks!

Paul Phillips

___

Here are the lines that I inserted in my server.xml file to try and get JDBC authentication going:

    <Context path="/rmta-test" docBase="rmta-test" debug="99" reloadable="true">
      <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
             driverName="org.gjt.mm.mysql.Driver"
             connectionURL="jdbc:mysql://localhost/rmta?user=myuser;password=mypassword"
             userTable="tablename" userNameCol="login" userCredCol="password"
             userRoleTable="rolestable" roleNameCol="role" />
    </Context>

___

Here is my web.xml file:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <servlet>
        <servlet-name>GreetingServlet</servlet-name>
        <servlet-class>fenced.GreetingServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>GreetingServlet</servlet-name>
        <url-pattern>/greeting</url-pattern>
      </servlet-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>thename</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
    </web-app>

___

Paul Phillips
Director of Orchestral Activities, Meadows School of the Arts
Southern Methodist University

"You must sing every note you play, sing even through the rests!" Arturo Toscanini
JDBC Authentication Broken in 3.2.3?
I've been fighting with the JDBC authentication in 3.2.2 and 3.2.3 using Windows 2000, MySQL 3.23.39, the mm-mysql 2.0.6 drivers and JDK 1.3.1. I just can't get it to work. I get the messages in the console:

    2001-07-17 15:21:20 - ContextManager: JDBCRealm: Starting JDBCRealm, trying to acquire JDBC Driver class and DB Connection
    2001-07-17 15:21:21 - ContextManager: JDBCRealm: JDBCRealm has been started succesfully
    2001-07-17 15:21:22 - PoolTcpConnector: Starting HttpConnectionHandler on 80
    2001-07-17 15:21:22 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 8007
    2001-07-17 15:21:31 - ContextManager: JDBCRealm: The database connection is null or was found to be closed. Trying to re-open it.
    2001-07-17 15:21:31 - ContextManager: JDBCRealm: JDBCRealm.authenticate: SELECT user_pass FROM users WHERE user_name = ?
    2001-07-17 15:21:31 - ContextManager: JDBCRealm: Authentication successful for user michaelm
    2001-07-17 15:21:31 - ContextManager: JDBCRealm: Auth ok, user=michaelm

but it won't take me to the page I want to go to...in other words, it says I'm successfully authenticated, but the login window just keeps popping up. After 3 tries, I get to the page, but it's blank. Same for form login...keep logging in and keep getting sent to the error page. What's up? When I put a garbage login/pass I see:

    2001-07-17 15:24:29 - ContextManager: JDBCRealm: Authentication unsuccessful for user asdf

so I know that it is talking to the database correctly. Here is the security part of my web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/main/pgMain.html</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>viewer</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin</realm-name>
    </login-config>

Here is the database stuff:

    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 4 to server version: 3.23.39-nt

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> use testdb
    Database changed
    mysql> select * from users;
    +-----------+-----------+
    | user_name | user_pass |
    +-----------+-----------+
    | michaelm  | indonesia |
    +-----------+-----------+
    1 row in set (0.00 sec)

    mysql> select * from roles;
    +-----------+
    | role_name |
    +-----------+
    | viewer    |
    +-----------+
    1 row in set (0.04 sec)

    mysql> select * from user_roles;
    +-----------+-----------+
    | user_name | role_name |
    +-----------+-----------+
    | michaelm  | viewer    |
    +-----------+-----------+
    1 row in set (0.04 sec)

    mysql>

Any clues?

Mike
RE: User login logging (JDBC authentication)
Hi, yeah this is more or less OK. For my application I have a servlet acting as a controller (like a portal) - all functions are accessed thru the controller, which dispatches the request to the correct JSP (in your case), for my part I'm using Velocity and templates. This controller servlet initializes

- the user session
- the logging system
- messages
- Database pools
- The events the application can handle

For every request to a protected resource (JSP), the controller checks if the user is identified. If not, the request is dispatched to the login event. After a successful login, the login event redirects to the protected resources (which was saved from the controller before redirecting to the login JSP). I'm using a login object in the session context which knows about

- the username
- the language
- preferences
- .

Hope this helps

Reto

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Friday, 6 July 2001 07:20
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi Reto, Could you please explain it more clearly. And from your words I got one idea... please tell me whether it is the right way or not... Whenever a user accesses any JSP or Servlet other than LoginServlet (which is the controller servlet).. I will check the session for some username; if it is null then I redirect the request to Login.jsp... Before this I will create a session in LogonServlet and set the username in the session whenever the user is authenticated... is this OK

-raj-

-----Original Message-----
From: Reto Badertscher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 7:53 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

Hello, If you have a controller servlet it can check for authenticated user and if a user is not logged in you can redirect to your login screen, and after a successful login, redirect back to the protected target. For security reasons (accessing a JSP directly without going thru the controller servlet), every protected resource can check if a user is logged in.

Reto

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 5 July 2001 15:33
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi Randy, I would appreciate your patience... I am coming from first... This is my problem: I have 10 JSPs under the myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of the user... I check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to the remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp... This is my problem... what is your best possible solution? Is it anyway related to Java or Tomcat security? If yes, how can I achieve it? Or is there any other way around to achieve it... Thanks for listening...

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are). You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields.

Randy

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi Randy and all, if that is the case where can I set username and password? And one more thing, I am using tomcat with IIS ...can I restrict resources (JSPs and Servlets) on tomcat from IIS... Any help would be appreciated

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again.

Randy

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page
Re: User login logging (JDBC authentication)
Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help.

Mark

----- Original Message -----
From: Rajehswar V. Rao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:21 PM
Subject: RE: User login logging (JDBC authentication)

Hi Mark and all, I think my situation is also almost the same. I have a set of JSPs under my \myContext\jsp... I don't want to give access to the users to these JSPs once they have been authenticated... One of the JSPs authenticates the user. Please do help...

-raj-

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated.

Thanks

Mark

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:
> Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony
RE: User login logging (JDBC authentication)
What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again.

Randy

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help.

Mark

----- Original Message -----
From: Rajehswar V. Rao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:21 PM
Subject: RE: User login logging (JDBC authentication)

Hi Mark and all, I think my situation is also almost the same. I have a set of JSPs under my \myContext\jsp... I don't want to give access to the users to these JSPs once they have been authenticated... One of the JSPs authenticates the user. Please do help...

-raj-

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated.
Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
RE: User login logging (JDBC authentication)
Hi Randy and all,

if that is the case where can I set username and password

And one more thing, I am using tomcat with IIS ...can I restrict resources (JSPs and Servlets) on tomcat from IIS...

Any help would be appreciated

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again.

Randy

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this?

Thanks for any help.

Mark

----- Original Message -----
From: Rajehswar V. Rao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:21 PM
Subject: RE: User login logging (JDBC authentication)

Hi Mark and all,

I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I don't want to give access to the users to these JSPs once they have been authenticated... One of the JSPs authenticate the user

please do help...

-raj-

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it?

Any help appreciated.

Thanks

Mark

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony
RE: User login logging (JDBC authentication)
Hi randy,

I would appreciate your patience... I am coming from first...

This is my problem

I have 10 JSPs under myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of user... I check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp...

This is my problem... what is your best possible solution

Is it anyway related to Java or Tomcat security? If yes, how can I achieve it? Or is there any other way around to achieve it...

Thanks for listening...

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are).

You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields.

Randy

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi Randy and all,

if that is the case where can I set username and password

And one more thing, I am using tomcat with IIS ...can I restrict resources (JSPs and Servlets) on tomcat from IIS...

Any help would be appreciated

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again.

Randy

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this?

Thanks for any help.

Mark

----- Original Message -----
From: Rajehswar V. Rao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:21 PM
Subject: RE: User login logging (JDBC authentication)

Hi Mark and all,

I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I don't want to give access to the users to these JSPs once they have been authenticated... One of the JSPs authenticate the user

please do help...

-raj-

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it?

Any help appreciated.

Thanks

Mark

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony
RE: User login logging (JDBC authentication)
You can use the Realms security infrastructure of Tomcat to achieve what you are trying to do - you will need to modify your web.xml file, but it's pretty easy.

http://jakarta.apache.org/cvsweb/index.cgi/jakarta-tomcat/src/doc/ is the documentation for Tomcat in the CVS repository. A quick glance there shows a howto for the JDBCRealm (authenticating against a database).

Randy

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi randy,

I would appreciate your patience... I am coming from first...

This is my problem

I have 10 JSPs under myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of user... I check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp...

This is my problem... what is your best possible solution

Is it anyway related to Java or Tomcat security? If yes, how can I achieve it? Or is there any other way around to achieve it...

Thanks for listening...

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are).

You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields.

Randy

-----Original Message-----
From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: User login logging (JDBC authentication)

Hi Randy and all,

if that is the case where can I set username and password

And one more thing, I am using tomcat with IIS ...can I restrict resources (JSPs and Servlets) on tomcat from IIS...

Any help would be appreciated

-raj-

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: User login logging (JDBC authentication)

What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again.

Randy

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Raj and all

I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this?

Thanks for any help.

Mark

----- Original Message -----
From: Rajehswar V. Rao [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:21 PM
Subject: RE: User login logging (JDBC authentication)

Hi Mark and all,

I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I don't want to give access to the users to these JSPs once they have been authenticated... One of the JSPs authenticate the user

please do help...

-raj-

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: User login logging (JDBC authentication)

Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it?

Any help appreciated.

Thanks

Mark

- Original Message
Re: User login logging (JDBC authentication)
Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it?

Any help appreciated.

Thanks

Mark

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony
Re: User login logging (JDBC authentication)
Sorry! - found it now (in tomcat_modules.jar).

Mark

----- Original Message -----
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:37 AM
Subject: Re: User login logging (JDBC authentication)

Antony

Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it?

Any help appreciated.

Thanks

Mark

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony
Re: User login logging (JDBC authentication)
Mark,

Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated.

Perhaps I should have elucidated a little more... I'm assuming you have configured JDBCRealm as your interceptor in conf/server.xml and we are talking about tomcat 3.x.

The JDBCRealm is part of webserver.jar. You can either modify the source of JDBCRealm.java (org.apache.tomcat.request.JDBCRealm) to implement your own specific logging or set the debug level of the JDBCRealm to 2 or greater.

At least the existing JDBCRealm with tomcat 3.2.2 supports logging success and failures by setting the debug level to 2 or greater. If you want to implement your own then modify the source, rebuild the class and add it to the $TOMCAT_HOME/classes

HTH. Antony

----- Original Message -----
From: Antony Bowesman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 4:58 PM
Subject: Re: User login logging (JDBC authentication)

Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony

--
Antony Bowesman
Teamware Group
[EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705
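Logging the result of the credential check, as suggested in this thread, while avoiding the one-row-per-page-request growth also reported in it, sketched as an added example (not code from the thread and not Tomcat's own): `CredentialCheck`, `AuditingCheck` and the session id argument are hypothetical stand-ins for the realm and the container's session, and the sample user is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginAuditDemo {
    /** Hypothetical stand-in for the realm's credential check; not Tomcat's API. */
    interface CredentialCheck {
        boolean authenticate(String user, String password);
    }

    /** Records every failure, but only the first success per session and user. */
    static class AuditingCheck {
        private final CredentialCheck delegate;
        // Session id -> user whose successful login was already recorded.
        private final Map<String, String> loggedIn = new ConcurrentHashMap<>();
        // Stands in for the audit table or log file.
        final List<String> events = new ArrayList<>();

        AuditingCheck(CredentialCheck delegate) { this.delegate = delegate; }

        boolean check(String sessionId, String user, String password) {
            boolean ok = delegate.authenticate(user, password);
            if (!ok) {
                // Forget the session so a later success is recorded again.
                loggedIn.remove(sessionId);
                record("LOGIN_FAILURE", user);
            } else if (!user.equals(loggedIn.put(sessionId, user))) {
                record("LOGIN_SUCCESS", user);
            }
            return ok;
        }

        /** Call when the session expires so the map does not grow without bound. */
        void sessionEnded(String sessionId) { loggedIn.remove(sessionId); }

        private synchronized void record(String type, String user) {
            // Strip CR/LF so a crafted user name cannot forge extra log lines.
            // The password and the raw session id are never written.
            events.add(type + " user=" + user.replaceAll("[\\r\\n]", "_"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials; a real realm would query the user table.
        Map<String, String> users = Map.of("mark", "s3cret");
        AuditingCheck audit = new AuditingCheck((u, p) -> p.equals(users.get(u)));

        audit.check("s1", "mark", "wrong");      // one failed attempt
        for (int page = 0; page < 100; page++) { // 100 page requests in one session
            audit.check("s1", "mark", "s3cret");
        }
        audit.events.forEach(System.out::println);
        System.out.println("events recorded: " + audit.events.size());
    }
}
```

Failures are deliberately not de-duplicated, since repeated failures for one user name are the signal an operator looks for in the audit trail.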
User login logging (JDBC authentication)
Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Any help would be appreciated

Mark Muffett
RE: User login logging (JDBC authentication)
If you store the login information in the session object you could simply check that object on each of your pages (or you could include a page at the top of your pages which does this check) and redirect them back to the login page if the check fails

-----Original Message-----
From: Mark Muffett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 5:54 AM
To: [EMAIL PROTECTED]
Subject: User login logging (JDBC authentication)

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Any help would be appreciated

Mark Muffett
Re: User login logging (JDBC authentication)
Mark Muffett wrote:

Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony