Hi, I'm running Tomcat 6.0.20 on Windows 2003 Server, with JRE 1.6.0_14.
I have a working Tomcat configuration using MySQL authentication to access the ROOT webapp. I'm using DataSourceRealm just like the one in the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm).

What I previously didn't have was a method for users to change their passwords through the web interface. I managed to figure out a way to do it using a jdbc resource and sql:query and sql:update tags in a couple of JSP files. I basically started out with example code from the tomcat wiki for DataSource (datasourcedemo.war). I deployed my modified code on the server as a separate application (i.e. not in the ROOT app) under "/changepass".

Well, the code works wonderfully when I don't have any security constraints on the application. However, when I try adding security constraints (using the same security constraints as the ROOT app), it stops working! To be more specific, Tomcat requires me to log in to access the app, but the sql stuff no longer works.

I reduced the problem code down to a simple SQL query which works w/o security constraints, but fails when I implement constraints. The code below (dbtest.jsp) just prints the contents of the authority table. At least, it does when I don't have security constraints. However, when I add security constraints, it instead prints only (literally):

${row.user_name} ${row.user_pass}

And that's it! I imagine I'm doing something wrong (well, I'm sure there's multiple things...) -- can someone please clue me in? I obviously do not want people accessing the /changepass application w/o logging in first. (BTW, I can post the changepass code if someone cares, but it doesn't seem relevant here...)

I'm not sure if it's relevant, but I'm using a different JDBC Resource for server authentication and for changepass. Obviously they are both accessing the same database, but I wanted to make sure that the login process used a read-only account, and /changepass using a different account with UPDATE privs.
The authentication resource is in the GlobalNamingResources, while the /changepass resource is defined in the webapp's context.xml.

---- BEGIN dbtest.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"%>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>Assignment List</title>
</head>
<body>
  <sql:setDataSource dataSource="jdbc/chngpass" />
  <table>
    <sql:query var="qryAsmts" >
      SELECT * FROM users
    </sql:query>
    <c:forEach var="row" items="${qryAsmts.rows}">
      <tr>
        <td>${row.user_name}</td>
        <td>${row.user_pass}</td>
      </tr>
    </c:forEach>
  </table>
</body>
</html>
---- END JSP

--- BEGIN web.xml for /changepass
<web-app>
  <!-- Security constraint for the webapp -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>changepass Web</web-resource-name>
      <url-pattern>/changepass/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>appuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
  <security-role>
    <description>
      The role that is required to log in to APP
    </description>
    <role-name>appuser</role-name>
  </security-role>
</web-app>
--- END web.xml
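An added example, not part of the original post: a small Python check of a web.xml against two Servlet/JSP specification rules that bear on the setup described above. It assumes that a descriptor which does not declare version 2.4 or later is handled as Servlet 2.3 or earlier, where JSP EL is ignored by default, and that url-patterns are matched relative to the context path; the function name, finding codes and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'.
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text, context_path):
    """Return (code, detail) findings for a web.xml deployed at context_path."""
    root = ET.fromstring(xml_text)
    findings = []
    # Rule 1: JSP EL is evaluated by default only for Servlet 2.4+ descriptors.
    try:
        version = float(root.get("version", ""))
    except ValueError:
        version = None
    if version is None or version < 2.4:
        findings.append(("EL_IGNORED", "no <web-app version> of 2.4 or later"))
    # Rule 2: url-patterns are matched after the context path is removed.
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    for sc in constraints:
        for el in sc.iter():
            pattern = (el.text or "").strip()
            if _local(el.tag) == "url-pattern" and context_path and (
                    pattern == context_path or pattern.startswith(context_path + "/")):
                findings.append(("CONTEXT_IN_PATTERN",
                                 "%s protects %s%s" % (pattern, context_path, pattern)))
    if not constraints:
        findings.append(("NO_CONSTRAINT", "no security-constraint declared"))
    return findings

# Constructed sample modelled on the web.xml in the post (trimmed).
POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>changepass Web</web-resource-name>
      <url-pattern>/changepass/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appuser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed variant: Servlet 2.5 declaration, pattern relative to the context.
CHECKED = POSTED.replace(
    "<web-app>",
    '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
).replace("/changepass/*", "/*")

if __name__ == "__main__":
    for name, doc in (("posted", POSTED), ("variant", CHECKED)):
        print(name, check_web_xml(doc, "/changepass"))
```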