3
votes

I have configured my application to use form-based authentication and set up the needed settings in server.xml.

When I try to access a protected page I am correctly redirected to the login page. On the login page I provide the correct userid and password, but it does not log me in and instead shows the login error page.

I am using Eclipse to run the project in Tomcat along with a MySQL database on Mac OS X.

Thanks in advance.

3
Can you post your web.xml and maybe some log snippets? - chotchki

Also post your server.xml (the part of it where you define Realm) and your form declaration on the login page. - ChssPly76

Guys, please see my response below. I cannot see any logs when I start Tomcat using Eclipse. But when I start Tomcat standalone I see logs and don't see anything unusual there. I should also mention that I have defined the necessary tables as well as referenced them in the realm definition. - Zaheer Baloch

3 Answers

4
votes

At last got this working!

As I am using Eclipse to deploy my application, Eclipse adds a project named Servers which contains a server.xml, and that file is in fact the one used by Tomcat when Tomcat is started using Eclipse.

So the solution is to make the realm changes to server.xml in the Servers project in Eclipse.

Thank you guys for all your help and support.

Best regards, Zaheer
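An added example (not part of the original answer, and not Tomcat or Eclipse code): a Python check for the situation this fix describes, comparing the Realm elements in the server.xml that was edited by hand with the copy in the Eclipse Servers project that Tomcat actually loads. Both XML samples are constructed (the JDBCRealm is the one posted in this thread), the function names are hypothetical, and passwords embedded in connectionURL are masked before anything is reported.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the copy edited by hand (e.g. the Tomcat install's
# conf/server.xml), carrying the JDBCRealm posted in this thread.
STANDALONE_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost/dbname?user=root&amp;password=root"
         userTable="users" userNameCol="email" userCredCol="password"
         userRoleTable="user_roles" roleNameCol="role_name"/>
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""

# Constructed sample: the copy in the Eclipse "Servers" project, still on the default realm.
ECLIPSE_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""

def redact(value):
    """Mask a password embedded in a JDBC URL so the report is safe to paste."""
    return re.sub(r"(password=)[^&;]*", r"\1***", value, flags=re.I)

def realms(server_xml):
    """Map className -> attributes for every <Realm>, at any nesting level."""
    found = {}
    for el in ET.fromstring(server_xml).iter("Realm"):
        attrs = {k: redact(v) for k, v in el.attrib.items() if k != "className"}
        found[el.get("className", "?")] = attrs
    return found

def compare(edited_xml, effective_xml):
    """Return (realms missing from the effective file, realms whose attributes differ)."""
    edited, effective = realms(edited_xml), realms(effective_xml)
    missing = sorted(set(edited) - set(effective))
    changed = sorted(c for c in set(edited) & set(effective) if edited[c] != effective[c])
    return missing, changed

if __name__ == "__main__":
    missing, changed = compare(STANDALONE_XML, ECLIPSE_XML)
    for cls in missing:
        print("not in the file Tomcat actually loads:", cls, realms(STANDALONE_XML)[cls])
    for cls in changed:
        print("attributes differ:", cls)
```

A non-empty `missing` list means the realm exists only in the file that is not being loaded, so every login is checked against the default realm and fails.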

2
votes

Here is the part defining security for a resource in the web.xml and declaration of form based authentication.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>profile</web-resource-name>
            <url-pattern>/myProfile</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>member</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/signin.jsp</form-login-page>
            <form-error-page>/signin_error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>member</role-name>
    </security-role>

And here is the realm definition in server.xml.

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost/dbname?user=root&amp;password=root"
           userTable="users" userNameCol="email" userCredCol="password"
           userRoleTable="user_roles" roleNameCol="role_name"/>

Additionally please note that I have included the required mysql jar file in tomcat's lib folder.

And here is my login form.

    <form class="form" id="login_form" action="j_security_check" method="post">
        <input class="element" id="element_1" style="WIDTH: 255px" maxlength="200" name="j_username"/>
        <input class="element" id="element_2" style="WIDTH: 255px" type="password" maxlength="200" name="j_password"/>
    </form>

Thanks guys for trying to help me here, I am really stuck on this!

0
votes

Your configuration looks correct to me. Two possible issues:

  1. Are you deploying your application to a non-root context? If so, you may want to change form action to /j_security_check. You may want to try this anyway, actually - I remember some Tomcat versions being rather finicky about this.

  2. Are you sure you have users(email, password) and user_roles(email, role_name) tables with appropriate rows in them and they are accessible to the user specified in Realm configuration? I know you said that you do, but that's about the only other thing that can go wrong so it won't hurt to double check.

If neither of the above helps, the only thing I can suggest is for you to download Tomcat source and step through it while running under Eclipse. For Tomcat 6 you'd want to put a breakpoint in org.apache.catalina.realm.JDBCRealm.authenticate(String username, String credentials) (line 341, though I may not have the latest source) and step through open() and 2nd authenticate() method.