Hello,
I'm new to Tomcat and I need some help.
I have to configure tomcat to authenticate users of a single web application
against MySql Database tables of users and roles.
Following Tomcat guide I made this steps:
1) Create users and roles table as described in tomcat guide and copping
Connector/j jar to /CATALINA_HOME/common/lib.
2) Configure MysqlDB and table as DataSourceResource in the application
context in /META-INF/context.xml
3) Define Datasource realm to use the Reosource
4) add in /WEB-INF/web.xml a <resource-ref> to the resource
5) add in /WEB-INF/web.xml <security-constraint>, <login-config> and
<security-role> configuration
6) write login.jsp with the standard form action and fields
The problem is that I could get the login page correctly whenever i try to
request a protected page, but I always get the Error page even if I insert
the right username/password.
I've tried to reconfigure the DB resource as Global resource in server.xml
(jdbc/PMSGlobal instead of jdbc/PMSRead) but I still get the same
behaviour...I guess that non authentication ever happen..
These are my server.xml, context.xml and web.xml (sorry, auto comments are
in english but the ones adde by myself are in italian :-/ ...)
SERVER.XML:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example Server Configuration File --><!-- Note that component elements
are nested corresponding to their
parent-child relationships with each other --><!-- A "Server" is a
singleton element that represents the entire JVM,
which may contain one or more "Service" instances. The Server
listens for a shutdown command on the indicated port.
Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" or "Loggers" at this level.
--><Server port="8005" shutdown="SHUTDOWN" debug="0">
<!-- Comment these entries out to disable JMX MBeans support -->
<!-- You may also configure custom components (e.g. Valves/Realms) by
including your own mbean-descriptor file(s), and setting the
"descriptors" attribute to point to a ';' seperated list of paths
(in the ClassLoader sense) of files to add to the default list.
e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
-->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
debug="0"/>
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
debug="0"/>
<!-- Global JNDI resources -->
<GlobalNamingResources>
<!-- Test entry for demonstration purposes -->
<Environment name="simpleValue" type="java.lang.Integer" value="30"/>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase" description="User database that can
be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>
<Resource name="jdbc/PMSGlobal" auth="Container"
type="javax.sql.DataSource" scope="Shareable">
</Resource>
<ResourceParams name="jdbc/PMSGlobal">
<parameter>
<name>factory</name>
<value>
org.apache.commons.dbcp.BasicDataSourceFactory
</value>
</parameter>
<!-- Don't set this any higher than max_connections on your
MySQL server, usually this should be a 10 or a few
10's
of connections, not hundreds or thousands -->
<parameter>
<name>maxActive</name>
<value>10</value>
</parameter>
<!-- You don't want to many idle connections hanging around
if you can avoid it, only enough to soak up a spike
in
the load -->
<parameter>
<name>maxIdle</name>
<value>5</value>
</parameter>
<!-- Don't use autoReconnect=true, it's going away
eventually
and it's a crutch for older connection pools that
couldn't
test connections. You need to decide if your
application is
supposed to deal with SQLExceptions (hint, it
should), and
how much of a performance penalty you're willing to
pay
to ensure 'freshness' of the connection -->
<parameter>
<name>validationQuery</name>
<value>SELECT 1</value>
</parameter>
<!-- The most conservative approach is to test connections
before they're given to your application. For most
applications
this is okay, the query used above is very small and
takes
no real server resources to process, other than the
time used
to traverse the network.
If you have a high-load application you'll need to
rely on
something else. -->
<parameter>
<name>testOnBorrow</name>
<value>true</value>
</parameter>
<!-- Otherwise, or in addition to testOnBorrow, you can test
while connections are sitting idle -->
<parameter>
<name>testWhileIdle</name>
<value>true</value>
</parameter>
<!-- You have to set this value, otherwise even though
you've asked connections to be tested while idle,
the idle evicter thread will never run -->
<parameter>
<name>timeBetweenEvictionRunsMillis</name>
<value>10000</value>
</parameter>
<!-- Don't allow connections to hang out idle too long,
never longer than what wait_timeout is set to on the
server...A few minutes or even fraction of a minute
is sometimes okay here, it depends on your
application
and how much spikey load it will see -->
<parameter>
<name>minEvictableIdleTimeMillis</name>
<value>60000</value>
</parameter>
<!-- Username and password used when connecting to MySQL -->
<parameter>
<name>username</name>
<value>user</value>
</parameter>
<parameter>
<name>password</name>
<value>pass</value><!-- Aggioranre se viene cambiata
nel DB -->
</parameter>
<!-- Class name for the Connector/J driver -->
<parameter>
<name>driverClassName</name>
<value>com.mysql.jdbc.Driver</value>
</parameter>
<!-- The JDBC connection url for connecting to MySQL, notice
that if you want to pass any other MySQL-specific
parameters
you should pass them here in the URL, setting them
using the
parameter tags above will have no effect, you will
also
need to use & to separate parameter values as
the
ampersand is a reserved character in XML -->
<parameter>
<name>url</name>
<value>jdbc:mysql://localhost:3306/pms</value>
</parameter>
</ResourceParams>
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" (and therefore the web applications visible
within that Container). Normally, that Container is an "Engine",
but this is not required.
Note: A "Service" is not itself a "Container", so you may not
define subcomponents such as "Valves" or "Loggers" at this level.
-->
<!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Each Connector passes requests on to
the
associated "Container" (normally an Engine) for processing.
By default, a non-SSL HTTP/1.1 Connector is established on port
8080.
You can also enable an SSL HTTP/1.1 Connector on port 8443 by
following the instructions below and uncommenting the second
Connector
entry. SSL support requires the following steps (see the SSL
Config
HOWTO in the Tomcat 5 documentation bundle for more detailed
instructions):
* If your JDK version 1.3 or prior, download and install JSSE 1.0.2
or
later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
* Execute:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
(Windows)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
(Unix)
with a password value of "changeit" for both the certificate and
the keystore itself.
By default, DNS lookups are enabled when a web application calls
request.getRemoteHost(). This can have an adverse impact on
performance, so you can disable it by setting the
"enableLookups" attribute to "false". When DNS lookups are
disabled,
request.getRemoteHost() will return the String version of the
IP address of the remote client.
-->
<!-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified
during installation -->
<Connector port="8080" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
disableUploadTimeout="true" compression="on"/>
<!-- Note : To disable connection timeouts, set connectionTimeout value
to 0 -->
<!-- Note : To use gzip compression you could set the following
properties :
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"
-->
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" compression="on"/>
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443"
debug="0" protocol="AJP/1.3"/>
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false"
acceptCount="100" debug="0" connectionTimeout="20000"
proxyPort="80" disableUploadTimeout="true" />
-->
<!-- An Engine represents the entry point (within Catalina) that
processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes
them
on to the appropriate Host (virtual host). -->
<!-- You should set jvmRoute to support load-balancing via JK/JK2 ie :
<Engine name="Standalone" defaultHost="localhost" debug="0"
jvmRoute="jvm1">
-->
<!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost" debug="0">
<!-- The request dumper valve dumps useful debugging information about
the request headers and cookies that were received, and the
response
headers and cookies that were sent, for all requests received by
this instance of Tomcat. If you care only about requests to a
particular virtual host, or a particular application, nest this
element inside the corresponding <Host> or <Context> entry
instead.
For a similar mechanism that is portable to all Servlet 2.4
containers, check out the "RequestDumperFilter" Filter in the
example application (the source for this filter may be found in
"$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
Request dumping is disabled by default. Uncomment the following
element to enable it. -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
<!-- Global logger unless overridden at lower levels -->
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt" timestamp="true"/>
<!-- Because this Realm is here, an instance will be shared globally
-->
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0" resourceName="UserDatabase"/>
<!-- Comment out the old realm but leave here for now in case we
need to go back quickly -->
<!--
<Realm className="org.apache.catalina.realm.MemoryRealm" />
-->
<!-- Replace the above Realm with one of the following to get a Realm
stored in a database and accessed via JDBC -->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost/authority"
connectionName="test" connectionPassword="test"
userTable="users" userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
connectionName="scott" connectionPassword="tiger"
userTable="users" userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="sun.jdbc.odbc.JdbcOdbcDriver"
connectionURL="jdbc:odbc:CATALINA"
userTable="users" userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true"
autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
<!-- Normally, users must authenticate themselves to each web app
individually. Uncomment the following entry if you would like
a user to be authenticated the first time they encounter a
resource protected by a security constraint, and then have that
user identity maintained across *all* web applications
contained
in this virtual host. -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn"
debug="0"/>
-->
<!-- Access log processes all requests for this virtual host. By
default, log files are created in the "logs" directory relative
to
$CATALINA_HOME. If you wish, you can specify a different
directory with the "directory" attribute. Specify either a
relative
(to $CATALINA_HOME) or absolute path to the desired directory.
-->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log."
suffix=".txt"
pattern="common" resolveHosts="false"/>
-->
<!-- Logger shared by all Contexts related to this virtual host. By
default (when using FileLogger), log files are created in the
"logs"
directory relative to $CATALINA_HOME. If you wish, you can
specify
a different directory with the "directory" attribute. Specify
either a
relative (to $CATALINA_HOME) or absolute path to the desired
directory.-->
<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs" prefix="localhost_log." suffix=".txt"
timestamp="true"/></Host>
</Engine>
</Service>
</Server>
CONTEXT.XML
<?xml version="1.0" encoding="UTF-8"?>
<!-- Definizione del contesto applicativo per l'applicazione web.
in questo file sono specificate tutte le impostazioni specifiche di
tomcat
per l'applicazione
-->
<context docBase="/PMS" path="/PMS" override="true" relodable="true"
directory="/logs/pms" debug="5" swallowOutput="true"
useNaming="true">
<!-- Definisco un logger per l'applicazione -->
<Logger className="org.apache.catalina.logger.FileLogger"
verbosity="3" directory="/log/pms" timestamp="true">
</Logger>
<!-- registro mySQL come risorsa global -->
<ResourceLink name="jdbc/PMSGlobal"
type="javax.sql.DataSource"
global="jdbc/PMSGlobal"/>
<!-- Registro mysql come risorsa JNDI.Tomcat gestirà il pooling
delle
connessioni. Servono 3 risorse diverse a seconda dell'utente
DB,
(e quindi del suo livello di protezione) che accede a mySQL
-->
<Resource name="jdbc/PMSRead" auth="Container"
type="javax.sql.DataSource" scope="Shareable">
</Resource>
<ResourceParams name="jdbc/PMSRead">
<parameter>
<name>factory</name>
<value>
org.apache.commons.dbcp.BasicDataSourceFactory
</value>
</parameter>
<!-- Don't set this any higher than max_connections on your
MySQL server, usually this should be a 10 or a few
10's
of connections, not hundreds or thousands -->
<parameter>
<name>maxActive</name>
<value>10</value>
</parameter>
<!-- You don't want to many idle connections hanging around
if you can avoid it, only enough to soak up a spike
in
the load -->
<parameter>
<name>maxIdle</name>
<value>5</value>
</parameter>
<!-- Don't use autoReconnect=true, it's going away
eventually
and it's a crutch for older connection pools that
couldn't
test connections. You need to decide if your
application is
supposed to deal with SQLExceptions (hint, it
should), and
how much of a performance penalty you're willing to
pay
to ensure 'freshness' of the connection -->
<parameter>
<name>validationQuery</name>
<value>SELECT 1</value>
</parameter>
<!-- The most conservative approach is to test connections
before they're given to your application. For most
applications
this is okay, the query used above is very small and
takes
no real server resources to process, other than the
time used
to traverse the network.
If you have a high-load application you'll need to
rely on
something else. -->
<parameter>
<name>testOnBorrow</name>
<value>true</value>
</parameter>
<!-- Otherwise, or in addition to testOnBorrow, you can test
while connections are sitting idle -->
<parameter>
<name>testWhileIdle</name>
<value>true</value>
</parameter>
<!-- You have to set this value, otherwise even though
you've asked connections to be tested while idle,
the idle evicter thread will never run -->
<parameter>
<name>timeBetweenEvictionRunsMillis</name>
<value>10000</value>
</parameter>
<!-- Don't allow connections to hang out idle too long,
never longer than what wait_timeout is set to on the
server...A few minutes or even fraction of a minute
is sometimes okay here, it depends on your
application
and how much spikey load it will see -->
<parameter>
<name>minEvictableIdleTimeMillis</name>
<value>60000</value>
</parameter>
<!-- Username and password used when connecting to MySQL -->
<parameter>
<name>username</name>
<value>user</value>
</parameter>
<parameter>
<name>password</name>
<value>pass</value><!-- Aggioranre se viene cambiata
nel DB -->
</parameter>
<!-- Class name for the Connector/J driver -->
<parameter>
<name>driverClassName</name>
<value>com.mysql.jdbc.Driver</value>
</parameter>
<!-- The JDBC connection url for connecting to MySQL, notice
that if you want to pass any other MySQL-specific
parameters
you should pass them here in the URL, setting them
using the
parameter tags above will have no effect, you will
also
need to use & to separate parameter values as
the
ampersand is a reserved character in XML -->
<parameter>
<name>url</name>
<value>jdbc:mysql://localhost:3306/pms</value>
</parameter>
</ResourceParams>
<!-- Definisco il Realm dell'applicazione per mapparsi sulle tabelle
degli
utenti e dei ruoli definita nel DB -->
<Realm classname="org.apache.catalina.realm.DataSourceRealm"
dataSourceName="java:comp/env/jdbc/PMSGlobal"
debug="99"
roleNameCol="role" userCredCol="password"
userNameCol="username"
userRoleTable="roles" userTable="users"
/>
<!--
<Realm classname="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost:3306/pms"
connectionName="PMSREad" connectionPassword="read"
userTable="users"
userRoleTable="roles" userNameCol="username"
userCredCol="password"
roleNameCol="role">
</Realm> -->
</context>
WEB.XML:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
<display-name>PSM</display-name>
<welcome-file-list>
<welcome-file>home.jsp</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<!-- Definisco le reference al database Mysql -->
<resource-ref>
<description>PMS DBRead connection</description>
<res-ref-name>jdbc/PMSRead</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-sharing-scope>Shareable</res-sharing-scope>
<res-auth>Container</res-auth>
</resource-ref>
<resource-ref>
<description>PMS DBRead connection Global</description>
<res-ref-name>java:comp/env/jdbc/PMSGlobal</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-sharing-scope>Shareable</res-sharing-scope>
<res-auth>Container</res-auth>
</resource-ref>
<!-- Sezione di gestione dell'accesso. l'autorizzazione è verificata
utilizzando un'autenticazione basata su form -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire
Application</web-resource-name>
<description>
L'accesso è consentito solo agli utenti
autorizzati
</description>
<url-pattern>/*</url-pattern><!-- Tutti i file
dell'applicazione -->
</web-resource-collection>
<auth-constraint>
<description>
Questi sono i ruoli che hanno accesso al
sito
</description>
<role-name>root</role-name>
</auth-constraint>
<!-- seleziona la forma di sicureza a livello di trasporto
dati:
NONE = nessuna CONFIDENTIAL o INTEGRAL = SSL Tunnel
-->
<user-data-constraint>
<!-- dovrà essere almeno CONFIDENTIAL se non
INTEGRAL.. -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- login via Form Authentication -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>
/ErrorPages/loginError.jsp
</form-error-page>
</form-login-config>
</login-config>
<!-- <login-config>
<auth-method>BASIC</auth-method>
</login-config>
-->
<!-- Ruoli ammessi ad accedere al sito -->
<security-role>
<description>Administrator </description>
<role-name>root</role-name>
</security-role>
</web-app>
I'm using tomcat 5.0.28, MySql 5, Connector/J 3.1.12, java 1.4.2_08 SDK and
Eclipse with Web plugins
Please Help me!
Ale
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
