JavaRanch » Java Forums » Products » Tomcat
Basic authentication security in java web project

Anurag Malaviya
Greenhorn

Joined: Jul 01, 2009
Posts: 19
Hi all,

First of all, I don't know in which forum I should have posted this issue, so I chose this forum randomly.

The problem I'm facing is that I am getting an exception which looks like this:
java.lang.SecurityException: Unable to locate a login configuration
at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at javax.security.auth.login.Configuration$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
at javax.security.auth.login.LoginContext$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.init(Unknown Source)
at javax.security.auth.login.LoginContext.<init>(Unknown Source)

I am trying to implement basic window authentication in my web project on Tomcat 6. When I start the server, the window pops up for
user name and password. My tomcat-users.xml looks like this:

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="anurag" password="tomcat" roles="tomcat,role1"/>

and when I enter the credentials I get the above exception.

FYI, I have set the following environment variables:
1. CATALINA_HOME to Tomcat's root path.
2. CATALINA_OPTS to Tomcat's conf file path.

Please help me, because it's driving me crazy.

Regards
Anurag
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16134

J2EE supports security authentication via plugin security modules. The tomcat-users.xml file isn't actually a Tomcat-specific thing; it's a data file that's used by the MemoryRealm and one or two later enhancements of MemoryRealm to build an in-memory database of user IDs, passwords, and roles.

There are lots of other Realms as well, such as the JDBCRealm, LDAPRealm, JAASRealm, and so forth. None of them even care if you delete tomcat-users.xml completely.

As shipped, Tomcat doesn't have any Realms configured, although there are some sample configuration statements in comment form in the TOMCAT_HOME/conf/server.xml file. You can configure a Realm on a per-webapp (Context) basis or on a per-host basis, depending on where you place your Realm configuration.


Customer surveys are for companies who didn't pay proper attention to begin with.
Anurag Malaviya
Greenhorn

Joined: Jul 01, 2009
Posts: 19
Tim Holloway wrote: J2EE supports security authentication via plugin security modules. The tomcat-users.xml file isn't actually a Tomcat-specific thing; it's a data file that's used by the MemoryRealm and one or two later enhancements of MemoryRealm to build an in-memory database of user IDs, passwords, and roles.

There are lots of other Realms as well, such as the JDBCRealm, LDAPRealm, JAASRealm, and so forth. None of them even care if you delete tomcat-users.xml completely.

As shipped, Tomcat doesn't have any Realms configured, although there are some sample configuration statements in comment form in the TOMCAT_HOME/conf/server.xml file. You can configure a Realm on a per-webapp (Context) basis or on a per-host basis, depending on where you place your Realm configuration.


Thanks, Tim, for your reply; I have solved the problem.

I actually want to develop a login authentication module for a web project using JAASRealm. I have made the following three classes:

1. MyLoginModule extends LoginModule
2. MyRealm extends JAASRealm
3. MyPrincipal implements Principal

Then I made a .jar file for these three classes and put it in the lib folder of Tomcat.

I added this realm class information to the server.xml file as follows:

<Realm className="sample.MYRealm" appName="Mylogin" jaasConfig=" E:\tomcat\Apache Software Foundation\Tomcat 6.0\conf"/>

I then made my configuration file, jaas-login.config, with the appName Mylogin.

My first question is: what do I have to mention in the <login-config> tag of web.xml so that I get the pop-up window for user name and password?

Second question: how should I initialise my LoginContext class, and who calls the login() of my MyLoginModule class?



Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16134

The Realm does not govern how credentials are acquired. Other mechanisms do the data acquisition and present them to the Realm's authenticate() method, which confirms or rejects them.

The "pop-up window" is not part of J2EE at all. It's managed entirely by the client when the server responds to a request with a security challenge. This challenge is indicated when the web.xml specifies an authorization type of BASIC. BASIC authorization has certain drawbacks, however, so form-based authentication (using the login/loginfail pages) is preferred.

Because this security system is managed by the container, the container determines when to prompt for authentication (login). This happens when a request is made for a secured URL (as defined by the security patterns specified in web.xml) when the user session is not already in a secure state. The authentication process is transparent: the original user's request is placed on hold until the user logs in, then the original request resumes processing. No user code is involved.
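Putting the two replies together, here is an added example (not code from the original thread or from Tomcat itself) of a JAAS LoginModule in the shape Tomcat's JAASRealm drives, with the matching server.xml, jaas.config and web.xml fragments in the header comment. The package, class, user and role names, the constructed credential records and the /admin/* URL pattern are all hypothetical; the container builds the LoginContext and calls login(), so no application code does.

```java
// Added example, not code from the thread: a JAAS LoginModule shaped the way Tomcat's
// JAASRealm drives it. Package, class, user and role names are hypothetical.
// server.xml (in <Engine>, <Host> or the webapp's <Context>; nested classes are named with '$'):
//   <Realm className="org.apache.catalina.realm.JAASRealm" appName="Mylogin"
//          userClassNames="sample.MyLoginModule$UserPrincipal"
//          roleClassNames="sample.MyLoginModule$RolePrincipal"/>
// jaas.config, found via -Djava.security.auth.login.config=<path> in CATALINA_OPTS (without
// that property the JAAS runtime reports "Unable to locate a login configuration"):
//   Mylogin { sample.MyLoginModule required; };
// web.xml: the container issues the challenge and calls the realm; no user code builds a LoginContext.
//   <security-constraint><web-resource-collection><web-resource-name>admin</web-resource-name>
//     <url-pattern>/admin/*</url-pattern></web-resource-collection>
//     <auth-constraint><role-name>role1</role-name></auth-constraint></security-constraint>
//   <login-config><auth-method>BASIC</auth-method><realm-name>Mylogin</realm-name></login-config>
//   <security-role><role-name>role1</role-name></security-role>
package sample;

import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class MyLoginModule implements LoginModule {
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    // Distinct class name on purpose: JAASRealm tells users from roles by principal class.
    public static class RolePrincipal extends UserPrincipal {
        public RolePrincipal(String n) { super(n); }
    }

    // Credential store constructed for this example (user -> {salt, PBKDF2 hash}, plus roles);
    // a real module loads pre-hashed records from a database or directory.
    private static final Map<String, byte[][]> CREDS = new HashMap<String, byte[][]>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        addUser("anurag", "tomcat".toCharArray(), "tomcat", "role1");
        addUser("role1", "tomcat".toCharArray(), "role1");
    }
    static void addUser(String user, char[] password, String... roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        CREDS.put(user, new byte[][] { salt, hash(salt, password) });
        ROLES.put(user, roles);
    }
    static byte[] hash(byte[] salt, char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    // Called by the LoginContext that JAASRealm builds; Tomcat's callback handler answers the
    // Name/PasswordCallbacks with the credentials the container took from the BASIC or FORM exchange.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        byte[][] rec = name == null ? null : CREDS.get(name);
        // Derive a hash even for unknown users so timing does not reveal which accounts exist,
        // then compare in constant time.
        byte[] actual = hash(rec != null ? rec[0] : new byte[16], pw != null && pw.length > 0 ? pw : new char[] { ' ' });
        if (pw != null) Arrays.fill(pw, '\0');
        if (rec == null || !MessageDigest.isEqual(rec[1], actual)) throw new FailedLoginException("bad username or password");
        user = name;
        return true;
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String r : ROLES.get(user)) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() {
        for (Iterator<Principal> it = subject.getPrincipals().iterator(); it.hasNext();) {
            if (it.next() instanceof UserPrincipal) it.remove();
        }
        user = null;
        return true;
    }
}
```

The jar holding this class goes in Tomcat's lib directory so the JAASRealm can load it. Two practitioner caveats: BASIC sends the user name and password base64-encoded (not encrypted) on every request to the protected area, so it belongs behind TLS or should give way to FORM authentication as suggested above; and the credential store here hashes with PBKDF2 plus a per-user salt precisely so that a copied store does not yield the cleartext passwords that a tomcat-users.xml like the one quoted earlier does.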
 