Tomcat Security

 
Ranch Hand
Posts: 59
Hi, all. I'm trying to configure the security of my app using Tomcat but it's not working.

I have 2 jsps:

login.jsp
main.jsp

my xml is:


The first page of my app is main.jsp. The constraint is on this .jsp but when the application starts, the login.jsp is not called. The browser throws an error. There is something wrong too because my port is :8080 and when I call this page, it redirects to :8443.
The URL would be http://localhost:8080/MyApp
Netbeans is redirecting to http://localhost:8443/MyApp

I don't know what is happening.
Any ideas?
Thanks.
 
Rancher
Posts: 43081
Setting a transport-guarantee of CONFIDENTIAL will cause SSL to be required. If you're only interested in authentication, but not encryption, you should remove that line.
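
The `web.xml` from the question did not survive on this page. The fragment below is an added example, not the poster's file, showing form login for `main.jsp` and where the `transport-guarantee` line sits. The role name `appuser` and the error page `/loginError.jsp` are assumptions.

```xml
<!-- Added example (constructed): goes inside <web-app> in WEB-INF/web.xml. -->
<!-- Assumed names: role "appuser", error page /loginError.jsp. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Main page</web-resource-name>
    <url-pattern>/main.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain-HTTP request (port 8080) is redirected to the
         HTTP connector's redirectPort, 8443 by default. If no HTTPS connector
         is listening there, the browser reports a connection error.
         NONE (or omitting user-data-constraint): no redirect, but the
         j_security_check POST then carries the password unencrypted.
         To keep passwords off the wire in clear text, keep CONFIDENTIAL and
         enable an HTTPS connector on the redirect port instead. -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- login.jsp posts j_username and j_password to j_security_check -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```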
 
Danilo Dadonas
Ranch Hand
Posts: 59
Thanks, Ulf, it's working now. But now I have another problem. I called main.jsp, the app was redirected to login.jsp, I submitted the user and password, and the app was redirected to main.jsp again. I'm logged in to Tomcat but I have to submit the user and password to a servlet that connects the application to the database.

How can I do it?
Thanks.
 
Ulf Dittmer
Rancher
Posts: 43081
What kind of username/password is this, or rather, who knows it? I assume it's different from the one used to log into the web app (at least it should be). If only the user knows it, then you need to put up a page containing a form that collects it from the user. If the system can look it up based on the Tomcat credentials, then, well, it can look it up and there's no need for the user to enter it.
 
Danilo Dadonas
Ranch Hand
Posts: 59
The user has a user and password in Tomcat and a user and password in the Oracle database. They are the same. My intention is that when someone types the URL of the application (/MyApp/MainMenu.jsp), it's redirected to login.jsp. At this moment the page will submit the user and password to Tomcat. The action of the form is j_security_check. After submitting this page, Tomcat will redirect again to /MyApp/MainMenu.jsp because the user tried to access it but wasn't logged in. In MainMenu.jsp, the user will select a report to show. At this moment I will connect the user to Oracle using Hibernate. For this, I have a servlet named Authentication.class. That's the problem: how will I submit the user and password the user typed in login.jsp? I can't take the parameters because the action of login.jsp is j_security_check.
 
Ulf Dittmer
Rancher
Posts: 43081
First off, I'd keep the web password separate (and distinct) from the database password, and not tell the user their DB password. You can have the user log into the web app, and then look up their DB password from some secure storage. (It's more common to have just a single DB user for all web users, but that's a different discussion.)

If you are set on implementing what you describe, you'll need to do something server-specific, because there is no way to access j_security_check info using servlet spec-compliant ways. For Tomcat -which does not allow filtering of j_security_check- you could use a Valve, or create your own Realm that gives you access to the username/password. (An article I wrote for the JavaRanch Journal describes the Realm approach.)
[ February 23, 2008: Message edited by: Ulf Dittmer ]
 
Danilo Dadonas
Ranch Hand
Posts: 59
OK, Ulf. I think it's better that I create just one user and password for the application to connect to the database. After that, I'll create a table of Tomcat users for authentication.
Is that better?
 
Ulf Dittmer
Rancher
Posts: 43081

I think it's better that I create just one user and password for the application to connect to the database. After that, I'll create a table of Tomcat users for authentication. Is that better?

I'd say so, unless you have very specific (and uncommon) reasons to create DB accounts for each user.
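
The design agreed on above (one database account for the application, web users kept in a table that Tomcat authenticates against) could be configured as in the following added example. It is not from the thread and assumes Tomcat 8 or later; the JNDI name, table and column names, account name and connection values are placeholders.

```xml
<!-- Added example (constructed): META-INF/context.xml, assuming Tomcat 8+. -->
<Context>
  <!-- The single database account used by the application. DB_HOST, DB_SID,
       MYAPP_SVC and CHANGE_ME are placeholders. Web users never learn this
       password; give the account only the privileges the reports need. -->
  <Resource name="jdbc/MyAppDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@DB_HOST:1521:DB_SID"
            username="MYAPP_SVC" password="CHANGE_ME"/>

  <!-- Web logins (j_security_check) are checked against two assumed tables:
         app_users(user_name, user_pass)
         app_user_roles(user_name, role_name)
       The role table must contain the userNameCol column as well. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/MyAppDB" localDataSource="true"
         userTable="app_users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="app_user_roles" roleNameCol="role_name">
    <!-- Store salted, iterated hashes in user_pass rather than clear text.
         The parameter values here are illustrative. -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000" keyLength="256" saltLength="16"/>
  </Realm>
</Context>
```

After login, a servlet can identify the web user with `request.getRemoteUser()` and open its connection from the shared DataSource, so nothing has to be captured from `j_security_check`.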
 
Danilo Dadonas
Ranch Hand
Posts: 59
Ok, Ulf. You helped me a lot.
Thanks.
 