Tomcat Security

Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Hi, all. I'm trying to configure the security of my app using Tomcat but it's not working.

I have 2 jsps:

login.jsp
main.jsp

my xml is:


The first page of my app is main.jsp. The constraint is on this .jsp but when the application starts, the login.jsp is not called. The browser throws an error. There is something wrong too because my port is :8080 and when I call this page, it redirects to :8443.
The URL would be http://localhost:8080/MyApp
Netbeans is redirecting to http://localhost:8443/MyApp

I don't know what is happening.
Some idea?
Thanks.


Dadonas
Don't gain the world and lose your soul.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41102
    
Setting a transport-guarantee of CONFIDENTIAL will cause SSL to be required. If you're only interested in authentication, but not encryption, you should remove that line.


Ping & DNS - my free Android networking tools app
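
The kind of deployment descriptor this exchange is about, as an added example that is not the poster's own web.xml (which did not survive on this page). The role name `appuser` and the `/error.jsp` page are assumptions; the fragment is constructed for illustration.

```xml
<!-- Constructed web.xml fragment: FORM login protecting /main.jsp -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/main.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "appuser" is an assumed role; it must exist in the Tomcat realm -->
      <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: a plain-HTTP request for /main.jsp is redirected to the
           HTTP connector's redirectPort (8443 in the default server.xml). If no
           HTTPS connector listens there, the browser shows a connection error
           instead of login.jsp.
           NONE (or no user-data-constraint at all): authentication only; the
           j_username/j_password form post then travels unencrypted. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.jsp posts j_username and j_password to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>appuser</role-name>
  </security-role>
</web-app>
```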
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Thanks Ulf, it's working now. But now I have another problem. I called main.jsp, the app was redirected to login.jsp, I submitted the user and password, the app was redirected to main.jsp again. I'm logged in to Tomcat but I have to submit the user and password to a servlet that connects the application to the database.

How can I do it?
Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41102
    
What kind of username/password is this, or rather, who knows it? I assume it's different from the one used to log into the web app (at least it should be). If only the user knows it, then you need to put up a page containing a form that collects it from the user. If the system can look it up based on the Tomcat credentials, then, well, it can look it up and there's no need for the user to enter it.
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

The user has a user and password in Tomcat and a user and password in the Oracle database. They are the same. My intention is that when someone types the URL of the application (/MyApp/MainMenu.jsp), it's redirected to login.jsp. At that moment the page will submit the user and password to Tomcat. The action of the form is j_security_check. After submitting this page, Tomcat will redirect again to /MyApp/MainMenu.jsp because the user tried to access it but wasn't logged in. In MainMenu.jsp, the user will select a report to show. At that moment I will connect the user to Oracle using Hibernate. For that, I have a Servlet named Authentication.class. That's the problem: how will I submit the user and password the user typed in login.jsp? I can't take the parameters because the action of login.jsp is j_security_check.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41102
    
First off, I'd keep the web password separate (and distinct) from the database password, and not tell the user their DB password. You can have the user log into the web app, and then look up their DB password from some secure storage. (It's more common to have just a single DB user for all web users, but that's a different discussion.)

If you are set on implementing what you describe, you'll need to do something server-specific, because there is no way to access j_security_check info using servlet spec-compliant ways. For Tomcat -which does not allow filtering of j_security_check- you could use a Valve, or create your own Realm that gives you access to the username/password. (An article I wrote for the JavaRanch Journal describes the Realm approach.)
[ February 23, 2008: Message edited by: Ulf Dittmer ]
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Ok, Ulf. I think it is better that I create just one user and password for the application to connect to the database. After that, I'll create a table of Tomcat users for authentication.
Is it better?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41102
    
I think it is better that I create just one user and password for the application to connect to the database. After that, I'll create a table of Tomcat users for authentication. Is it better?

I'd say so, unless you have very specific (and uncommon) reasons to create DB accounts for each user.
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Ok, Ulf. You helped me a lot.
Thanks.
 