• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Tim Cooke
  • Devaka Cooray
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Piet Souris
  • Mikalai Zaikin
Bartenders:
  • Carey Brown
  • Roland Mueller

Basic form-based authentication question...

 
Ranch Hand
Posts: 67
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi, I'm a newbie to authentication. I've heard of form-based authentication, what is the difference between this and the "old way"? From my knowledge, for the "old way", if you had 10 pages with confidential information, you would've had to put authentication like "if (userLoggedin)" conditions for all 10 pages. Now with form-based authentication, we could configure something for a particalur section of your webapp (i.e a folder called protected) inside the web.xml, so we would no longer need the conditions.

Can someone please elaborate on this or clear it up a little more?

Thanks so much,
Carmen
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm not quite sure about the old-style scheme you mention (HTTP authentication as used by servlets has been the same for quite a while), but the Tomcat FAQ has a section on web app authentication. It is largely independent of Tomcat, and has links to a number of other helpful resources and articles.
 
Carmen Brianick
Ranch Hand
Posts: 67
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thank you so much Ulf! I will check out the site you recommended!

Thanks,
C
 
Carmen Brianick
Ranch Hand
Posts: 67
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024 near bottom of page). I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:<
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="sun.jdbc.odbc.JdbcOdbcDriver"
connectionURL="jdbc dbc:testMarvel"
connectionName="marveluser" connectionPassword="marveluser"
userTable="users" userNameCol="username" userCredCol="pswd"
userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>Security constraint for resources in the secure directory</description>
<url-pattern>/secure/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint><description>only let the system user login </description>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>

<security-role>
<description>The Secure ROLE</description>
<role-name>manager</role-name>
</security-role>

4. When I try to login using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table). I check the Tomcat logs, I get: "Username ghostrider successfully authenticated" but I get message "HTTP Status 403 - Access to the requested resource has been denied".


Can anyone give me an idea what is wrong? If I take out my realm configuration from servers.xml and use the default Tomcat login ("admin" with no password), I get in perfect.

Thanks so much,
Carmen
 
I need a new interior decorator. This tiny ad just painted every room in my house purple.
We need your help - Coderanch server fundraiser
https://coderanch.com/wiki/782867/Coderanch-server-fundraiser
reply
    Bookmark Topic Watch Topic
  • New Topic