Hi, do you want to know how to use "container managed" authentication? And your container is the Tomcat? Then, you have to put something in the Tomcat's server.xml file.
Or, you want to know how to use "form" to authenticate users? Then, you have to put something in the web.xml file.
I can show you some code if you tell me what you really want to know.
posted 14 years ago
If you have anything, I would appreciate it. What I want to do is use a Tomcat filter to protect a directory of JSP/JSF pages. There will be a login page that I will send users to in order to authenticate themselves. I plan on using a JDBC Realm in Tomcat for this. But once the user is logged in, they will have access to the protected area of my site. I think the way I will check that the user has been authenticated is via a cookie, object in session, etc.
Thanks for the response!!!
posted 14 years ago
There must be a table, referenced below as the users table, that contains one row for every valid user that the JDBC Realm should recognize. The users table must contain at least two columns (it may contain more if your existing applications required it):
Username to be recognized by Tomcat when the user logs in.
Password to be recognized by Tomcat when the user logs in. This value may be in cleartext or digested.

There must be a table, referenced below as the user roles table, that contains one row for every valid role that is assigned to a particular user. It is legal for a user to have zero, one, or more than one valid role. The user roles table must contain at least two columns (it may contain more if your existing applications required it):
Username to be recognized by Tomcat (same value as is specified in the users table).
Role name of a valid role associated with this user.
An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):
create table users (
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null
);

create table user_roles (
  user_name varchar(15) not null,
  role_name varchar(15) not null,
  primary key (user_name, role_name)
);
Then, set up a <Realm> element in your $CATALINA_HOME/conf/server.xml file. Restart Tomcat 4 if it is already running.
Form-based login is triggered the first time that an unauthenticated user requests a URL that is protected by a security constraint.
(1) Unauthenticated user requests a protected resource (*NOT* the login page!)
(2) Container remembers the protected resource that was requested in a private variable.
(3) Container displays the login page, which must have a destination of "j_security_check", and waits for the user to submit. For some containers, including Tomcat, this is the one-and-only time that submitting to "j_security_check" will not return a 404.
(4) User enters username and password, and presses the submit button.
(5) The post to j_security_check is intercepted by your servlet container, which performs Container Managed Authentication - it looks for the j_username and j_password, authenticates the combination, and forwards to the originally requested resource, or to a configurable error page if the authentication
(6) Container authenticates the username (j_username) and password (j_password) combination. If valid, container recalls the originally requested resource saved in (2) and displays *that* to the user in response to the login submit. Or forwards to a configurable error page if the authentication fails.
The important point is that, at no time, did anyone ever submit a request to the URL of the login page, because there is no such thing. Also think of the login page as part of the container, not part of your app.
Your web.xml file should be like this:
Hope you are able to set it up without any problem.
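An added example, not part of the original posts: a web.xml fragment for the form-based login flow in steps (1) to (6) above. The /protected/* path, the role name "member", and the page names /login.jsp and /login-error.jsp are assumptions chosen for illustration.

```xml
<!-- Added example: web.xml fragment for FORM login. Paths, role name and
     page names are assumptions, not taken from the thread. -->
<web-app>

  <!-- Everything under /protected/ requires an authenticated user in role "member". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- No http-method elements: the constraint applies to every method. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Must match a role_name value in the user_roles table. -->
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so j_username and j_password are not sent in cleartext. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Shown by the container in step (3); its form must POST the fields
           j_username and j_password to the action j_security_check. -->
      <form-login-page>/login.jsp</form-login-page>
      <!-- Shown when the credentials do not authenticate. -->
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced in auth-constraint. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Keep the login and error pages outside the protected URL pattern. With this in place the application can read the authenticated user from request.getRemoteUser() or request.isUserInRole(...) rather than tracking login state in a cookie or session object of its own.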