JSP web application form based authentication in tomcat.

Question

Hello Guys,

I have configured my application to use form based authentication and set up the needed settings in server.xml.

When I try to access a protected page I am correctly redirected to login page. On the login page I provide the correct userid and password but it does not log me in, instead shows the login error page.

I am using Eclipse to run the project in Tomcat alongwith MySQL database on Mac OS X.

Thanks in advance.

Answer 1

Guys,

Here is the part defining security for a resource in the web.xml and declaration of form based authentication.

<security-constraint>
     <web-resource-collection>    
        <web-resource-name>profile</web-resource-name> 

        <url-pattern>/myProfile</url-pattern>

     </web-resource-collection>    
     <auth-constraint>
      <role-name>member</role-name>   
     </auth-constraint>
    </security-constraint>

    <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
     <form-login-page>/signin.jsp</form-login-page>
     <form-error-page>/signin_error.jsp</form-error-page>
     </form-login-config>
    </login-config>

    <security-role><role-name>member</role-name></security-role>

And here is the realm definition in server.xml.

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
      driverName="com.mysql.jdbc.Driver"
   connectionURL="jdbc:mysql://localhost/dbname?user=root&amp;password=root"
       userTable="users" userNameCol="email" userCredCol="password"
   userRoleTable="user_roles" roleNameCol="role_name"/>

Additionally please note that I have included the required mysql jar file in tomcat's lib folder.

And here is my login form.

<form class="form" id="login_form" action="j_security_check" method="post">
<input class="element" id="element_1" style="WIDTH: 255px" maxlength="200" name="j_username"/> 
<input class="element" id="element_2" style="WIDTH: 255px" type="password" maxlength="200" name="j_password"/> 
</form>

Thanks guys for trying to help me here, I am really stuck on this!

Answer 2

Your configuration looks correct to me. Two possible issues:

1. Are you deploying your application to a non-root context? If so, you may want to change form action to /j_security_check. You may want to try this anyway, actually - I remember some Tomcat versions being rather finicky about this.

2. Are you sure you have users(email, password) and user_roles(email, role_name) tables with appropriate rows in them and they are accessible to the user specified in Realm configuration? I know you said that you do, but that's about the only other thing that can go wrong so it won't hurt to double check.

If neither of the above helps, the only thing I can suggest is for you to download Tomcat source and step through it while running under Eclipse. For Tomcat 6 you'd want to put a breakpoint in org.apache.catalina.realm.JDBCRealm.authenticate(String username, String credentials) (line 341, though I may not have the latest source) and step through open() and 2nd authenticate() method.

Answer 3

At last got this working!

As I am using eclipse to deploy my application, eclipse adds a project named Servers which contains server.xml which is in fact used by tomcat when the tomcat is started using eclipse.

So the solution is to make the realm changes to server.xml in Servers project in eclipse.

Thank you guys for all your help and support.

Best regards, Zaheer