Tomcat 7 Form-Based Authentication

Given the HelloServlet servlet:

    import java.io.IOException;
    import java.io.PrintWriter;
    import java.util.Enumeration;

    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebServlet("/HelloServlet")
    public class HelloServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        /**
         * Default constructor.
         */
        public HelloServlet() {
            // TODO Auto-generated constructor stub
        }

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // getRemoteUser() returns the authenticated user name, or null if the
            // container did not authenticate this request
            System.out.print("hello my Friend: " + request.getRemoteUser());
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("This is the Test Servlet");
            // Echo every request header back into the response.
            // Note: header values are written into the HTML without escaping.
            Enumeration<String> headerNames = request.getHeaderNames();
            while (headerNames.hasMoreElements()) {
                String headerName = headerNames.nextElement();
                out.print("<br/>Header Name: <em>" + headerName);
                String headerValue = request.getHeader(headerName);
                out.print("</em>, Header Value: <em>" + headerValue);
                out.println("</em>");
            }
        }

        // .... (remaining methods omitted in the original post)
    }

with the security policy declared for Tomcat in web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>my application</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- Listing http-method elements limits the constraint to these
                 methods only; any other HTTP method on /* stays unconstrained -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-failed.jsp</form-error-page>
        </form-login-config>
    </login-config>

and the definition of the Tomcat roles in conf/tomcat-users.xml:

    <role rolename="tomcat"/>
    <role rolename="role1"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="both" password="tomcat" roles="tomcat,role1"/>
    <user username="role1" password="tomcat" roles="role1"/>

scope in "server.xml":

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase". Any edits that are performed
             against this UserDatabase are immediately available for use by the
             Realm. -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
    </Realm>

I tried to access the "HelloServlet" servlet with the URL localhost/jsfWorkgroup/HelloServlet.

As expected, I was redirected to the login page:

    <form method="POST" action="j_security_check">
        <table>
            <tr>
                <td colspan="2">Login to the Tomcat-Demo application:</td>
            </tr>
            <tr>
                <td>Name:</td>
                <td><input type="text" name="j_username" /></td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input type="password" name="j_password" /></td>
            </tr>
            <tr>
                <td colspan="2"><input type="submit" value="Go" /></td>
            </tr>
        </table>
    </form>

No matter which id token I used:

  • username: tomcat, password: tomcat
  • username: both, password: tomcat

I still get the /login-failed.jsp error.

Here is my example: Tomcat acts by redirecting me to the login page, but does not read conf/tomcat-users.xml for my actual login (even after several reboots).

What do you think about it?

Tomcat 7.0.23, Eclipse Indigo

+4
4 answers

Following @pd40's suggestion, I tried the examples/jsp/security/protected/ examples, but not in the Eclipse IDE, where Tomcat is usually integrated with other servers (Glassfish, JBoss, etc.); I rather started the Tomcat server as a standalone (in /bin), and there it works.

But when I launched the security-based web application on Tomcat in Eclipse, it failed again, even using the configuration described above.

I don't know if I'm right, but web application protection is only supported when Tomcat is running outside of Eclipse.

+2

The Tomcat web.xml example includes the following section below <login-config>:

    <!-- Security roles referenced by this web application -->
    <security-role>
        <role-name>role1</role-name>
    </security-role>
    <security-role>
        <role-name>tomcat</role-name>
    </security-role>

which you may need.


Tomcat includes an example war that contains auth using tomcat-users.xml, similar to what you are trying. If tomcat home/webapps/examples is deployed, try accessing http://localhost/examples/jsp/security/protected/. Ensure that the XML comments around the role/user section of tomcat-users.xml are removed. They are commented out by default.

    <!-- Uncomment me
    <role rolename="tomcat"/>
    <role rolename="role1"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="both" password="tomcat" roles="tomcat,role1"/>
    <user username="role1" password="tomcat" roles="role1"/>
    -->

You might consider raising logging to help diagnose an autoresponder problem.

+1
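As an added diagnostic, not code from the question or from any of the answers, the script below cross-checks a web.xml against a tomcat-users.xml the way this answer suggests: it reports roles required by an auth-constraint that are not declared as a security-role, not defined as a role in the realm file, or granted to no user, and it goes one step further by also flagging FORM login without a form-login-page. The two XML samples are constructed to mirror the question's setup (users still inside the default comment), and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the question: web.xml lacks <security-role>
# and the users in tomcat-users.xml are still inside the default XML comment.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
TOMCAT_USERS_XML = """<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
</tomcat-users>"""

def _parse(xml_text):
    """Parse XML and strip namespaces so findall() paths work with or without xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def check_form_auth(web_xml, users_xml):
    """Return a list of problems; an empty list means the two files agree."""
    web, users = _parse(web_xml), _parse(users_xml)
    # Roles the app demands, roles it declares, and roles/grants the realm actually knows.
    required = {(r.text or "").strip() for r in web.findall("security-constraint/auth-constraint/role-name")}
    declared = {(r.text or "").strip() for r in web.findall("security-role/role-name")}
    defined = {r.get("rolename") for r in users.findall("role")}  # commented-out <role>s never parse
    granted = set()
    for u in users.findall("user"):
        granted.update(x.strip() for x in u.get("roles", "").split(",") if x.strip())
    problems = []
    for role in sorted(required - declared):
        problems.append(f"role '{role}' is used in <auth-constraint> but not declared in <security-role>")
    for role in sorted(required - defined):
        problems.append(f"role '{role}' has no <role> in tomcat-users.xml (still commented out?)")
    for role in sorted(required - granted):
        problems.append(f"no <user> in tomcat-users.xml is granted role '{role}'")
    if (web.findtext("login-config/auth-method") or "").strip().upper() == "FORM":
        if not web.findtext("login-config/form-login-config/form-login-page"):
            problems.append("FORM auth is configured but <form-login-page> is missing")
    return problems
```

Run it against the real files with `check_form_auth(open("web.xml").read(), open("tomcat-users.xml").read())`; an empty list means the constraint, the role declarations and the realm users line up.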

It’s too late for me to answer, but maybe someone will come here, it may be useful.

In fact, if you are faced with the inability of the Tomcat configuration to work through Eclipse while it runs outside it, simply remove the server from the Eclipse Servers tab and add it again. This should solve the problem.

+1

I found that if you change the user configuration in the tomcat-users.xml built into Eclipse, you must restart Eclipse, not just the server, to recognize new users. I think Eclipse caches the tomcat-users.xml file.

0
