Hello there. Very new to realms and java, so sorry if this is too
stupid.

I have set up a JDBCRealm using PostgreSQL and it all seems to work. It
does connect and load the roles, and when I try to access protected
resources, it does go to the Form based login I specify in web.xml and
the error page for that works too.

My question is, since the form action in the login page points to <%=
response.encodeURL("j_security_check") %>, how, or where do I specify
where my app goes after a successful login?

Thanks in advance!





  • Craig McClanahan at Aug 27, 2002 at 3:59 pm

    On 27 Aug 2002, Alexander Wallace wrote:

    Date: 27 Aug 2002 09:17:58 +0100
    From: Alexander Wallace <tomcater@rwsoft-online.com>
    Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
    To: Tomcat Users List <tomcat-user@jakarta.apache.org>
    Subject: JDBCRealm + Form Based Auth. How do I tell it were to go if
    login is ok?

    Hello there. Very new to realms and java, so sorry if this is too
    stupid.

    I have set up a JDBCRealm using PostgreSQL and it all seems to work. It
    does connect and load the roles, and when I try to access protected
    resources, it does go to the Form based login I specify in web.xml and
    the error page for that works too.

    My question is, since the form action in the login page points to <%=
    response.encodeURL("j_security_check") %>, how, or where do I specify
    where my app goes after a successful login?

    Short answer - your application should *never* reference the URL of the
    login page, or the "j_security_check" page directly.

    Longer answer - the basic philosophy of form-based login is to mimic BASIC
    login. The formal definition of the algorithm is in the servlet spec:

    http://java.sun.com/products/servlet/download.html

    in Chapter 12. Essentially, it goes like this on each request:

    * Client submits a request for a particular URI

    * Server determines if there is a security constraint
    covering that URI
    --> If none, allow the request to proceed

    * Server determines if the user is already logged on
    --> If so, check roles and allow or disallow access

    * Server SAVES the original request and sends back
    the form login page

    * User submits the login credentials

    * Server checks the credentials
    --> If incorrect, send back the form error page
    --> If correct, RESTORES the original request and proceeds

    So, the answer to the question "where do I go after logging in" is "the
    page you originally asked for that triggered the authentication dialog."

    If the flow is still confusing, temporarily switch your application to use
    BASIC authentication instead (where the browser pops up a
    username/password dialog box). There is no way to address that dialog
    box, right? Or to say where it should go afterwards? That's because the
    browser (in the case of BASIC) is doing the same thing -- it will resubmit
    your original request for you along with the username/password.

    Thanks in advance!
    Craig
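
The per-request steps listed in the reply above, as a small in-memory model. This is an added example, not part of the original post and not Tomcat's code; the user, password, URL prefix and session keys are constructed for illustration, and the outcome for a login submitted with no saved request is the model's own choice.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class FormLoginFlow {
    // Constructed sample data; a real container takes these from web.xml and the realm.
    static final String PROTECTED_PREFIX = "/admin/";            // hypothetical constrained URLs
    static final String REQUIRED_ROLE = "Admin";
    static final Map<String, String> USERS = Map.of("alice", "s3cret");
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("Admin"));

    /** Handles one request. `session` stands in for the HTTP session; returns what the client sees. */
    static String handle(Map<String, String> session, String uri, String user, String password) {
        if (uri.endsWith("/j_security_check")) {
            String saved = session.get("savedRequest");
            if (saved == null) {
                // Nothing was saved, so there is nothing to restore (model's own choice of outcome).
                return "error: login submitted without a saved request";
            }
            if (user == null || password == null || !password.equals(USERS.get(user))) {
                return "form error page";                         // saved request stays for a retry
            }
            session.put("principal", user);
            session.remove("savedRequest");
            // The destination comes from server-side state, not from the login form.
            return handle(session, saved, null, null);            // RESTORE the original request
        }
        if (!uri.startsWith(PROTECTED_PREFIX)) {
            return "200 " + uri;                                  // no security constraint
        }
        String principal = session.get("principal");
        if (principal != null) {                                  // already logged on: check roles
            boolean allowed = ROLES.getOrDefault(principal, Set.of()).contains(REQUIRED_ROLE);
            return (allowed ? "200 " : "403 ") + uri;
        }
        session.put("savedRequest", uri);                         // SAVE the original request
        return "form login page";
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        System.out.println(handle(session, "/admin/report", null, null));
        System.out.println(handle(session, "/j_security_check", "alice", "wrong"));
        System.out.println(handle(session, "/j_security_check", "alice", "s3cret"));
        System.out.println(handle(session, "/admin/other", null, null));
        System.out.println(handle(new HashMap<>(), "/j_security_check", "alice", "s3cret"));
    }
}
```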


  • Alexander Wallace at Aug 27, 2002 at 5:12 pm
    Cool! I get it, thank you very much.

    Now I have another problem. When my app redirects to the login page, no
    matter what I enter (an existing or nonexistent user in the database), I
    am taken to the login error page. The user is null. How can I make sure
    the users are being pulled from the db? Thank you in advance. Following
    are my realm def in my context and then web.xml:

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://10.100.101.1/awallace?user=awallace;password=pass"
           userTable="tbl_users" userNameCol="user_name" userCredCol="password"
           userRoleTable="user_roles" roleNameCol="role_name"
           digest="MD5"/>

    And my web.xml goes:

    <web-app>

      <!-- PostgreSQL resource for Connection Pooling -->
      <resource-ref>
        <description>postgreSQL Datasource</description>
        <res-ref-name>jdbc/postgres</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>

      <!-- For the login -->
      <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>com.lto.servlets.Login</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>
          Login
        </servlet-name>
        <url-pattern>
          /login
        </url-pattern>
      </servlet-mapping>

      <!-- Security Realm -->

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Java Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Admin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Java Application</realm-name>
        <form-login-config>
          <form-login-page>/login</form-login-page>
          <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <!-- Security roles referenced by this web application -->
      <security-role>
        <role-name>Admin</role-name>
      </security-role>
      <security-role>
        <role-name>GM</role-name>
      </security-role>
      <security-role>
        <role-name>Sales</role-name>
      </security-role>

      <welcome-file-list>
        <welcome-file>/servlet/TestPGPool</welcome-file>
      </welcome-file-list>

      <session-config>
        <session-timeout>
          30
        </session-timeout>
      </session-config>

    </web-app>

    Thanks again!
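
One way to check a realm definition like the one above against the database, as an added example that is not part of the original post. It assumes JDBCRealm looks up the credential and the roles by the configured columns, and that with digest="MD5" it compares a hex-encoded digest of the submitted password with the stored value; the sample password and row values are constructed, and UTF-8 encoding of the password is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class RealmLookupCheck {
    // Attribute values copied from the <Realm> element in the post.
    static final String USER_TABLE = "tbl_users", USER_NAME_COL = "user_name";
    static final String USER_CRED_COL = "password";
    static final String USER_ROLE_TABLE = "user_roles", ROLE_NAME_COL = "role_name";
    static final String DIGEST = "MD5";

    /** Assumed shape of the credential lookup: one row per user, keyed by userNameCol. */
    static String credentialQuery() {
        return "SELECT " + USER_CRED_COL + " FROM " + USER_TABLE
             + " WHERE " + USER_NAME_COL + " = ?";
    }

    /** Assumed shape of the role lookup: the role table is keyed by the same userNameCol. */
    static String roleQuery() {
        return "SELECT " + ROLE_NAME_COL + " FROM " + USER_ROLE_TABLE
             + " WHERE " + USER_NAME_COL + " = ?";
    }

    /** Lowercase hex digest of the cleartext, the form a digest-enabled realm expects stored. */
    static String hexDigest(String cleartext) throws NoSuchAlgorithmException {
        byte[] raw = MessageDigest.getInstance(DIGEST)
                                  .digest(cleartext.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** True when the stored column value is the digest of the submitted password. */
    static boolean matches(String submitted, String stored) throws NoSuchAlgorithmException {
        return stored != null && hexDigest(submitted).equalsIgnoreCase(stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String submitted = "pass";                      // constructed sample password
        String rowWithCleartext = "pass";               // constructed: cleartext in the column
        String rowWithDigest = hexDigest("pass");       // constructed: digest in the column
        System.out.println("Run by hand in psql: " + credentialQuery());
        System.out.println("Run by hand in psql: " + roleQuery());
        System.out.println("Expected column value: " + rowWithDigest);
        System.out.println("Cleartext row accepted? " + matches(submitted, rowWithCleartext));
        System.out.println("Digest row accepted?    " + matches(submitted, rowWithDigest));
    }
}
```

Under these assumptions, a column holding cleartext fails the comparison for every user, which from the browser looks the same as an unknown user. Unsalted MD5 is a fast hash and gives little protection to the stored passwords if the table is disclosed.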
