This is my first attempt at using j_security check form authentication in a java web app. I am using Eclipse 3.6 and Apache Tomcat 6.0.28.
Problem description:
When I submit the login form with valid credentials, j_security check redirects me to the error page defined in error.html. When I submit with invalid credentials it also takes me to the error.html page. That is fine but for valid users, i expect to be taken to the protected resource after login.
login.html
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Login</title>
</head>
<body>
<form method=post action="j_security_check">
Username <input type="text" name="j_username"><br />
Password <input type="password" name= "j_password"><br />
<input type="submit" value="submit">
</form>
</body>
</html>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<welcome-file-list>
<welcome-file>/ui/index.xhtml</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/security/login.html</form-login-page>
<form-error-page>/security/error.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>URLsConstraintMechanism</display-name>
<web-resource-collection>
<web-resource-name>clientURL</web-resource-name>
<url-pattern>/ui/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>The Only Secure Role</description>
<role-name>tomcat</role-name>
</security-role>
</web-app>
tomcat-users.xml
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
I also do not see any errors in my IDE's console or in $CATALINA_HOME/logs folder
Please pardon any omissions as I am a newbie to this forum. I have searched through existing threads but none of suggestions has worked for me so far.
One thing to check is the tomcat-users.xml file, If you are running tomcat from eclipse, eclipse create a separate pair of server.xml and tomcat-users.xml, that differs from the default one in the tomcat installation directory. Try to find the right configuration parameters by checking the Server configuration path double-clicking on your tomcat server under the Servers Tab.
Also check the Realm in the server.xml, if you are using the tomcat-users.xml file for store users and passwords use the Memory Realm
<Realm className="org.apache.catalina.realm.MemoryRealm" />
I know this question is over a year old but have you tried restarting Tomcat after altering the tomcat-users.xml file? I ran into a similar issue and after I restarted Tomcat, it worked fine.
The file tomcat-users.xml is not automatically re-read by Tomcat and requires a Tomcat restart to re-read it.
Related
I have 2 apps deployed to a tomcat server. One of them (app2) I want to be protected by tomcat.
Example of the resulting URLs:
localhost:8080/app1
localhost:8080/app2
i do not develop the apps itself, so i have no access to the application specific web.xml of the apps themselves.
So I'm using the "global" one in the /conf folder of tomcat. This is what I added:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">
<security-constraint>
<display-name>app2 Users</display-name>
<web-resource-collection>
<web-resource-name>app2 Content</web-resource-name>
<url-pattern>/app2/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>*</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>jsp</servlet-name>
<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
<init-param>
<param-name>fork</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>xpoweredBy</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<!-- mime type mappings -->
</web-app>
IMHO this is all whats nessecary to protect app2, but i do not get a password promt, and app2 is accessible without basic auth. Here is the log:
15-Jul-2020 14:58:35.663 FINE [http-nio-8080-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /blabla2/
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.665 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable constraint located
when setting the url-pattern to /* everything works, but (as expected) app1 is protected to.
Whats wrong with my url-pattern?
The web.xml is only for server-wide configuration. You couldn't define settings that are related to just one deployment/context.
Since security-constraint work on deployment level, settings like url-pattern are related to the deployment web root.
Example:
<security-constraint>
<display-name>Authorized Only</display-name>
<web-resource-collection>
<web-resource-name>Authorized Only</web-resource-name>
<url-pattern>/hello</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Would block /app1/hello and /app2/hello.
If you would like to add authorization to just one deployment, you have to set this setting inside the configuration of the deployment.
See https://stackoverflow.com/a/17948661/8087167 for an other example.
Here is my code and the credentials are not working on the pop-up shown on application load.please have a look
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="admin"/>
<user username="admin" password="admin" role="admin"/>
</tomcat-users>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
Plus this Application is deployed on Heroku, so I might need help with this too
Make sure codes are not commented.
Also add below line instead of < role rolename="admin"/>
< role rolename="admin-gui"/>
< role rolename="manager-gui"/>
< user username="admin" password="admin" role="manager-gui,admin-gui"/>
restart tomcat and then check
We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
<security-domain>ptsmc</security-domain>
<default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>ptsmc</display-name>
<web-resource-collection>
<web-resource-name>ptsmc</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WEB</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users must have this role to be granted access to Application</description>
<role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
<table>
<tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
<tr><td>Password:</td><td><input type=password name=j_password></td></tr>
<tr><td> </td><td><input type=submit value="Submit"></td></tr>
</table>
</form>
i am trying to implement BASIC auth in Apache Tomcat, but encounter a strange problem.
when i access the http://localhost:8080. The box is show allow to enter username and password, the problem is it seens can not auth success, the box show again and again.
below is my setting:
/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>test</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>my realm</realm-name>
</login-config>
</web-app>
apache-tomcat-8.0.14/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
-->
<role rolename="manager" />
<!--
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
<user username="manager" password="manager" roles="manager"/>
</tomcat-users>
this is my project structure
WebContent/index.jsp
just a welcome file.
what did i do wrong? or what did i miss? i have searched much for this but still can not find a solution.
i am new to stackoverflow, hope my question is clear, and some body can help!
If you are using Eclipse integrated Tomcat, then configure tomcat-users.xml file that you can see in left navigation panel of your project. Servers --> Tomcat --> tomcat-users.xml
Remove my realm from your web.xml if you have not configured a realm called 'my realm' or set my-realm value as 'default'.
does anyone knows if tomcat is able to password protect file (like apache .htaccess )?
i mean when user request a file from tomcat webapp its prompt a dialogue to enter user-name and password and made this using configuration.
or protect the file depend on its IP address .
hope someone can help me ?
regads
you can set basic authentication in tomcat.
Add your user to tomcat-users.xml. Something like :
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="myname" password="mypassword" roles="tomcat"/>
<user username="test" password="test"/>
</tomcat-users>
And Add configuration to your apps web.xml. like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/references/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>your-role</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>your-role</role-name>
</security-role>
links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html