There must be a table, referenced below as the users table, that contains one row for every valid user that the JDBC Realm should recognize. The users table must contain at least two columns (it may contain more if your existing applications require it):
Username to be recognized by Tomcat when the user logs in.
Password to be recognized by Tomcat when the user logs in. This value may be cleartext or digested.

There must be a table, referenced below as the user roles table, that contains one row for every valid role that is assigned to a particular user. It is legal for a user to have zero, one, or more than one valid role. The user roles table must contain at least two columns (it may contain more if your existing applications require it):
Username to be recognized by Tomcat (same value as is specified in the users table).
Role name of a valid role associated with this user.

An example SQL script to create the needed tables might look something like
this (adapt the syntax as required for your particular database):
create table users (
  user_name         varchar(15) not null primary key,
  user_pass         varchar(15) not null
);

create table user_roles (
  user_name         varchar(15) not null,
  role_name         varchar(15) not null,
  primary key (user_name, role_name)
);

Then, set up a <Realm> element in your $CATALINA_HOME/conf/server.xml file.
Restart Tomcat 4 if it is already running.
The explanation can be found at
http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html

Form-based login is triggered the first time that an unauthenticated user requests a URL that is protected by a security constraint.
(1) Unauthenticated user requests a protected resource (*NOT* the login page!)
(2) Container remembers the protected resource that was requested in a private variable.
(3) Container displays the login page, which must have a destination of "j_security_check", and waits for the user to submit. For some containers, including Tomcat, this is the one-and-only time that submitting to "j_security_check" will not return a 404.
(4) User enters username and password, and presses the submit button.
(5) The post to j_security_check is intercepted by your servlet container, which performs Container Managed Authentication - it looks for the j_username and j_password, authenticates the combination, and forwards to the originally requested resource, or to a configurable error page if the authentication
(6) Container authenticates the username (j_username) and password (j_password) combination. If valid, the container recalls the originally requested resource saved in (2) and displays *that* to the user in response to the login submit. Or it forwards to a configurable error page if the authentication fails.
The important point is that at no time did anyone ever submit a request to the URL of the login page, because there is no such thing. Also, think of the login page as part of the container, not part of your app.
Your web.xml file should be like this:
Hope you are able to set it up without any problem.