Basic authentication security in Java web project

Anurag Malaviya
Greenhorn
Hi all,

First of all, I don't know in which forum I should have posted this issue, so I chose this forum randomly.

The problem I'm facing is that I am getting an exception which looks like this:
java.lang.SecurityException: Unable to locate a login configuration
at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at javax.security.auth.login.Configuration$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
at javax.security.auth.login.LoginContext$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.init(Unknown Source)
at javax.security.auth.login.LoginContext.<init>(Unknown Source)

I am trying to implement basic window authentication in my web project on Tomcat 6. When I start the server, the window pops up for user name and password. My tomcat-users.xml looks like this:

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="anurag" password="tomcat" roles="tomcat,role1"/>

and when I enter the credentials I get the above exception.

FYI, I have set the following environment variables:
1. CATALINA_HOME to Tomcat's root path.
2. CATALINA_OPTS to Tomcat's conf file path.

Please help me, because it's driving me crazy.

Regards
Anurag
Tim Holloway
Saloon Keeper
J2EE supports security authentication via plugin security modules. The tomcat-users.xml file isn't actually a Tomcat-specific thing; it's a data file that's used by the MemoryRealm and one or two later enhancements of MemoryRealm to build an in-memory database of user IDs, passwords, and roles.

There are lots of other Realms as well, such as the JDBCRealm, LDAPRealm, JAASRealm, and so forth. None of them even care if you delete tomcat-users.xml completely.

As shipped, Tomcat doesn't have any Realms configured, although there are some sample configuration statements in comment form in the TOMCAT_HOME/conf/server.xml file. You can configure a Realm on a per-webapp (Context) basis or on a per-host basis, depending on where you place your Realm configuration.
 
Anurag Malaviya
Greenhorn
Thanks Tim for your reply; I have solved the problem.

I actually want to develop a login authentication module for a web project using JAASRealm. I have made the following three classes:

1. MyLoginModule extends LoginModule
2. MyRealm extends JAASRealm
3. MyPrincipal implements Principal

Then I made a .jar file for these three classes and put it in the lib folder of Tomcat.

I added this realm class information in the server.xml file as follows:

<Realm className="sample.MYRealm" appName="Mylogin" jaasConfig=" E:\tomcat\Apache Software Foundation\Tomcat 6.0\conf"/>

I then made my configuration file, jaas-login.config, with the appname Mylogin.

My first question is: what do I have to mention in the <login-config> tag of web.xml so that I get the pop-up window for user name and password?

My second question is: how should I initialise my LoginContext, and who calls the login() of my MyLoginModule class?



Tim Holloway
Saloon Keeper
The Realm does not govern how credentials are acquired. Other mechanisms do the data acquisition and present them to the Realm's authenticate() method, which confirms or rejects them.

The "pop-up window" is not part of J2EE at all. It's managed entirely by the client when the server responds to a request with a security challenge. This challenge is indicated when the web.xml specifies an authorization type of BASIC. BASIC authorization has certain drawbacks, however, so form-based authentication (using the login/loginfail pages) is preferred.

Because this security system is managed by the container, the container determines when to prompt for authentication (login). This happens when a request is made for a secured URL (as defined by the security patterns specified in web.xml) when the user session is not already in a secure state. The authentication process is transparent: the original user's request is placed on hold until the user logs in, then the original request resumes processing. No user code is involved.