Hi all,
I am testing form authentication with a very simple app that just prints out a message if you authenticate. I am using MySQL as a database Realm. I define 2 user roles in my web.xml file and authorize them for access. When I run with the 2 roles in the web.xml file, all works fine. If I enter a bad username or password I get my <form-error-page> as expected. However, if I try to remove (comment out) one of the roles from web.xml, then try to use that role to log in, instead of my <form-error-page> I get a Tomcat HTTP status 403 page, which is an access error; but when I then navigate back to the login page and enter a valid credential, it too is rejected with the same Tomcat error page.
Here is my application context.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/ch17admin">
<!-- The following specifies a JDBC Realm connecting to the murach
database using the root and admin login. Then it uses the murach
database columns from the UserPass and UserRole tables -->
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost:3306/murach"
connectionName="root" connectionPassword="sesame"
userTable="UserPass" userNameCol="Username" userCredCol="Password"
userRoleTable="UserRole" roleNameCol="Rolename" />
</Context>
Here is my application web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<!-- Define two security roles -->
<security-role>
<description>customer service employees</description>
<role-name>service</role-name>
</security-role>
<security-role>
<description>system administrator</description>
<role-name>programmer</role-name>
</security-role>
<!-- Restrict access to all files in the /admin folder -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<!-- Authorize the programmer and service roles -->
<auth-constraint>
<role-name>service</role-name>
<!--<role-name>programmer</role-name> -->
</auth-constraint>
</security-constraint>
<!-- Use form-based authentication specifying the login and error forms -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/admin/login.html</form-login-page>
<form-error-page>/admin/login_error.html</form-error-page>
</form-login-config>
</login-config>
<!-- Use basic authentication -->
<!--
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Admin Login</realm-name>
</login-config>
-->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
My login.html file:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Murach's Java Servlets and JSP</title>
</head>
<body>
<h1>Admin Login Form</h1>
<p>Please enter your username and password to continue.</p>
<!-- Use POST, not GET: with GET the j_username and j_password values travel
     in the query string and end up in the access log and browser history.
     The form must also enclose the table; a form cannot be a direct child of a table. -->
<form action="j_security_check" method="post">
<table cellspacing="5" border="0">
<tr>
<td align="right">Username</td>
<td><input type="text" name="j_username"></td>
</tr>
<tr>
<td align="right">Password</td>
<td><input type="password" name="j_password"></td>
</tr>
<tr>
<td><input type="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
My login_error.html file:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Murach's Java Servlets and JSP</title>
</head>
<body>
<h1>Admin Login Form - Error</h1>
<p>You did not log in successfully.</p>
<p>Please check your username and password and try again.</p>
<p>If that doesn't work, you may need to <br>
implement the JDBC realm as described in chapter 17.</p>
<!-- Same form as login.html: POST so the credentials stay out of the URL,
     and the form encloses the table rather than sitting inside it. -->
<form action="j_security_check" method="post">
<table cellspacing="5" border="0">
<tr>
<td align="right">Username</td>
<td><input type="text" name="j_username"></td>
</tr>
<tr>
<td align="right">Password</td>
<td><input type="password" name="j_password"></td>
</tr>
<tr>
<td><input type="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
As I said, when both roles are in the web.xml file and I enter bad credentials, I get my login_error.html file, but if I remove a role from the web.xml, say "programmer", and then try to log in with it, I get a Tomcat HTTP status 403 page.
Anyone know the issue?
Thanks in advance
Mike
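As an added illustration (not part of Mike's post, and not Tomcat's code): a small Python model of the order in which a servlet container handles a request to a FORM-protected URL. Authentication against the realm happens first (a bad username or password sends the browser to the form-error-page); authorization against the auth-constraint happens only after that (a valid user who holds none of the listed roles gets HTTP 403, not the error page). The in-memory users, passwords and roles are constructed stand-ins for the UserPass and UserRole tables, the allowed-role set mirrors the web.xml above with "programmer" commented out, and the model assumes Tomcat's default behaviour of caching the authenticated principal in the session, so a later post of different credentials in the same session is not re-authenticated.

```python
"""Model of a servlet container's authenticate-then-authorize sequence.

Added example only; it is not code from the post or from Tomcat.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed sample data standing in for the UserPass and UserRole tables.
USER_PASS = {"joel": "sesame", "anne": "sesame"}
USER_ROLE = {"joel": {"service"}, "anne": {"programmer"}}

# What the browser ends up seeing.
LOGIN_PAGE = "/admin/login.html"        # <form-login-page>
ERROR_PAGE = "/admin/login_error.html"  # <form-error-page>
FORBIDDEN = "HTTP 403"                  # authenticated, but no allowed role
OK = "HTTP 200"


@dataclass
class Session:
    """The HTTP session; the principal is cached here after a successful login."""
    principal: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


def authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Realm step: the user's roles on success, None on a bad username/password."""
    if USER_PASS.get(username) != password:
        return None
    return USER_ROLE.get(username, set())


def request(session: Session, allowed_roles: Set[str],
            credentials: Optional[Tuple[str, str]] = None) -> str:
    """One request to a resource under /admin/* guarded by <auth-constraint>.

    credentials is the (j_username, j_password) pair posted to j_security_check,
    or None for a plain request of the protected page.
    """
    # Step 1: no principal in the session yet, so FORM authentication runs.
    if session.principal is None:
        if credentials is None:
            return LOGIN_PAGE                    # redirected to the login form
        roles = authenticate(*credentials)
        if roles is None:
            return ERROR_PAGE                    # authentication failed
        session.principal, session.roles = credentials[0], roles
    # Step 2: a principal exists (just logged in, or cached in the session);
    # the container now checks the auth-constraint. The realm is not consulted
    # again, so new credentials posted in this session are simply ignored.
    if session.roles & allowed_roles:
        return OK
    return FORBIDDEN                             # authorization failed


def walk_through():
    """Replay the sequence described in the post; returns the outcomes in order."""
    allowed = {"service"}                        # 'programmer' commented out
    s = Session()
    out = [
        request(s, allowed),                     # first visit: login form
        request(s, allowed, ("joel", "wrong")),  # bad password: error page
        request(s, allowed, ("anne", "sesame")), # valid user, removed role: 403
        request(s, allowed, ("joel", "sesame")), # back to login, valid: still 403
    ]
    s = Session()                                # fresh session (session.invalidate())
    out.append(request(s, allowed, ("joel", "sesame")))  # now 200
    return out


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The fourth outcome is the part of the sequence that is easy to misread: the second login attempt is rejected with 403 not because its credentials are wrong but because the session already carries the first principal, so the only way to try a different user is to invalidate the session (or open a new one) first.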