
tomcat7: server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>-->
        <Realm
            className="org.apache.catalina.realm.JDBCRealm"
            debug="99"
            driverName="oracle.jdbc.driver.OracleDriver"
            connectionURL="jdbc:oracle:thin:@localhost:1521:orcl"
            connectionName="usertemp"
            connectionPassword="usertemp"
            userTable="users"
            userNameCol="username"
            userCredCol="password"
            userRoleTable="user_roles"
            roleNameCol="rolename" />
      </Realm>

tomcat-users.xml:

<tomcat-users>

  <role rolename="manager"/>
  <user username="user1" password="password" roles="manager"/>
</tomcat-users>

web.xml:

<web-app>
    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/protected/*</url-pattern>
         <url-pattern>/1/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
           <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
    </security-constraint>


    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
        <description> An administrator </description>
        <role-name>manager</role-name>
    </security-role>
</web-app>

1) When I enter the URL [http://localhost:8080/security-form-based/protected/index.jsp] in IE, 2) it goes back to login, then forwards to login.jsp, where I input the username and password, 3) but I get back an error page and I can't visit index.jsp:

HTTP Status 403 - Access to the requested resource has been denied

So, I don't know why. Can anyone help me? Thanks.

zjfgf
  • Hi, Cody Guldner: I want to ask why, when I have input the correct username and password and Tomcat has validated them OK from Oracle, I can't visit index.jsp. Can you understand me? I followed this example: http://www.onjava.com/pub/a/onjava/2002/06/12/form.html – zjfgf May 31 '13 at 06:06

1 Answer

You have configured JDBCRealm, but attached the example of tomcat-users.xml, which is used for the commented-out UserDatabaseRealm. The problem is (probably) that your JDBCRealm does not return the role manager for your user. To be sure, switch to UserDatabaseRealm.

Michael
  • Hi Michael, thanks, I will check it, but how can I check whether this Tomcat gets the role from Oracle? – zjfgf May 31 '13 at 07:25
  • Switch first :) According to your configuration `roleNameCol="rolename"` – Michael May 31 '13 at 07:29
  • Michael: I just solved it, you are right, Tomcat doesn't get the role from the DB, so I checked my Oracle table columns and added a primary key, updated the users table column `'password'->'pass'`, then tried it, and finally success. 3Q – zjfgf May 31 '13 at 07:41
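
Added example, not part of the original thread and not Tomcat's own code: a 403 after a successful form login means the credential check passed but the role lookup did not return `manager`. The sketch below mirrors the two lookups implied by the question's JDBCRealm attributes, with an in-memory SQLite database standing in for Oracle; the function names and sample rows are constructed for illustration.

```python
import hmac
import sqlite3

# Table and column names copied from the JDBCRealm attributes in the question.
CFG = dict(userTable="users", userNameCol="username", userCredCol="password",
           userRoleTable="user_roles", roleNameCol="rolename")


def realm_lookup(db, cfg, username, password):
    """Return the set of roles for the user, or None if the credentials fail.

    Credentials come from userTable and roles from userRoleTable; both tables
    are keyed by userNameCol. Identifiers come from the fixed config above,
    user-supplied values are always bound parameters.
    """
    cred_sql = "SELECT {userCredCol} FROM {userTable} WHERE {userNameCol} = ?".format(**cfg)
    role_sql = "SELECT {roleNameCol} FROM {userRoleTable} WHERE {userNameCol} = ?".format(**cfg)
    row = db.execute(cred_sql, (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return {r[0] for r in db.execute(role_sql, (username,))}


def access_status(db, cfg, username, password, required_role):
    """Outcome of a request to a URL protected by an <auth-constraint>."""
    roles = realm_lookup(db, cfg, username, password)
    if roles is None:
        return "login-error"  # FORM auth shows the form-error-page
    if required_role not in roles:
        return 403            # authenticated, but the realm returned no such role
    return 200


def build_sample_db():
    """Constructed sample data: the user exists, but has no row in user_roles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.execute("CREATE TABLE user_roles (username TEXT NOT NULL, rolename TEXT NOT NULL,"
               " PRIMARY KEY (username, rolename))")
    db.execute("INSERT INTO users VALUES ('user1', 'password')")
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print(access_status(db, CFG, "user1", "password", "manager"))  # before the role row
    db.execute("INSERT INTO user_roles VALUES ('user1', 'manager')")
    print(access_status(db, CFG, "user1", "password", "manager"))  # after the role row
```

Running the same two SELECT statements by hand against the real schema shows directly whether the realm can see the `manager` row for the user.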