CONFIGURATION OF REALM

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

CONFIGURATION OF REALM

Jonathan Kilach
Hi all,

I have tomcat 8.5 installed on windows 7. The unit is functional, no
errors. I am working with an open source web app(Open Baraza from
https://sourceforge.net/projects/obsacco/files/?source=navbar) and have it
successfully installed, I suppose the database is correctly set as it is
able to open the web app interface.

However, in the login screen of the webapp(Open baraza) once I input the
log in prompts for user name and password I am unable to login in due to
password/username do not match. I am sure of the username and password
since I can access the table from pg admin to see them and also it is the
default for the app as per initial setup. I suppose there is more
configuration needed to be done on realm authentication as below is the
errors generated on the *log file* by tomcat

Help me configure realm if that is where the error is so that i can log in
to the app

*Error message generated by catalina logfiles.*

08-Jun-2018 00:27:52.856 INFO [localhost-startStop-1]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\tomcat8.5\webapps\baraza]
08-Jun-2018 00:27:52.884 WARNING [localhost-startStop-1]
org.apache.tomcat.util.digester.SetPropertiesRule.begin
[SetPropertiesRule]{Context/Realm} Setting property 'digest' to 'md5' did
not find a matching property.

-------------------------------------------------------
*realm class configuration in /config/server.xml*

<Realm className="org.apache.catalina.realm.DataSourceRealm"
dataSourceName="jdbc/authority"
userTable="entitys"
userNameCol="user_name"
userCredCol="entity_password"
userRoleTable="entitys"
roleNameCol="function_role"/>

      </Realm>
____________________________________
*context configuration in /config/context.xml*

<Context>

<Resource name="jdbc/postgres" auth="Container"
          type="javax.sql.DataSource" driverClassName="org.
postgresql.Driver"
          url="jdbc:postgresql://127.0.0.1:5432/sacco"
          username="postgres" password="********" maxTotal="20" maxIdle="10"
maxWaitMillis="-1"/>


</Context>

_______________________________
*context configuration in /META-INF/context.xml*

<Context crossContext="true" reloadable="true">

<Realm userTable="entitys" connectionURL="jdbc:
postgresql://localhost/sacco"
connectionPassword="*******" userNameCol="user_name"
roleNameCol="function_role"
userCredCol="entity_password" digest="md5" className="org.apache.
catalina.realm.JDBCRealm"
userRoleTable="entitys" driverName="org.postgresql.Driver"
connectionName="postgres"></Realm>

<Resource maxActive="150" maxIdle="50" username="postgres"
name="jdbc/postgres" maxWait="50"
removeAbandoned="true" driverClassName="org.postgresql.Driver"
type="javax.sql.DataSource" password="********"
   url="jdbc:postgresql://localhost/sacco" auth="Container"
removeAbandonedTimeout="50"></Resource>

</Context>
_______________________________
*web configuration in /WEB-INF/web.xml*
<security-constraint>
<display-name>Users Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Users Protected Area</web-resource-name>
<url-pattern>/b_export.jsp</url-pattern>
<url-pattern>/b_passwordchange.jsp</url-pattern>
<url-pattern>/b_print.jsp</url-pattern>
<url-pattern>/b_report.jsp</url-pattern>
<url-pattern>/b_searchlist.jsp</url-pattern>
<url-pattern>/form.exel.jsp</url-pattern>
<url-pattern>/form.jsp</url-pattern>
<url-pattern>/form.report.jsp</url-pattern>
<url-pattern>/index.jsp</url-pattern>
<url-pattern>/billing.jsp</url-pattern>
<url-pattern>/show_report</url-pattern>
<url-pattern>/grid_export</url-pattern>
<url-pattern>/jsondata</url-pattern>
<url-pattern>/ajax</url-pattern>

<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>member</role-name>
<role-name>staff</role-name>
<role-name>applicant</role-name>
<role-name>director</role-name>
<role-name>subscription</role-name>
</auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/logon.jsp</form-login-page>
<form-error-page>/logonError.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>admin</role-name>
<role-name>member</role-name>
<role-name>staff</role-name>
<role-name>applicant</role-name>
<role-name>director</role-name>
<role-name>subscription</role-name>
</security-role>

--------------------------------------------


*Regards,*

*Jonathan Kilach*



--

*Regards,*

*Jonathan Kilach*

P.O. Box 28083 00200, Nairobi Kenya

Cell:    +254-702-085-852

Email: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: CONFIGURATION OF REALM

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jonathan,

On 6/8/18 10:33 AM, Jonathan Kilach wrote:

> I have tomcat 8.5 installed on windows 7. The unit is functional,
> no errors. I am working with an open source web app(Open Baraza
> from
> https://sourceforge.net/projects/obsacco/files/?source=navbar) and
> have it successfully installed, I suppose the database is correctly
> set as it is able to open the web app interface.
>
> However, in the login screen of the webapp(Open baraza) once I
> input the log in prompts for user name and password I am unable to
> login in due to password/username do not match. I am sure of the
> username and password since I can access the table from pg admin
> to see them and also it is the default for the app as per initial
> setup. I suppose there is more configuration needed to be done on
> realm authentication as below is the errors generated on the *log
> file* by tomcat

Do you know if the application manages logins or if the container
(Tomcat) does?

> Help me configure realm if that is where the error is so that i
> can log in to the app
>
> *Error message generated by catalina logfiles.*
>
> 08-Jun-2018 00:27:52.856 INFO [localhost-startStop-1]
> org.apache.catalina.startup.HostConfig.deployDirectory Deploying
> web application directory [C:\tomcat8.5\webapps\baraza]
> 08-Jun-2018 00:27:52.884 WARNING [localhost-startStop-1]
> org.apache.tomcat.util.digester.SetPropertiesRule.begin
> [SetPropertiesRule]{Context/Realm} Setting property 'digest' to
> 'md5' did not find a matching property.

That's a BIG RED FLAG right there.

If the application is using md5 hashes to store its passwords, it's
very poorly written. Fortunately, there is a migration path to
non-crappy security[1].

> ------------------------------------------------------- *realm
> class configuration in /config/server.xml*
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
> dataSourceName="jdbc/authority" userTable="entitys"
> userNameCol="user_name" userCredCol="entity_password"
> userRoleTable="entitys" roleNameCol="function_role"/>
>
> </Realm>

Tomcat doesn't use /config/server.xml. Is that a part of a local
customization?

The content looks okay, other than "entities" being misspelled. I'd be
surprised if the "userTable" and the "userRoleTable" are supposed to
be the same thing. Usually, user-to-role is a many-to-many
relationship, not a one-to-one kind of thing. Unless users have
exactly one role.

> ____________________________________ *context configuration in
> /config/context.xml*
>
> <Context>
>
> <Resource name="jdbc/postgres" auth="Container"
> type="javax.sql.DataSource" driverClassName="org.
> postgresql.Driver" url="jdbc:postgresql://127.0.0.1:5432/sacco"
> username="postgres" password="********" maxTotal="20" maxIdle="10"
>  maxWaitMillis="-1"/>
>
>
> </Context>

That looks okay except:

1. /config/context.xml isn't a usual Tomcat configuration file. Local
customization?

2. If /config/context.xml is really CATALINA_BASE/conf/context.xml,
then that <Resource> is available to every single web application in
the whole container. It would be better to put that <Resource> into
your application's META-INF/context.xml file instead of the global one.

> _______________________________ *context configuration in
> /META-INF/context.xml*
>
> <Context crossContext="true" reloadable="true">
>
> <Realm userTable="entitys" connectionURL="jdbc:
> postgresql://localhost/sacco" connectionPassword="*******"
> userNameCol="user_name" roleNameCol="function_role"
> userCredCol="entity_password" digest="md5" className="org.apache.
> catalina.realm.JDBCRealm" userRoleTable="entitys"
> driverName="org.postgresql.Driver"
> connectionName="postgres"></Realm>
>
> <Resource maxActive="150" maxIdle="50" username="postgres"
> name="jdbc/postgres" maxWait="50" removeAbandoned="true"
> driverClassName="org.postgresql.Driver"
> type="javax.sql.DataSource" password="********"
> url="jdbc:postgresql://localhost/sacco" auth="Container"
> removeAbandonedTimeout="50"></Resource>
>
> </Context>

Okay, so all of that stuff is in two places at once. Given the warning
you are getting about the digest="md5" in the log file, Tomcat is
clearly building the DataSource in your META-INF/context.xml file.

If you are going to be defining both the <Realm> and the <Resource> in
META-INF/context.xml, then you need to add localDataSource="true" to
the <Realm> so it knows it's not a "global data source", coming from
server.xml in <GlobalNamingResources>. I would recommend not putting
any of this in server.xml.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/presentations.html [search for "seamless
upgrades"]
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsa3E8ACgkQHPApP6U8
pFjOyQ/8DfGEarbnVtB+QihKt21BuchDmvr1RB9d6xFtsCjY5z6qHd2mKHhPFCMN
LOlrs6xoewfVIAtAKx37854e8x2/4sgQNkRmbVHybIlG5TyAziClLo2+LAvY5LFU
nO+YH7i3TX89tskBFqlo0wVY8HEL/FKffkFU0ekCKuThYKB0MKPFwAFAgDXNg136
mV1ixzskpC5sBqQwySRsJYFJ7xmyKF7kdhcenQymuuXZfSvGZekTfk3xDhEMomcB
Ki5vbH7T1y6wz+OAch1hLeOPqavt+p0QqZ/yaRU8ownleCIaZ8b0T7tGGzCzLwMt
dSufC3qFkEbl1yTLIKHRo7bScUm+eXx8nzHxrQZOSioh5HFais6VZgV6uqXi7jGk
OC73JowSK5gFIjowTMkUW9IFdeHIX5inyCwoRNY7yTnld88TQnC8OhRYQ+EU5oJ9
/WvAvNpd8bwd4bAGQgMApdB3uUq8Mn7rUf258qdKm1K5sZt2agnOvZSKbcn1vllW
ldROMndhfBwbLTMIYfQfYyK31yMcGJ85V4lquiYKXxTiJoRYOj0/NG52ZKAZACXW
To9vEZtNfsdKNX67OjKsfMpCtTpRlhvapsh1f5X2zhjqYmUzEc8TFy7FZTrqFjKh
FQdj3gY+KxN4nHAmTrKX4gKBz+wUdZfF0zInmbFmHv0Piw+LLKA=
=Nxbc
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]