I want to enable form based authentication by using database as realm but I'm always getting that message whenever I try to authenticate as Tomcat manager in Tomcat 6. I have already created a table user_name and user_roles and mapped the username(blue) to admin and manager as role in user_roles table in mysql, but I'm still unable to authenticate. I've already recreated realm tag in server.xml
file:
<Realm className = "org.apache.catalina.realm.JDBCRealm"
debug = "99"
driverName = "com.mysql.jdbc.Driver"
connectionURL = "jdbc:mysql://localhost:3306/mail"
connectionName = "root"
userTable = "users"
userNameCol = "user_name"
userCredCol = "user_pass"
userRoleTable = "user_roles"
roleNameCol = "role_name"
/>
Could anyone please tell me what's wrong I'm doing, and how I enable form based authentication by using database?
I've declared the user "blue" as both admin and manager, and when I'm trying to login in tomcat manager page, it is giving me the message:
HTTP Status 403 - Access to the requested resource has been denied
When I enter wrong username or password, tomcat again asks for username and password instead of showing that message.
HTTP Status 403 (Access to the requested resource has been denied) can indicate that either you typed too many incorrect credentials or you've some problem with your configuration.
One possible issue could be that your browser could have your authentication credentials cached, because with BASIC auth, your browser will only prompt you for credentials the first time you authenticate to your site. After a successful authentication, it will not prompt you again and to force your browser to prompt you again, sometimes you need to completely close out the browser (or try with another web browser).
If you have not changed any configuration files, please examine the file conf/tomcat-users.xml
in your installation (locate tomcat-users.xml
). That file must contain the credentials to let you use Tomcat webapp.
For example, to add the manager-gui role to a user named tomcat
with a password of s3cret
, add the following to the config file listed above:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
Then you can access your webapps manager from /manager/html
(e.g. reloading after config changes).
Read more: Manager App HOW-TO
If you're trying to implement your own security constraint (in web.xml
), try the following example (add it before </web-app>
ending):
<!-- This security constraint protects your webapp interface. -->
<login-config>
<!-- Define the Login Configuration -->
<auth-method>BASIC</auth-method>
<realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<!-- Specifying a Secure Connection -->
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml -->
<security-role>
<role-name>*</role-name>
</security-role>
The login-config element contains the
auth-method
element, which specifies the authentication method that we use, which isBASIC
. Thesecurity-constraint
element contains 3 elements:web-resource-collection
,auth-constraint
, anduser-data-constraint
. The web-resource-collection specifies the parts of our application that require authentication. The/*
indicates that the whole application requires authentication. The auth-constraint specifies the role that a user needs to have in order to access the protected resources. The user-data-constraint's transport-guarantee can beNONE
,CONFIDENTIAL
orINTEGRAL
. We set it toNONE
, which means that redirecting toSSL
is not required when you try to hit the protected resource.
Also make sure that you've line:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
inside your conf/server.xml
(Engine
section).
If you still having the problem, try:
catalina.sh configtest
or xmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml
,<url-pattern>
matches in your <security-constraint>
or set to /*
,/var/log/tomcat7
),INFO
-> FINE
/FINEST
) in logging.properties
or log4j.properties
(INFO, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomat and check the logs,sudo lsof | grep -E "java.*(out|txt|log)$"
, tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out
),log4j
logging system, make sure you initialized it properly by placing libs and log4j.properties
into the right folder and configuring it,test BASIC authentication with cURL:
without credentials:
$ curl -vv http://example.com:8983/solr/
Normally request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate Basic authentication is required.
with credentials:
$ curl -vv -u tomcat:tomcat http://example.com:8983/solr/
The request should be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated, but does not have access to view the resource you should get: HTTP/1.1 403 Forbidden.
maybe a user lock out mechanism has been activated for too many failed authentication attempts (LockOutRealm),
stop and run Tomcat manually (in the same way as in: ps wuax | grep ^tomcat
), e.g.:
# ps wuax | grep ^tomcat
tomcat7 884 /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache.catalina.startup.Bootstrap start
$ /etc/init.d/tomcat7 stop
$ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ... -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap start
Alternatively start using catalina.sh
script like:
$ . /etc/default/tomcat7
$ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG="-Dorg.apache.catalina.level=FINEST"
$ /usr/share/tomcat7/bin/catalina.sh run
Or in debug mode:
$ JPDA_SUSPEND=y catalina.sh jpda start
and check your catalina.out
log.
last resort is to debug process by: sudo strace -fp PID
.