5 Replies Latest reply on Sep 17, 2001 5:55 PM by starksm64

    tomcat - HypothermicRealm RequestInterceptor

    rbrindl

      I hope this is the correct forum for my question,

      I have been using the HypothermicRealm Request-Interceptor for tomcat to authenticate users logging in to tomcat. It worked very well up to JBoss Version 2.2.2.
      Now I upgraded to 2.4 and get the following Exception when a user tries to log in:

      java.lang.NoClassDefFoundError: org/jboss/security/auth/UsernamePasswordHandler
      at com.hypothermic.security.HypothermicRealm.authenticate(HypothermicRealm.java:107)
      at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java:852)
      at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
      at com.hypothermic.security.HypothermicRealm.authorize(HypothermicRealm.java:147)
      at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java:870)
      at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:804)
      at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
      at org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java:160)
      at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
      at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
      at java.lang.Thread.run(Thread.java:484)


      It is obvious to me that this happens because of a change in the internal structure of JBoss (which I am not quite familiar with).
      So I tried the standard JBossSecurityMgrRealm request interceptor.
      The problem is that if I log in, for example, with a wrong password, I get the appropriate messages in the JBoss console, but tomcat doesn't recognise the login failure and continues with the secured JSPs.
      What I found quite convenient about HypothermicRealm was that JBoss did the authentication via its JDBC-authentication and gave the results back to tomcat immediately, without going through any application code. So I didn't have to care about any user-authentication.

      The possibilities I see are:
      1.) patch for HypothermicRealm to make it work with 2.4
      2.) configure JBossSecurityMgrRealm in a way so that it works in a similar way to HypothermicRealm
      3.) put in application logic to redirect the request back to the login- or a login-failure page
      4.) some other alternatives


      Please Help

        • 1. Re: tomcat - HypothermicRealm RequestInterceptor
          starksm64

          What do you mean by "tomcat doesn't recognise the login failure and continues with the secured JSPs"? Content from a secure JSP page is being displayed without a valid authenticated user?

          • 2. Re: tomcat - HypothermicRealm RequestInterceptor
            rbrindl

            Yes, it was like that.
            But now I am sure it was a configuration error.
            I have been configuring the whole thing now for 2 nights (that is: Tomcat-JBOSS-STRUTS) and now that
            behaviour is gone. (Don't know exactly why, sorry.)
            I will post the rest of my new questions in the JSP-Forum as they don't fit here.

            • 3. Re: tomcat - jboss - login
              rbrindl

              The login problem just happens when I use
              FORM-based login. With BASIC-login everything works
              fine.
              As I mentioned before, I haven't changed anything
              in the JSP or web.xml, so this seems a bit strange
              to me.
              I want to describe the login-form to clarify if I am wrong or not:

              <form action="j_security_check" method="POST">
               <input type="text" class="inputfields" name="j_username" value="">
               <input type="password" class="inputfields" name="j_password">
               <input type="submit" class="buttonstyle" value="Login" name="Login">
              </form>
              

              As stated in a previous posting, I have the feeling there's nothing coming back from that form, as I don't get any log output in JBoss. The only response I get is in tomcat.log:
              2001-09-16 23:03:59 - Ctx( /TheApp ): From login without a session
              

              I read some posting today where the author mentioned the form action should be j_securitycheck (w/o underscore), but that doesn't work at all.



                • 5. Re: tomcat - jboss - login
                  starksm64

                  The FORM looks correct. Start with a known JBoss/Tomcat config instead of trying to update an older configuration. Download and try this bundle:

                  wget http://prdownloads.sourceforge.net/jboss/JBoss-2.4.1a_Tomcat-3.2.3.zip