5 Replies Latest reply on Sep 17, 2001 5:55 PM by Scott Stark

    tomcat - HypothermicRealm RequestInterceptor

    Ronald Brindl Newbie

      I hope this is the correct forum for my question,

      I have been using the HypothermicRealm Request-Inteceptor for tomcat to authenticate users logging in into tomcat.It worked very well up to JBoss Version 2.2.2.
      now I upgraded to 2.4 and get the following Exception when a user tries to log in:

      java.lang.NoClassDefFoundError: org/jboss/security/auth/UsernamePasswordHandler
      at com.hypothermic.security.HypothermicRealm.authenticate(HypothermicRealm.java:107)
      at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java:852)
      at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
      at com.hypothermic.security.HypothermicRealm.authorize(HypothermicRealm.java:147)
      at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java:870)
      at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:804)
      at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
      at org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java:160)
      at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
      at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
      at java.lang.Thread.run(Thread.java:484)


      It is obvious to me, that this happens because of a change in the internal structure of JBoss (which i am not quite familiar with).
      So I tried the standard JBossSecurityMgrRealm request interceptor.
      The problem is, that if i log in for example with a wrong password, I get the appropriate messages in the JBoss-console, but tomcat doesnt recognise the login failure and continues with the secured JSPs.
      What I found quite convenient about HypothermicReal was, that JBoss did the authentication via its JDBC-authentication and gave the results back to tomcat immediately, without going through any application code.So I didn't have to care about any user-authentication.

      The possibilities I see are:
      1.) patch for HypothermicRealm to make it work with 2.4
      2.) configure JBossSecurityMgrRealm in a way so that it works in a similar way to HypothermicRealm
      3.) put in application logic to redirect the request back to the login- or a login-failure page
      4.) some other alternatives


      Please Help

        • 1. Re: tomcat - HypothermicRealm RequestInterceptor
          Scott Stark Master

          What do you mean by "tomcat doesnt recognise the login failure and continues with the secured JSPs"? Content from a secure JSP page is being displayed without a valid authenticated user?

          • 2. Re: tomcat - HypothermicRealm RequestInterceptor
            Ronald Brindl Newbie

            Yes, it was like that.
            But now I am sure it was a configuration error.
            I have been configuring the whole thing now for 2 nights (That is: Tomcat-JBOSS-STRUTS) and now that
            behaviour is gone. (Don t know exactly why, sorry)
            I will post the rest of my new questions in the JSP-Forum as tehy dont fit here.

            • 3. Re: tomcat - jboss - login
              Ronald Brindl Newbie

              The Login problem just happens when I use
              FORM-Based login. with BASIC-login everything works
              fine.
              As I mentioned before, I havent changed anything
              in the JSP or Web.xml, so this seems a bit strange
              to me.
              I want to describe the login-form to clarify if I am wrong or not:

              <form action="j_security_check" method="POST">
               <input type="text" class="inputfields" name="j_username" value="">
               <input type="password" class="inputfields" name="j_password">
               <input type="submit" class="buttonstyle" value="Login" name="Login">
              </form>
              

              Like stated in a previous posting, I have the feeling, theres nothing coming back from that form,as I dont get any log-output in jboss. the only response i get is in tomcat.log:
              2001-09-16 23:03:59 - Ctx( /TheApp ): From login without a session
              

              I read some posting today where the author mentioned the form action should be j_securitycheck (w/o underscore) but that doesnt work at all



              • 4. 7719
                Ronald Brindl Newbie

                The Login problem just happens when I use
                FORM-Based login. with BASIC-login everything works
                fine.
                As I mentioned before, I havent changed anything
                in the JSP or Web.xml, so this seems a bit strange
                to me.
                I want to describe the login-form to clarify if I am wrong or not:

                <form action="j_security_check" method="POST">
                 <input type="text" class="inputfields" name="j_username" value="">
                 <input type="password" class="inputfields" name="j_password">
                 <input type="submit" class="buttonstyle" value="Login" name="Login">
                </form>
                

                Like stated in a previous posting, I have the feeling, theres nothing coming back from that form,as I dont get any log-output in jboss. the only response i get is in tomcat.log:
                2001-09-16 23:03:59 - Ctx( /TheApp ): From login without a session
                

                I read some posting today where the author mentioned the form action should be j_securitycheck (w/o underscore) but that doesnt work at all



                • 5. Re: tomcat - jboss - login
                  Scott Stark Master

                  The FORM looks correct. Start with a known JBoss/Tomcat config instead of trying to update an older configuration. Download and try this bundle:

                  wget http://prdownloads.sourceforge.net/jboss/JBoss-2.4.1a_Tomcat-3.2.3.zip