I have set up FDDPMA according to the documentation, and the Tomcat 5.5 server is able to register new accounts in the MySQL database.
However, on login I get the following error:
403
Access to the requested resource has been denied
I have tried finding out more on this, including adding the role fddpma_role to my Tomcat config, but no luck. Any suggestions?
Can you provide the stack trace from your Tomcat console?
The funny thing is that there is no stack trace. No apparent error at all in the logs.
Setting log4j in DEBUG mode results in the lines at the end of this message, showing that authentication (Administrator/fddpma) went OK.
Tomcat does however report an error in the browser making me wonder if it has to do with user roles or something.
The URL after login is the same as the one before login
http://localhost:8080/fddpma/projectGroupWorkplaceView.jsf but with the following 403 message in the browser.
(Can I get any further logs from tomcat by setting any property?)
403 error in browser:
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
---------
Logs generated from fddpma:
2005-11-18 20:28:24,399 [http-8080-Processor24] DEBUG org.objectweb.jotm.jta - Transaction ret= null
2005-11-18 20:28:24,399 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:prepareStatement (no transaction found)
2005-11-18 20:28:24,409 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPreparedStatement: Create an XAPreparedStatement with sql='select USER_ID, USER_PASSWORD from FDDPMA_USER where USER_NAME = ? and DELETED = 0 '
2005-11-18 20:28:24,409 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:checkPreparedCache object is *NOT* found
2005-11-18 20:28:24,409 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardConnectionHandle:createPreparedStatement type ='0'
2005-11-18 20:28:24,429 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:checkPreparedCache pstmt='com.mysql.jdbc.PreparedStatement@126a29c: select USER_ID, USER_PASSWORD from FDDPMA_USER where USER_NAME = ** NOT SPECIFIED ** and DELETED = 0 '
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPreparedStatement:close the XA prepared statement
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPreparedStatement:close preparedStmtCacheSize='16'
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardConnectionHandle:close
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPoolDataSource:connectionClosed
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.objectweb.jotm.jta - threadTx.get= java.lang.ThreadLocal@b6d6ab
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.objectweb.jotm.jta - Transaction ret= null
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPoolDataSource:connectionClosed get a transaction
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAPoolDataSource:connectionClosed checkIn an object to the pool
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - GenericPool:checkIn return an object to the pool
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - PreparedStatementCache:cleanupObject class='class com.mysql.jdbc.PreparedStatement'
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - PreparedStatementCache:cleanupObject close a PreparedStatement o='com.mysql.jdbc.PreparedStatement@126a29c: select USER_ID, USER_PASSWORD from FDDPMA_USER where USER_NAME = 'Administrator' and DELETED = 0 '
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardConnectionHandle:close preparedStatementCache.size(lru)='0' preparedStatementCache.size(cache)='0' masterPrepStmtCache.size='1'
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:close
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:close globalTransaction='false' con.getAutoCommit='false' ttx='null'
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:close rollback the connection
2005-11-18 20:28:24,469 [http-8080-Processor24] DEBUG org.enhydra.jdbc.xapool - StandardXAConnectionHandle:close AFTER globalTransaction='false' con.getAutoCommit='true' ttx='null'
2005-11-18 20:28:24,479 [http-8080-Processor24] DEBUG com.fddtool.si.jaas.TomcatLoginModule - TomcatLoginModule.commit
2005-11-18 20:28:24,479 [http-8080-Processor24] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'Administrator' was successful
2005-11-18 20:28:24,479 [http-8080-Processor24] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/fddpma/projectGroupWorkplaceView.jsf'
2005-11-18 20:28:24,479 [http-8080-Processor24] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/fddpma/j_security_check
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Security checking request GET /fddpma/projectGroupWorkplaceView.jsf
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Calling hasUserDataPermission()
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Calling authenticate()
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Restore request from session '651EB8AEB0A3A4A4B34F99213BE6D3E0'
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Authenticated 'Administrator' with type 'FORM'
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.FormAuthenticator - Proceed to restored request
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Calling accessControl()
2005-11-18 20:28:24,489 [http-8080-Processor25] DEBUG org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
OK.
It certainly had something to do with Tomcat settings, and I am not sure yet how to do this the correct way; but I managed to log in when I:
Set <realm> to point to the tomcat-user.xml file instead of FddpmaJaasUser classes, and duplicate the username/password of the database inside the tomcat-user.xml file (with fddpma_role).
Not sure how to make it work without the tomcat-user file so that I do not have to keep this in sync for user accounts.
There are a couple of things to check in the realm configuration:
- fddpma_jaas.jar has to be in Tomcat's classpath. It may be in the common/lib directory, or somewhere else. You may have to manually add it to your Tomcat start script.
- The jaas.properties file has to be in Tomcat's "conf" folder.
- The startup script has to point to the property file using this option:
    set JAVA_OPTS=-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas.properties
- server.xml has to have the following fragment in the context with path "/fddpma":
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="fddpma"
           userClassNames="com.fddtool.si.jaas.FddpmaJaasUser"
           roleClassNames="com.fddtool.si.jaas.FddpmaJaasRole"
           useContextClassLoader="false"
           debug="99"/>
I think the config is (at least partially) ok according to what you write. The system does validate user and password correctly. The 403 error only comes after a successful login.
What I think perhaps is going wrong is interpretation of role - not sure where it gets that when not using tomcat-users.xml
Maybe some other global <realm> definitions in my server.xml overrides or something
Can you send me your config.xml, so I can compare it to mine? My email is support@fddpma.net
Thanks,
Serguei
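Added example, not part of the thread and not FDDPMA or Tomcat source: a simplified model of how a JAAS-backed realm derives roles from the authenticated Subject, showing why a login can succeed and the following accessControl() check can still return 403. The principal classes (DemoUser, DemoRole, UnlistedRole) and the helper names are hypothetical stand-ins for the classes named in userClassNames and roleClassNames; only the role name fddpma_role comes from the thread.

```java
import java.security.Principal;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

// Simplified model (an assumption, not Tomcat source) of role mapping in a JAAS realm.
public class JaasRoleMappingDemo {
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    // Hypothetical stand-ins for the classes listed in userClassNames / roleClassNames.
    static class DemoUser extends Named { DemoUser(String n) { super(n); } }
    static class DemoRole extends Named { DemoRole(String n) { super(n); } }
    static class UnlistedRole extends Named { UnlistedRole(String n) { super(n); } }

    // Only principals whose exact class name is configured as a role class become roles.
    static Set<String> rolesOf(Subject subject, Set<String> roleClassNames) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    // Authorization step: an authenticated user still gets 403 without the required role.
    static int status(Subject subject, Set<String> roleClassNames, String requiredRole) {
        return rolesOf(subject, roleClassNames).contains(requiredRole) ? 200 : 403;
    }

    static Subject subjectWith(Principal... principals) {
        Subject s = new Subject();
        for (Principal p : principals) s.getPrincipals().add(p);
        return s;
    }

    public static void main(String[] args) {
        Set<String> roleClasses = Set.of(DemoRole.class.getName());
        String required = "fddpma_role"; // role name taken from the thread
        Principal user = new DemoUser("Administrator");

        System.out.println("role principal added:  " + status(subjectWith(user, new DemoRole(required)), roleClasses, required));
        System.out.println("no role principal:     " + status(subjectWith(user), roleClasses, required));
        System.out.println("role class not listed: " + status(subjectWith(user, new UnlistedRole(required)), roleClasses, required));
        System.out.println("role name differs:     " + status(subjectWith(user, new DemoRole("other_role")), roleClasses, required));
    }
}
```

In a real deployment the matching checks are that the login module's commit() adds a principal of a class listed in roleClassNames, and that the principal's name equals the role-name used in the application's security constraint.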