...
This article explains how to configure a Tomcat DataSourceRealm for easy management of users.
After completing these steps you will be able to provision, edit, and remove users from a simple web-based GUI. There's no longer a need to have access to tomcat-users.xml to add users or roles. (But tomcat-users.xml can remain enabled if desired.)
Model the Entities in xDM
...
```sql
/* sanity check: does this table have the role information I expect? */
select * from GD_USER_ROLE;

/* create a view to rename F_SEM_USER */
create or replace view V_USER_ROLE as
select F_SEM_USER as SEMUSER_USERNAME,
       F_SEM_ROLE as F_SEM_ROLE
  from GD_USER_ROLE;

/* sanity check: does the new view return users and roles as expected? */
select * from V_USER_ROLE;
```
...
```xml
<!-- You should already have this Valve in semarchy.xml -->
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" landingPage="/"/>

<!-- Use this realm to replace your existing realm. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <!-- This UserDatabaseRealm is tomcat-users.xml -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <!-- This JDBCRealm points to your data location containing the user and role tables. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.OracleDriver"
         connectionURL="jdbc:oracle:thin:@cspov@xxx.ciwpqco9ueekxxxxxxxxx.eu-west-1.rds.amazonaws.com:1521:ORCL"
         connectionName="SANOFIMY_CONSENTUSER"
         connectionPassword="SANOFIMY_CONSENTP0VPASSWORD"
         userTable="GD_SEM_USER"
         userNameCol="USER_NAME"
         userCredCol="PASSWD"
         userRoleTable="V_USER_ROLE"
         roleNameCol="F_SEM_ROLE"/>
</Realm>
```
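Before restarting Tomcat, the realm's own lookups can be checked offline. The script below is an added example, not code from this page or from Semarchy; it assumes JDBCRealm builds its queries as `SELECT <userCredCol> FROM <userTable> WHERE <userNameCol> = ?` and `SELECT <roleNameCol> FROM <userRoleTable> WHERE <userNameCol> = ?`, and runs both against a constructed sqlite3 stand-in for the xDM tables so you can see what happens when the username column exposed by V_USER_ROLE does or does not match userNameCol.

```python
import sqlite3

# Realm attributes copied from the <Realm> element above; connection details
# are not needed for this offline check.  Note the realm sets no digest
# attribute, so Tomcat compares the PASSWD column as plaintext.
REALM = {
    "userTable": "GD_SEM_USER",
    "userNameCol": "USER_NAME",
    "userCredCol": "PASSWD",
    "userRoleTable": "V_USER_ROLE",
    "roleNameCol": "F_SEM_ROLE",
}


def realm_queries(r):
    """The two statements JDBCRealm derives from its attributes (assumed)."""
    cred = f"SELECT {r['userCredCol']} FROM {r['userTable']} WHERE {r['userNameCol']} = ?"
    roles = f"SELECT {r['roleNameCol']} FROM {r['userRoleTable']} WHERE {r['userNameCol']} = ?"
    return cred, roles


def build_db(role_user_col):
    """Constructed in-memory stand-in for the xDM tables; role_user_col is the
    name the V_USER_ROLE view gives to its username column."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE GD_SEM_USER (USER_NAME TEXT PRIMARY KEY, PASSWD TEXT);
        CREATE TABLE GD_USER_ROLE (F_SEM_USER TEXT, F_SEM_ROLE TEXT);
        CREATE VIEW V_USER_ROLE AS
            SELECT F_SEM_USER AS {role_user_col}, F_SEM_ROLE AS F_SEM_ROLE
            FROM GD_USER_ROLE;
        INSERT INTO GD_SEM_USER VALUES ('matt.dahlman', 'constructed-secret');
        INSERT INTO GD_USER_ROLE VALUES ('matt.dahlman', 'semarchyConnect');
    """)
    return db


def lookup(db, username, r=REALM):
    """Mimic the realm: credential row first, then roles.  A column that does
    not exist raises an SQL error, which the realm treats as 'no roles'."""
    cred_sql, roles_sql = realm_queries(r)
    cred = db.execute(cred_sql, (username,)).fetchone()
    if cred is None:
        return None, []          # unknown user: authentication fails
    try:
        roles = [row[0] for row in db.execute(roles_sql, (username,))]
    except sqlite3.OperationalError:
        roles = []               # the failure mode behind "does NOT have role"
    return cred[0], roles
```

Run `lookup(build_db("SEMUSER_USERNAME"), "matt.dahlman")` and `lookup(build_db("USER_NAME"), "matt.dahlman")` side by side: the first authenticates but returns no roles, the second returns semarchyConnect.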
...
Restart tomcat, then log in with your newly defined users and roles.
Now you can provision, edit, and remove users from a simple web-based GUI. There's no longer a need to have access to tomcat-users.xml to add users or roles. (But tomcat-users.xml can remain enabled if desired.)
Troubleshooting
If something does not work as expected, turning on Tomcat's debug logging can help.
Add the following logging parameters. In a default Tomcat configuration they can go at the end of /etc/tomcat8/logging.properties:
```properties
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/semarchy].level = ALL
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
```
Example output with this logging enabled:

```text
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /semarchy/mdm-app/ConsentManagement/ConsentManagement/j_security_check
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating username 'matt.dahlman'
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.200 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.201 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authentication of 'matt.dahlman' was successful
11-May-2018 22:08:26.202 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Redirecting to original '/semarchy/mdm-app/ConsentManagement/ConsentManagement/search'
11-May-2018 22:08:26.202 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test ??/semarchy/mdm-app/ConsentManagement/ConsentManagement/j_security_check
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /semarchy/mdm-app/ConsentManagement/ConsentManagement/search
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.authenticate Restore request from session '64C4C864567E3581E28B1C2772C5C942'
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'matt.dahlman' with type 'FORM'
11-May-2018 22:08:26.498 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [64C4C864567E3581E28B1C2772C5C942] to [9F5424EB3C01F668333745FE0A981393]
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.authenticate Proceed to restored request
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protect Convergence for MDM Designer, Protect Convergence for MDM Landing, Protect Convergence for MDM Data UI]' against GET /mdm-app/ConsentManagement/ConsentManagement/search --> true
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protect Convergence for MDM Designer, Protect Convergence for MDM Landing, Protect Convergence for MDM Data UI]' against GET /mdm-app/ConsentManagement/ConsentManagement/search --> true
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Already authenticated [matt.dahlman]
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[matt.dahlman()]
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasRole Username matt.dahlman does NOT have role semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
```

This attempt failed due to a typo in a column name in the roles table. The enhanced logging reveals that authentication was successful, but the user does NOT have role semarchyConnect.
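Reading these lines by hand gets tedious once several users are involved. As an added example, not from the page, here is a small Python parser that runs over a constructed sample condensed from the FINE lines above and separates the two failure modes the log can show: no realm accepting the credentials at all, versus the JDBCRealm accepting them but the role lookup coming back empty.

```python
import re

# Constructed sample, condensed from the FINE log lines shown above.
LOG = """\
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating username 'matt.dahlman'
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.200 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasRole Username matt.dahlman does NOT have role semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
"""

# Tomcat's one-line JULI layout: "<date> <time> <LEVEL> [<thread>] <logger> <message>"
LINE = re.compile(r"^\S+ \S+ (?P<level>\S+) \[[^\]]+\] (?P<logger>\S+) (?P<msg>.*)$")
AUTH_FAIL = re.compile(r'Failed to authenticate user "(?P<user>[^"]+)" with realm "(?P<realm>[^"]+)"')
AUTH_OK = re.compile(r'Authenticated user "(?P<user>[^"]+)" with realm "(?P<realm>[^"]+)"')
NO_ROLE = re.compile(r"Username (?P<user>\S+) does NOT have role (?P<role>\S+)")


def summarize(text):
    """Per user: realms that rejected the credentials, the realm that accepted
    them, and the roles the access check found missing."""
    users = {}

    def rec(user):
        return users.setdefault(user, {"rejected_by": [], "accepted_by": None, "missing_roles": []})

    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if hit := AUTH_FAIL.search(msg):
            rec(hit["user"])["rejected_by"].append(hit["realm"].rsplit(".", 1)[-1])
        elif hit := AUTH_OK.search(msg):
            rec(hit["user"])["accepted_by"] = hit["realm"].rsplit(".", 1)[-1]
        elif hit := NO_ROLE.search(msg):
            rec(hit["user"])["missing_roles"].append(hit["role"])
    return users


def diagnose(text):
    """Separate a credential failure (no realm accepted the user) from a
    role-mapping failure (accepted, but a required role was not found)."""
    verdicts = {}
    for user, r in summarize(text).items():
        if r["accepted_by"] is None:
            verdicts[user] = "credentials rejected by every realm"
        elif r["missing_roles"]:
            verdicts[user] = (f"authenticated by {r['accepted_by']} but missing role(s) "
                              f"{', '.join(r['missing_roles'])}: check the role table/view")
        else:
            verdicts[user] = f"authenticated by {r['accepted_by']} with the required roles"
    return verdicts
```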