...

This article explains how to configure a Tomcat DataSourceRealm for easy management of users.

After completing these steps you will be able to provision, edit, and remove users from a simple web-based GUI. There's no longer a need to have access to tomcat-users.xml to add users or roles. (But tomcat-users.xml can remain enabled if desired.)

Model the Entities in xDM

...

Create V_USER_ROLE (SQL):

/* sanity check: does this table have the role information I expect? */
select * from GD_USER_ROLE ;

/* create a view that exposes GD_USER_ROLE under the column names the realm expects.
   JDBCRealm looks roles up with "select <roleNameCol> from <userRoleTable> where <userNameCol> = ?",
   i.e. the SAME userNameCol it uses for the user table (USER_NAME in the semarchy.xml snippet),
   so F_SEM_USER must be aliased to that name; any other alias makes every role lookup fail. */
create or replace view V_USER_ROLE as
select F_SEM_USER as USER_NAME, F_SEM_ROLE as F_SEM_ROLE
from GD_USER_ROLE ;

/* sanity check: does the new view return users and roles as expected? */
select * from V_USER_ROLE ;

...

semarchy.xml snippet (XML):

<!-- You should already have this Valve in semarchy.xml -->
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" landingPage="/"/>

<!-- Use this realm to replace your existing realm. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <!-- This UserDatabaseRealm is tomcat-users.xml -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <!-- This JDBCRealm points to your data location containing the user and role tables.
       userNameCol applies to BOTH userTable and userRoleTable, so V_USER_ROLE must expose
       the user name under the same column name (USER_NAME).
       No CredentialHandler/digest is configured, so the PASSWD column is compared as plain
       text, and the database credentials below are stored in the clear in this file;
       restrict its file permissions accordingly. -->
  <Realm
    className="org.apache.catalina.realm.JDBCRealm" driverName="oracle.jdbc.OracleDriver"
    connectionURL="jdbc:oracle:thin:@cspov@xxx.ciwpqco9ueekxxxxxxxxx.eu-west-1.rds.amazonaws.com:1521:ORCL"
    connectionName="SANOFIMY_CONSENTUSER" connectionPassword="SANOFIMY_CONSENTP0VPASSWORD"
    userTable="GD_SEM_USER" userNameCol="USER_NAME" userCredCol="PASSWD"
    userRoleTable="V_USER_ROLE" roleNameCol="F_SEM_ROLE"/>
</Realm>
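To make the view/realm coupling concrete, here is an added example (not code from the original article or from Semarchy) that replays the two SQL lookups JDBCRealm performs, credential check and then role lookup, against a constructed in-memory SQLite stand-in for GD_SEM_USER, GD_USER_ROLE and V_USER_ROLE. The realm attribute names and values are the ones from the semarchy.xml snippet; the user rows, password and the `build_db` / `jdbc_realm_authenticate` helpers are assumptions made for the demo. Building the view with a user column alias other than USER_NAME reproduces the failure mode the troubleshooting section describes: the user authenticates, but the role query fails and the principal carries no roles.

```python
import hmac
import sqlite3

# Realm attributes copied from the semarchy.xml snippet above.
REALM = {
    "userTable": "GD_SEM_USER",
    "userNameCol": "USER_NAME",
    "userCredCol": "PASSWD",
    "userRoleTable": "V_USER_ROLE",
    "roleNameCol": "F_SEM_ROLE",
}


def build_db(role_user_alias):
    """Constructed stand-in for the xDM tables (not real xDM data).

    role_user_alias is the column name V_USER_ROLE exposes F_SEM_USER under;
    JDBCRealm expects it to equal REALM["userNameCol"].
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE GD_SEM_USER (USER_NAME TEXT PRIMARY KEY, PASSWD TEXT);
        CREATE TABLE GD_USER_ROLE (F_SEM_USER TEXT, F_SEM_ROLE TEXT);
        CREATE VIEW V_USER_ROLE AS
          SELECT F_SEM_USER AS {role_user_alias}, F_SEM_ROLE AS F_SEM_ROLE
          FROM GD_USER_ROLE;
        -- constructed sample rows
        INSERT INTO GD_SEM_USER VALUES ('matt.dahlman', 'example-password');
        INSERT INTO GD_USER_ROLE VALUES ('matt.dahlman', 'semarchyConnect');
        INSERT INTO GD_USER_ROLE VALUES ('matt.dahlman', 'semarchyAdmin');
    """)
    return conn


def jdbc_realm_authenticate(conn, realm, username, password):
    """Mirror the two lookups JDBCRealm runs; return (authenticated, roles).

    Without a CredentialHandler, JDBCRealm compares the stored credential
    column with the submitted password as plain text; a constant-time
    comparison is used here for the same check.
    """
    cred_sql = (f"SELECT {realm['userCredCol']} FROM {realm['userTable']} "
                f"WHERE {realm['userNameCol']} = ?")
    row = conn.execute(cred_sql, (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], password):
        return False, []

    # Note the same userNameCol is used against the role table/view.
    role_sql = (f"SELECT {realm['roleNameCol']} FROM {realm['userRoleTable']} "
                f"WHERE {realm['userNameCol']} = ?")
    try:
        roles = [r[0] for r in conn.execute(role_sql, (username,))]
    except sqlite3.OperationalError:
        # JDBCRealm logs the SQLException and builds the principal with no
        # roles, which is what "does NOT have role semarchyConnect" shows.
        roles = []
    return True, sorted(roles)


def has_role(roles, required):
    """The accessControl() question: does the principal hold the needed role?"""
    return required in roles


if __name__ == "__main__":
    for alias in ("SEMUSER_USERNAME", "USER_NAME"):
        ok, roles = jdbc_realm_authenticate(
            build_db(alias), REALM, "matt.dahlman", "example-password")
        print(f"alias={alias}: authenticated={ok} roles={roles} "
              f"semarchyConnect={has_role(roles, 'semarchyConnect')}")
```

Run it and the first line shows the mismatched alias: authenticated but no roles, exactly the pattern the FINE log below exhibits; the second line shows the aliased view returning both roles.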

...

Restart Tomcat, then log in with your newly defined users and roles.

You can now provision, edit, and remove users from the web-based GUI without needing access to tomcat-users.xml (which can remain enabled if desired).

Troubleshooting

If things don't work perfectly, turning on logging can help.

Add the following logging parameters. In a default Tomcat configuration you can append them to the end of /etc/tomcat8/logging.properties:

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/semarchy].level = ALL
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

Sample of a failed login attempt:
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /semarchy/mdm-app/ConsentManagement/ConsentManagement/j_security_check
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating username 'matt.dahlman'
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.200 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.201 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authentication of 'matt.dahlman' was successful
11-May-2018 22:08:26.202 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Redirecting to original '/semarchy/mdm-app/ConsentManagement/ConsentManagement/search'
11-May-2018 22:08:26.202 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test ??/semarchy/mdm-app/ConsentManagement/ConsentManagement/j_security_check
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /semarchy/mdm-app/ConsentManagement/ConsentManagement/search
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.authenticate Restore request from session '64C4C864567E3581E28B1C2772C5C942'
11-May-2018 22:08:26.497 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'matt.dahlman' with type 'FORM'
11-May-2018 22:08:26.498 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [64C4C864567E3581E28B1C2772C5C942] to [9F5424EB3C01F668333745FE0A981393]
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.authenticate Proceed to restored request
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Protect Convergence for MDM Designer, Protect Convergence for MDM Landing, Protect Convergence for MDM Data UI]' against GET /mdm-app/ConsentManagement/ConsentManagement/search --> true
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Protect Convergence for MDM Designer, Protect Convergence for MDM Landing, Protect Convergence for MDM Data UI]' against GET /mdm-app/ConsentManagement/ConsentManagement/search --> true
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
11-May-2018 22:08:26.499 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Already authenticated [matt.dahlman]
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling accessControl()
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles GenericPrincipal[matt.dahlman()]
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasRole Username matt.dahlman does NOT have role semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found:  semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed accessControl() test

# This attempt failed due to a typo in a column name in the roles table. 
# The enhanced logging reveals that authentication was successful, but the user does NOT have role semarchyConnect.
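Reading that log by eye works once; when the realm chain is being reconfigured repeatedly it helps to reduce it mechanically. The following is an added example (not part of the original article) that parses the Tomcat FINE lines shown above and separates the two failure classes a CombinedRealm produces: a credential failure (no realm authenticated the user) versus an authorization failure (a realm authenticated the user, but a required role was not found, the column-name mismatch case described above). The log excerpt is taken from the sample on this page, with two constructed extra lines for a second user whose credentials fail in both realms; the `diagnose` function and the verdict strings are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Excerpt of the FINE log above, plus two constructed lines for "example.user".
SAMPLE_LOG = """\
11-May-2018 22:08:26.134 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating username 'matt.dahlman'
11-May-2018 22:08:26.135 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "matt.dahlman" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:08:26.200 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "matt.dahlman" with realm "org.apache.catalina.realm.JDBCRealm"
11-May-2018 22:08:26.500 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.RealmBase.hasRole Username matt.dahlman does NOT have role semarchyConnect
11-May-2018 22:08:26.501 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed accessControl() test
11-May-2018 22:09:01.010 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "example.user" with realm "org.apache.catalina.realm.UserDatabaseRealm"
11-May-2018 22:09:01.011 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "example.user" with realm "org.apache.catalina.realm.JDBCRealm"
"""

# "<date> <time> <LEVEL> [<thread>] <logger> <message>"; wrapped continuation
# lines (as in the sample above) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")

AUTH_OK = re.compile(r'Authenticated user "(?P<user>[^"]+)" with realm "(?P<realm>[^"]+)"')
AUTH_FAIL = re.compile(r'Failed to authenticate user "(?P<user>[^"]+)" with realm "(?P<realm>[^"]+)"')
NO_ROLE = re.compile(r"Username (?P<user>\S+) does NOT have role (?P<role>\S+)")


def diagnose(log_text):
    """Reduce authenticator/realm FINE output to one verdict per user name."""
    users = defaultdict(lambda: {"authenticated_by": None,
                                 "failed_realms": [], "missing_roles": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if (h := AUTH_OK.search(msg)):
            users[h["user"]]["authenticated_by"] = h["realm"]
        elif (h := AUTH_FAIL.search(msg)):
            users[h["user"]]["failed_realms"].append(h["realm"])
        elif (h := NO_ROLE.search(msg)):
            users[h["user"]]["missing_roles"].append(h["role"])

    result = {}
    for user, info in users.items():
        if info["authenticated_by"] is None:
            verdict = "credential check failed in every realm"
        elif info["missing_roles"]:
            # Authenticated, so credentials are fine: look at the role table/view.
            verdict = "authenticated but missing required role(s)"
        else:
            verdict = "authenticated and authorized"
        result[user] = {**info, "verdict": verdict}
    return result


if __name__ == "__main__":
    for user, info in diagnose(SAMPLE_LOG).items():
        print(f"{user}: {info['verdict']} "
              f"(realm={info['authenticated_by']}, missing={info['missing_roles']})")
```

The verdict is what you want first: "missing required role(s)" points at the view columns or the roleNameCol/userNameCol attributes, whereas "failed in every realm" points at the user table, the credential column, or the connection settings.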