Search code examples
jspauthenticationj-security-check

j_security_check gives 403 page when username and password are correct

I am implementing FORM based authentication with j_security_check and I am stuck with the following problem now:

Ok here are my config files: web.xml:

<security-constraint>
<display-name>Efood Security</display-name>
<web-resource-collection>
  <web-resource-name>Secured Area</web-resource-name>
  <url-pattern>/checkout.jspx</url-pattern>
  <url-pattern>/checkout</url-pattern>
</web-resource-collection>
<auth-constraint>
  <role-name>friend</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Secured eFood Area</realm-name>
<form-login-config>
  <form-login-page>/login.jspx</form-login-page>
  <form-error-page>/error.jspx</form-error-page>
</form-login-config>
</login-config>
<security-role>
  <role-name>10001</role-name>
</security-role>
<error-page>
  <error-code>403</error-code>
  <location>/403.jspx</location>
</error-page>

in server.xml

 <GlobalNamingResources>
 ....
 <Resource driverClassName="org.apache.derby.jdbc.ClientDriver"
 factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" name="jdbc/CSE"
 password="secret" type="javax.sql.DataSource"
 url = "jdbc:derby://hostname:port/DB" username="student" />
 </GlobalNamingResources>
 ....
 <Realm className="org.apache.catalina.realm.LockOutRealm">
 <Realm  className = "org.apache.catalina.realm.DataSourceRealm" 
                driverName="org.apache.derby.jdbc.ClientDriver"
                debug="99"
                dataSourceName = "jdbc/DB" userTable = "users"
                userNameCol = "login" userCredCol="password"
                userRoleTable = "users" roleNameCol = "login" />

  </Realm>

in context.xml

 <ResourceLink type="javax.sql.DataSource" name="jdbc/DB" global="jdbc/DB"/>

So my problem is that I get 403 page when I enter correct credentials. If I enter wrong username and password I am redirected to error.jsp, which means that it checks the DB, however, I don't know what the problem is.

Anyone had any familiar issues with authentication through DB?

Also, I am not sure how to do the secrity-role tag with role-names, because the given table only has username and password.

Thanks in advance!

Solution

  • If you don't have authorization roles, use

    <auth-constraint>
    <role-name>*</role-name> 
</auth-constraint>

    and remove the <security-role>.