
I have a JSF 2 project and am using Eclipse Indigo as IDE, and deploying to Tomcat 6 (which is running in a virtual machine in VirtualBox to mimic the target environment). I am not using Eclipse to deploy. Right now I'm simply exporting a .war file and deploying it from the Tomcat manager screen. I am using HSQLDB to store users, passwords, and user roles. One project requirement that is causing me confusion is that my web app must be fully self-contained. That is to say, I deliver a .war file and they plug it in without additional configuration to Tomcat.

I've read a ton on configuring my project for form authentication, including: SO question 1, SO question 2, SO question 3, Tomcat Realm config, Java EE 6 security, and more. Those sources really helped understand how to configure my project. I thought I was almost there. However, when I deploy the web app and try to access a restricted page I always get the login error page. I attempt login with one of various users in the DB with the role required, and I think the DB is set up according to the Tomcat Documentation.

All the tutorials I've read differ from my situation in one way or another:

  1. Uses Glassfish instead of Tomcat
  2. Uses BASIC authentication instead of FORM
  3. Stores users, passwords, and roles in tomcat-users.xml instead of relational DB tables
  4. Declares roles in server.xml instead of somewhere within the .war file.

Point 4 especially is preventing me from getting a full understanding of what is and is not possible (out of the box).

I will edit this question later to post code (web.xml, etc.), but first I wanted to ask a question similar to the one in the 'SO question 2' (above), in which the OP asks whether it's possible to do form authentication without defining something in the application server. In one of the answers it sort of sounds like it is not possible, but it's not quite definitive.

So, is it possible to implement form authentication without modifying files in the server (specifically server.xml and tomcat-users.xml as so many tutorials show)? Can form authentication with a DataSourceRealm be done with the requirement of the .war being fully self-contained? If so, how? Can I include additional .xml files in my .war that would do the trick? Can I include everything I need in web.xml and context.xml?

I've tried including everything in web.xml and context.xml, but it is not working. I thought I had things configured properly except for not having anything in the server.xml file.

I'll leave it at that for now. If what I need is possible, I'll edit with code to try to figure out what I'm doing wrong, otherwise, I'll save the trouble. Also, if what I need is not possible using form authentication, can anyone recommend a good alternative to achieve the same in a self-contained .war? (I'm throwing around the term 'self-contained .war' for lack of a better way to describe it...if there's a better or more precise term, let me know.)

neizan

1 Answer


Unfortunately, you cannot do it. Realms are configured in the server.xml file, so if you want to authenticate a user against a database you have to configure it in the server.xml file.

If you want to authenticate a user against a database and ensure all your configuration will be within your WAR file, please consider using the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html It is a great and simple framework that solves a lot of authentication / authorization problems.

Michael
  • Thanks for the info. The more I tried different combinations, and had no success, the more I suspected it indeed was not possible. Thanks, also, for the suggestion about Spring Security. I'd seen it recommended alongside Shiro and Seam in other places here on SO. – neizan Aug 01 '13 at 07:50
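
The Spring Security route suggested in the answer, sketched as a Spring Security 3.1 namespace configuration that ships inside the WAR. This is an added example, not code from the question or the answer. It assumes the `springSecurityFilterChain` `DelegatingFilterProxy` filter and Spring's `ContextLoaderListener` are declared in web.xml; the file name, URL patterns, role name, database path and credentials are constructed placeholders.

```xml
<!-- WEB-INF/applicationContext-security.xml: added example. File name, URL patterns,
     role name, DB path and credentials are constructed placeholders. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Form login enforced by the filter chain inside the WAR, not by a Tomcat Realm. -->
  <http use-expressions="true">
    <intercept-url pattern="/login.xhtml" access="permitAll"/>
    <intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
    <intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')"/>
    <!-- In 3.1 the login form posts j_username / j_password to /j_spring_security_check. -->
    <form-login login-page="/login.xhtml"
                authentication-failure-url="/login.xhtml?error=1"/>
    <logout logout-success-url="/login.xhtml"/>
  </http>

  <!-- HSQLDB connection owned by the application; nothing is declared in server.xml. -->
  <beans:bean id="dataSource"
      class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <beans:property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
    <beans:property name="url" value="jdbc:hsqldb:file:/path/to/authdb"/>
    <beans:property name="username" value="SA"/>
    <beans:property name="password" value=""/>
  </beans:bean>

  <!-- Store bcrypt hashes in user_pass rather than plaintext passwords. -->
  <beans:bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <authentication-manager>
    <authentication-provider>
      <password-encoder ref="passwordEncoder"/>
      <!-- Queries target the users / user_roles layout from the Tomcat Realm docs;
           role_name values are assumed to be stored with the ROLE_ prefix (ROLE_USER). -->
      <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query=
            "SELECT user_name, user_pass, TRUE FROM users WHERE user_name = ?"
          authorities-by-username-query=
            "SELECT user_name, role_name FROM user_roles WHERE user_name = ?"/>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

`DriverManagerDataSource` opens a new connection per request and is used here only to keep the example short; a pooled data source bean can be substituted under the same `dataSource` id.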