1. User and Role Document Model
2. web.xml
We have two roles, ContentOwner and ServerAdmin. This is how we set up form-based authentication in web.xml:
… <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>ServerAdmin</role-name> <role-name>ContentOwner</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name> MongoDBRealm</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/login_error.jsp</form-error-page> </form-login-config> </login-config> <!-- Security roles referenced by this web application --> <security-role> <role-name>ServerAdmin</role-name> </security-role> <security-role> <role-name>ContentOwner</role-name> </security-role>
3. Create passwords for admin and test users
($CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {cleartext-password}) os-prompt> digest -a SHA-256 manager manager: 6ee4a469cd4e91053847f5d3fcb61dbcc91e8f0ef10be7748da4c4a1ba382d17 os-prompt> digest -a SHA-256 testpwd testpwd:a85b6a20813c31a8b1b3f3618da796271c9aa293b3f809873053b21aec501087
Execute this JavaScript code in MongoDB JS shell:
use mydb usr = { userName: 'admin', password: '1a8565a9dc72048ba03b4156be3e569f22771f23', roles: [ { _id: ObjectId(), name: 'ServerAdmin'} ] } db.user.insert(usr); usr = { userName: 'test', password: '05ec834345cbcf1b86f634f11fd79752bf3b01f3', roles: [ { _id: ObjectId(), name: 'ContentOwner'} ] } db.user.insert(usr); db.user.find().pretty(); role = { name: 'ServerAdmin', description: 'Server administrator role' } db.role.insert(role); role = { name: 'ContentOwner', description: 'End-user (client) role' } db.role.insert(role); db.role.find().pretty();
mydb is a MongoDB database name we use in this example.
4. Realm element setup
Set up Realm element, as showed below, in your $CATALINA_HOME/conf/server.xml file:
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> ... <Realm className="com.daprota.m2.realm.MongoDBRealm" connectionURL="mongodb://localhost:27017/mydb" digest="SHA-256"/> </Host> </Engine>
5. How to encrypt user’s password
The following Java code snippet is an example of how to encrypt a user’s password:
String password = "password"; MessageDigest messageDigest = java.security.MessageDigest.getInstance("SHA-256"); messageDigest.update(password.getBytes()); byte byteData[] = messageDigest.digest(); //Convert byte data to hex format StringBuffer hexString = new StringBuffer(); for (int i = 0; i < byteData.length; i++) { String hex=Integer.toHexString(0xff & byteData[i]); if (hex.length()==1) hexString.append('0'); hexString.append(hex); }
When you store password in MongoDB, store it via hexString.toString().
6. MongoDB realm source code
The source code of the Tomcat security realm implementation with MongoDB and ready to use m2-mongodb-realm.jar are available at
https://github.com/gzugic/mongortom
You just need to copy m2-mongodb-realm.jar to your $CATALINA_HOME/lib.