tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Tulley" <>
Subject [Patch] Multiple user patterns in JNDIRealm
Date Wed, 03 Sep 2003 00:14:05 GMT
In the current JNDIRealm implementation, you can either have it find(and
authenticate) users via a search or through a user pattern.  Using the
subtree search has security ramifications  -- either you have to grant
public browse access to all containers in the directory where your user
objects are, or you need to grant a particular user those browse rights,
and then place that username and password in server.xml in plaintext. 
Using the user pattern, however if you want to do context-less login,
you are limited to only being able to authenticate users from one

This patch extends the userPattern attribute so that it can have
multiple values.  Backwards compatibility is completely maintained.  The
notation for adding in multiple patterns is to surround each of them in
parentheses, for instance "(cn={0},o=myorg)(cn={0},ou=users,o=myorg)". 
Standard LDAP "OR" search syntax also works,
"(|(cn={0},o=myorg)(cn={0},ou=users,o=myorg))".  I chose parentheses
because of its similarity to LDAP's search syntax, and also for the fact
that semicolons and commas are used to separate path components, and
colons are valid characters in the directory path.  Parentheses are
valid characters as well, but will be escaped if they are part of an
actual name.  The current syntax of "cn={0},o=myorg", no parentheses,
still works.

The use case exactly then is if you want to provide context-less login
in multiple containers without the security ramifications of doing the
sub-tree LDAP search.

I've included some unit test code as well, testing the parsing of the
user pattern.  I attached that file in its entirety since it is new. 
Also attached -- a patch to build.xml to add in support for this unit
test code, and a patch to the realm-howto JNDIRealm section.

I would like this added into the 4.1 branch if possible, since I think
it fills a hole there.


Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions

View raw message