tomcat-dev mailing list archives

From Mark Thomas
Subject <security-role-ref> and security constraints
Date Fri, 19 Apr 2013 21:28:26 GMT
Currently, Tomcat only checks against <security-role-ref> elements if
there is a call to isUserInRole(). Prior to Servlet 3.0 this made sense.
The person deploying the web application has control over web.xml and
hence the security roles (those used in security constraints) but no
control over application roles (those used by developers in Servlets
with isUserInRole()) and therefore needed a mechanism to map the
application roles to security roles.

This mechanism is usually used to map application roles to security
roles that exist in an external authentication and authorisation system
such as an LDAP directory. For example, the application role admin in
the HR application may get mapped to the hr-manager role that exists in
the LDAP directory.

With Servlet 3.0 pluggability features the picture changes a little.

Now a fragment may define security constraints that use a security role
that does not match the organisation's security roles and can't be
modified in the application's web.xml. For example, an HR application
with two fragments may define a role "admin" in fragment A and "sysuser"
in fragment B both of which need to be mapped to the "hr-manager" role.

Oh, and just to throw a spanner in the works, if a Filter uses
isUserInRole() there is no way to map the application role to a security

I'm currently unsure how this issue should be addressed. The options as
I see them are:

a) There is an obvious solution I have missed.

b) Check <security-role-ref>'s when processing security constraints.

c) Something else.

Given the Filter issue, I think c) is the only viable option.

Tomcat's current behaviour looks to be specification compliant but there
appears to me to be an issue here that the Servlet EG needs to address.
Before I move this issue there, what do folks think about this? Is there
an issue or am I missing the obvious?


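The situation described in the message above, laid out as deployment descriptors. This is an added illustration, not part of the original post and not taken from Tomcat: the servlet, filter and class names, the URL pattern and the fragment name are assumptions, and only the role names come from the message.

```xml
<!-- WEB-INF/web.xml: the part the deployer controls -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role>
    <role-name>hr-manager</role-name>        <!-- role that exists in LDAP -->
  </security-role>

  <servlet>
    <servlet-name>HrServlet</servlet-name>   <!-- hypothetical servlet -->
    <servlet-class>com.example.hr.HrServlet</servlet-class>
    <!-- Consulted only when this servlet calls isUserInRole("admin"):
         the application role admin resolves to hr-manager. -->
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>hr-manager</role-link>
    </security-role-ref>
  </servlet>

  <!-- <filter> has no <security-role-ref> child element, so an
       isUserInRole("admin") call made inside this filter cannot be mapped. -->
  <filter>
    <filter-name>AuditFilter</filter-name>   <!-- hypothetical filter -->
    <filter-class>com.example.hr.AuditFilter</filter-class>
  </filter>
</web-app>

<!-- Fragment A: META-INF/web-fragment.xml inside a JAR in WEB-INF/lib -->
<web-fragment xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <name>fragmentA</name>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Fragment A admin pages</web-resource-name>
      <url-pattern>/a/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Constraint processing does not look at <security-role-ref>, so this
           name is matched as written; a user holding only hr-manager does
           not satisfy it. Fragment B has the same problem with sysuser. -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-fragment>
```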