From "brian bay" <>
Subject Re: Tomcat 5.5.17 <role-name>*</role-name> behavior change
Date Fri, 01 Sep 2006 21:01:52 GMT

Well since no one else seems to care about ldap authentication and user
roles, I guess I'll reply to myself..

Apparently backwards compatibility is built into the source code for tomcat.

To work around the problem of <role-name>*</role-name> you need to go and
grab the tomcat source code, not the binaries. If you have the binaries
installed already, this is fine.  All we are going to do is replace

In my source directory C:\apache-tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm, I

I changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE;

to protected AllRolesMode allRolesMode = AllRolesMode.STRICT_AUTH_ONLY_MODE;

I then built from source and copied the newly built catalina.jar file to my
current binary distribution of tomcat, $TOMCAT_HOME/server/lib

That's it. Now <role-name>*</role-name> authenticates all roles.

Brian Bay

On 9/1/06, brian bay <> wrote:
> I recently upgraded from tomcat 5.0.28 to 5.5.17.   I have security set up
> on all my apps to allow any user that can authenticate against ldap access
> to the application....
> So in 5.0.28,  I  defined <role-name>*</role-name>  to allow all role
> names.   In 5.5.17 the behavior changes on the role-name attribute, and
> apparently the * now means "all roles defined inside of web.xml" instead
> of the previous "all/any roles".   I understand that after tomcat 5.5.12, tomcat was
> "fixed" to conform to the
> 2.4 servlet spec, in which the * 's meaning is redefined.   Suck.
> I don't want to have to define 300 roles in web.xml..  Once I do that, I am
> now maintaining roles in 2 places.
> ***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from
> server/lib to my 5.5.17 installation..  !Voila!  authentication now works
> with the <role-name>*</role-name>
> questions:
> Why is there no backwards compatibility?  or is there and I just have to
> tell it which servlet spec to use?
> ***As for my workaround.  I can't see this as being a very good
> solution... I'm guessing this will cause problems elsewhere??
> I could just use 5.5.12, but I'm sure there are some bug fixes along the
> way that I would benefit from..
> thanks,
> Brian
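
As an added example, not part of this thread or of Tomcat's own code, the following Python model shows how Tomcat's three AllRolesMode settings (strict, authOnly, strictAuthOnly, the values the enum in RealmBase corresponds to) resolve <role-name>*</role-name> for an authenticated LDAP user. The web.xml and the role name cn=ldapgroup42 are constructed for the example. It illustrates the caveat of the STRICT_AUTH_ONLY_MODE workaround: it only grants "any authenticated user" while web.xml declares no <security-role> entries at all; the moment one is added, the wildcard falls back to the strict Servlet 2.4 meaning.

```python
import xml.etree.ElementTree as ET

MODES = ("strict", "authOnly", "strictAuthOnly")   # Tomcat's AllRolesMode values

def build_web_xml(declared_roles):
    """Constructed Servlet 2.4 descriptor: the whole app is guarded by the wildcard
    role, and declared_roles controls which <security-role> entries exist."""
    roles_xml = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                        for r in declared_roles)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">'
            "<security-constraint><web-resource-collection>"
            "<url-pattern>/*</url-pattern></web-resource-collection>"
            "<auth-constraint><role-name>*</role-name></auth-constraint>"
            f"</security-constraint>{roles_xml}</web-app>")

def _local(tag):
    return tag.rsplit("}", 1)[-1]   # drop the j2ee namespace (2.3 descriptors have none)

def parse_roles(web_xml):
    """Return (declared security-roles, list of role lists, one per auth-constraint)."""
    declared, constraints = [], []
    for el in ET.fromstring(web_xml).iter():
        names = [c.text.strip() for c in el if _local(c.tag) == "role-name"]
        if _local(el.tag) == "security-role":
            declared += names
        elif _local(el.tag) == "auth-constraint":
            constraints.append(names)
    return declared, constraints

def constraint_allows(auth_roles, declared, user_roles, mode):
    """Decide one <auth-constraint>. user_roles is the principal's role set, or
    None for an unauthenticated request. Models RealmBase.hasResourcePermission."""
    if user_roles is None:
        return False
    wildcard = "*" in auth_roles
    # Servlet 2.4 reading: '*' stands for every role declared in web.xml, nothing more
    granted = set(declared) if wildcard else set(auth_roles)
    if granted & set(user_roles):
        return True
    if wildcard and mode == "authOnly":
        return True                      # pre-2.4 reading: any authenticated user
    if wildcard and mode == "strictAuthOnly" and not declared:
        return True                      # only while web.xml declares no roles at all
    return False

def access_by_mode(web_xml, user_roles):
    """Map each AllRolesMode to whether user_roles may reach every constrained URL."""
    declared, constraints = parse_roles(web_xml)
    return {m: all(constraint_allows(ac, declared, user_roles, m) for ac in constraints)
            for m in MODES}
```

Calling access_by_mode(build_web_xml([]), {"cn=ldapgroup42"}) grants access under authOnly and strictAuthOnly but not strict, while access_by_mode(build_web_xml(["admin", "staff"]), {"cn=ldapgroup42"}) grants it under authOnly only.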
