tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "brian bay" <brian.f....@gmail.com>
Subject Re: Tomcat 5.5.17 <role-name>*</role-name> behavior change
Date Sat, 02 Sep 2006 04:17:32 GMT
I would have responded sooner, but I've been to busy banging my head against
my desk..  :-)

Much easier indeed, and better..  thanks for the heads up!  I wish I  had
posted this question earlier..

I understand that it's hard to keep documentation up-to-the-minute on every
change, but this seems like allRolesMode might be a good canidate to include
in the Realm doc.. unless I just missed it..I know it's in the javadoc, but
dummies, like me, need things spelled out.. :-)

In hindsight, your solution seems obvious to me, but the general consensus
that I got from reading the small number of convoluted threads out there,
was nobody had a clue what to do..  besides defining tons of roles in the
web app..  or reverting to 5.5.12..  Maybe it's just not that common of
situation??

thanks for the help!  I'll come here first next time, instead of spending
countless hours reading dead-end-threads..

Brian




On 9/1/06, Bill Barker <wbarker@wilshire.com> wrote:
>
> It would have been easier to change server.xml, to something like:
>     <Realm allRolesMode="strictAuthOnly" ...... />
>
> "brian bay" <brian.f.bay@gmail.com> wrote in message
> news:b5095c1b0609011401h304e7ae4n43779504fdf0c130@mail.gmail.com...
> > SOLVED!
> >
> > Well since no one else seems to care about ldap authentication and user
> > roles, I guess I'll reply to myself..
> >
> > Apparently backwards compatiblity is built into the source code for
> > tomcat.
> >
> > To work around the problem of <role-name>*</role-name>  you need to
got
> > and
> > grab the tomcat source code, not the binaries.. If you have the binaries
> > installed already, this is fine.  All we are going to do is replace
> > catalina.jar...
> >
> > In my source directory C:\apache-
> > tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm
> ,
> > I
> > edited RealmBase.java.
> >
> > I Changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE
> ;
> >
> > to protected AllRolesMode allRolesMode =
> > AllRolesMode.STRICT_AUTH_ONLY_MODE;
> >
> > I then built from source and copied the newly build catalina.jar file to
> > my
> > current binary distribution of tomcat..$TOMCAT_HOME/server/lib
> >
> > thats it..   Now <role-name>*</role-name> authenticates all roles.
> >
> >
> > Brian Bay
> >
> >
> >
> >
> > On 9/1/06, brian bay <brian.f.bay@gmail.com> wrote:
> >>
> >> I recently upgraded from tomcat 5.0.28 to 5.5.17.   I have security set
> >> up
> >> on all my apps to allow any user that can authenticate against ldap
> >> access
> >> to the application....
> >>
> >> So in 5.0.28,  I  defined <role-name>*</role-name>  to allow all
role
> >> names.   In 5.5.17 the behavior changes on the role-name attribute, and
> >> apparently the * now means "all roles defined inside of web.xml"
> instead
> >> of the previous "all/any roles"..   I understand that after tomcat
> >> 5.5.12, tomcat was "fixed" to conform to the
> >> 2.4 servlet spec, in which the * 's meaning is redefined.   Suck.
> >>
> >> I dont want to have to define 300 roles in web.xml..  Once I do that, I
> >> am
> >> now maintaning roles in 2 places.
> >>
> >>
> >> ***As a test/workaround, I downloaded 5.5.12 and copied catalina.jarfrom
> >> server/lib to my 5.5.17 installation..  !Voila!  authentication now
> works
> >> with the <role-name>*</role-name>
> >>
> >>
> >>
> >> questions:
> >>
> >> Why is there no backwards compatibility?  or is there and I just have
> to
> >> tell it which servlet spec to use?
> >>
> >> ***As, for my workaround.  I cant see this as being a very good
> >> solution... I'm guessing this will cause problems elsewhere??
> >>
> >>
> >> I could just use 5.5.12, but I'm sure there are some bug fixes along
> the
> >> way that I would benefit from..
> >>
> >> thanks,
> >> Brian
> >>
> >
>
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message