tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Tomcat 5.5.17 <role-name>*</role-name> behavior change
Date Sat, 02 Sep 2006 02:52:30 GMT
It would have been easier to change server.xml, to something like:
    <Realm allRolesMode="strictAuthOnly" ...... />

"brian bay" <brian.f.bay@gmail.com> wrote in message 
news:b5095c1b0609011401h304e7ae4n43779504fdf0c130@mail.gmail.com...
> SOLVED!
>
> Well since no one else seems to care about ldap authentication and user
> roles, I guess I'll reply to myself..
>
> Apparently backwards compatibility is built into the source code for
> tomcat.
>
> To work around the problem of <role-name>*</role-name> you need to go and
> grab the tomcat source code, not the binaries.. If you have the binaries
> installed already, this is fine.  All we are going to do is replace
> catalina.jar...
>
> In my source directory
> C:\apache-tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm,
> I edited RealmBase.java.
>
> I changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE;
>
> to protected AllRolesMode allRolesMode = AllRolesMode.STRICT_AUTH_ONLY_MODE;
>
> I then built from source and copied the newly built catalina.jar file to my
> current binary distribution of tomcat.. $TOMCAT_HOME/server/lib
>
> That's it..   Now <role-name>*</role-name> authenticates all roles.
>
>
> Brian Bay
>
>
>
>
> On 9/1/06, brian bay <brian.f.bay@gmail.com> wrote:
>>
>> I recently upgraded from tomcat 5.0.28 to 5.5.17.   I have security set up
>> on all my apps to allow any user that can authenticate against ldap access
>> to the application....
>>
>> So in 5.0.28,  I  defined <role-name>*</role-name>  to allow all role
>> names.   In 5.5.17 the behavior changes on the role-name attribute, and
>> apparently the * now means "all roles defined inside of web.xml" instead
>> of the previous "all/any roles"..   I understand that after tomcat
>> 5.5.12, tomcat was "fixed" to conform to the
>> 2.4 servlet spec, in which the * 's meaning is redefined.   Suck.
>>
>> I don't want to have to define 300 roles in web.xml..  Once I do that, I am
>> now maintaining roles in 2 places.
>>
>>
>> ***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from
>> server/lib to my 5.5.17 installation..  !Voila!  authentication now works
>> with the <role-name>*</role-name>
>>
>>
>>
>> questions:
>>
>> Why is there no backwards compatibility?  or is there and I just have to
>> tell it which servlet spec to use?
>>
>> ***As for my workaround.  I can't see this as being a very good
>> solution... I'm guessing this will cause problems elsewhere??
>>
>>
>> I could just use 5.5.12, but I'm sure there are some bug fixes along the
>> way that I would benefit from..
>>
>> thanks,
>> Brian
>>
> 




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
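
The following is an added example, not part of the thread or of Tomcat's code: a small audit helper that shows who passes a `<role-name>*</role-name>` constraint under each Realm `allRolesMode` value. The `authOnly` value and the rule that `strictAuthOnly` falls back to strict checking once web.xml declares roles come from the Tomcat Realm documentation, not from this thread; the descriptors, the role names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from the thread): every URL requires "*".
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Same descriptor, but declaring one role, which changes what strictAuthOnly does.
WEB_XML_WITH_ROLES = WEB_XML.replace(
    "</web-app>",
    "<security-role><role-name>staff</role-name></security-role></web-app>")

def _local(tag):
    """Drop an XML namespace prefix so versioned web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]

def _role_names(web_xml, parent):
    """Role names found under every <parent> element of the descriptor."""
    root = ET.fromstring(web_xml)
    return {(r.text or "").strip() for p in root.iter() if _local(p.tag) == parent
            for r in p if _local(r.tag) == "role-name"}

def wildcard_grants(mode, web_xml, user_roles):
    """True if an authenticated user with user_roles passes the "*" constraint."""
    if "*" not in _role_names(web_xml, "auth-constraint"):
        raise ValueError("descriptor has no <role-name>*</role-name> constraint")
    declared = _role_names(web_xml, "security-role")
    if mode == "authOnly":                      # authentication alone is enough
        return True
    if mode == "strictAuthOnly" and not declared:
        return True                             # no roles declared: same as authOnly
    if mode in ("strict", "strictAuthOnly"):    # "*" = roles declared in web.xml
        return bool(declared & set(user_roles))
    raise ValueError(f"unknown allRolesMode: {mode}")

def audit(web_xml, user_roles):
    """Outcome of the same request under each allRolesMode value."""
    modes = ("strict", "authOnly", "strictAuthOnly")
    return {m: wildcard_grants(m, web_xml, user_roles) for m in modes}

if __name__ == "__main__":
    for name, xml in (("no roles declared", WEB_XML), ("staff declared", WEB_XML_WITH_ROLES)):
        print(name, audit(xml, {"ldap-group-42"}))
```

Running the audit against a deployment's real web.xml before relaxing the Realm setting shows whether the change admits every authenticated directory user or only holders of the declared roles.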