tomcat-users mailing list archives

From David Delbecq <>
Subject Re: Security roles
Date Fri, 28 Sep 2007 07:43:38 GMT
request.isUserInRole is the way to go. If you don't get "true", I
suggest you first check getRemoteUser() to see if the user is authenticated.
Then check that you correctly spelled the role name, including case. Then check
that you have the correct role mapping in web.xml (mapping from realm role names
to webapp roles) and that you are correctly using the webapp role name,
not the realm role name! (The best way to avoid this last problem is to use the
same name on both sides.)

You are not supposed to access GenericPrincipal. Moreover, Tomcat's
implementation of isUserInRole() will just return the same a

As for copying catalina.jar to WEB-INF/lib, it won't work either. Instead
of a ClassNotFoundException, you would get a ClassCastException,
because your instance has been allocated by the server class loader while the
class you try to cast to is allocated by the webapp class loader (same
name, same package, but different class loader).

Btw, don't even ever think about moving anything from server/ to

At precisely 28/09/07 09:14, janbanan wrote the following:
> Hi,
> I'm having some problems with security roles in Tomcat 5.5. The actual
> url-pattern based protection works fine, so presumably the config is OK. But
> when I programmatically try to check if the user belongs to a role, I run into
> problems.
> First, the request.isUserInRole(String) method always returns false. After a
> bit of searching I found that Tomcat has its own implementation of the
> Principal class, GenericPrincipal, which has the hasRole(String) method.
> Now it turns out I cannot retrieve the GenericPrincipal object from the
> request (ClassNotFoundException). This I found out is because the class
> file is not loaded in the scope of the webapp. The workaround is to copy the
> catalina.jar to the WEB-INF/lib folder.
> This seems very messy! I'd like to check with you guys: is this really the
> only way to check a user's roles? Or am I doing something wrong?
> Thanks!
> Jan
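
The checklist in the reply above (getRemoteUser() first, then isUserInRole() with the webapp role name, mapped to the realm role through web.xml), written out as a servlet. This is an added example, not code from the thread or from Tomcat; the package, class and role names ("example", "RoleCheckServlet", "admin", "tomcat-admins") and the web.xml fragment in the comment are assumptions. It uses only the standard Servlet 2.4 API, so it does not depend on catalina.jar being visible to the webapp class loader and never casts the Principal to a Tomcat type.

```java
// Added example, not from the original thread. Assumed web.xml fragment
// (hypothetical names) that this servlet relies on:
//
//   <servlet>
//     <servlet-name>RoleCheck</servlet-name>
//     <servlet-class>example.RoleCheckServlet</servlet-class>
//     <!-- role-name is what the code passes to isUserInRole();
//          role-link is the role the realm actually knows about -->
//     <security-role-ref>
//       <role-name>admin</role-name>
//       <role-link>tomcat-admins</role-link>
//     </security-role-ref>
//   </servlet>
//   <security-role><role-name>tomcat-admins</role-name></security-role>
//
// With no <security-role-ref> for "admin", isUserInRole("admin") is checked
// directly against a realm role named "admin": the "same name on both sides"
// case recommended in the reply.
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleCheckServlet extends HttpServlet {

    /** Webapp role name, i.e. the <role-name> of the <security-role-ref>. */
    private static final String WEBAPP_ROLE = "admin";

    /** Outcome of the checklist, kept separate from HTTP handling. */
    enum Outcome { NOT_AUTHENTICATED, NOT_IN_ROLE, IN_ROLE }

    static Outcome check(HttpServletRequest request, String webappRole) {
        // Step 1: is anyone authenticated at all? Under container-managed
        // security getRemoteUser() is null until the realm has authenticated
        // the request, and isUserInRole() is then always false.
        String user = request.getRemoteUser();
        if (user == null) {
            return Outcome.NOT_AUTHENTICATED;
        }
        // Step 2: ask the container, passing the webapp role name (not the
        // realm role name). Role names are compared case-sensitively.
        return request.isUserInRole(webappRole) ? Outcome.IN_ROLE : Outcome.NOT_IN_ROLE;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Outcome outcome = check(request, WEBAPP_ROLE);
        // java.security.Principal is all the webapp needs; casting this to
        // Tomcat's GenericPrincipal is what produced the class loader errors.
        Principal principal = request.getUserPrincipal();
        switch (outcome) {
            case NOT_AUTHENTICATED:
                // A url-pattern <security-constraint> would normally have
                // challenged already; reaching this means the path is unprotected.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "not authenticated: getRemoteUser() is null");
                return;
            case NOT_IN_ROLE:
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "user " + principal.getName() + " is not in webapp role " + WEBAPP_ROLE);
                return;
            case IN_ROLE:
                response.setContentType("text/plain");
                PrintWriter out = response.getWriter();
                out.println("user " + principal.getName() + " is in role " + WEBAPP_ROLE);
                return;
        }
    }
}
```

If the servlet reports NOT_AUTHENTICATED on a URL you expected to be protected, the problem is the <security-constraint>, not the role check; if it reports NOT_IN_ROLE, compare the <role-link> against the exact role string your realm returns, including case.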
