tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 18:54:59 GMT

Robin,

Robin Coe wrote:

| The Tomcat code that is failing for my auth check is
| (http://kickjava.com/src/org/apache/catalina/realm/RealmBase.java.htm):

Are you sure this is your version?

The 5.5.17 version of this file is available here:
http://svn.apache.org/repos/asf/tomcat/container/tags/tc5.5.x/TOMCAT_5_5_12/catalina/src/share/org/apache/catalina/realm/RealmBase.java

|             } else if(!denyfromall) {
|
|                 for (int j = 0; j < roles.length; j++) {
|                     if (hasRole(principal, roles[j]))
|                         status = true;
|                     if( log.isDebugEnabled() )
|                         log.debug( "No role found: " + roles[j]);
|                 }
|             }

The above code does not match what I see in the version from SVN, but it
is close enough. You're right: it calls hasRole, and the hasRole
implementation is as shown below:

| public boolean hasRole(Principal principal, String role) {
|
|         // Should be overriten in JAASRealm - to avoid pretty inefficient conversions
|         if ((principal == null) || (role == null) ||
|             !(principal instanceof GenericPrincipal))
|             return (false);

etc.

Assuming that the code continues beyond this point, /some/ type of log
message should be expected. Given that no output is between the
"Checking roles" log statement and "No role found: " statement, it looks
like the Principal object might not be a GenericPrincipal.

JAASRealm.createPrincipal returns a GenericPrincipal object, so this
should be okay. Given that you are doing a lot of stuff through software
and not configuration, is it possible that you are creating your own
Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm  - Checking Principal "landscape" [com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]

Yup. Looks like you are using a Principal not supported by RealmBase.
Does UserGroupPrincipal extend GenericPrincipal? If not, you should
ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

-chris
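
The type check discussed in this message, as an added example that is not part of the original post and is not Tomcat's own code. The `GenericPrincipal` class is a simplified stand-in for `org.apache.catalina.realm.GenericPrincipal`; the two principal subclasses, the `admin` role, and the body after the guard (elided with "etc." in the message) are assumptions.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

public class PrincipalTypeCheck {
    // Simplified stand-in for org.apache.catalina.realm.GenericPrincipal
    // (assumption: only the name and the role list are modelled).
    static class GenericPrincipal implements Principal {
        private final String name;
        private final List<String> roles;
        GenericPrincipal(String name, List<String> roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Hypothetical principal that implements only java.security.Principal.
    static class PlainUserGroupPrincipal implements Principal {
        private final String name;
        PlainUserGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical principal that extends the stand-in GenericPrincipal.
    static class RealmUserGroupPrincipal extends GenericPrincipal {
        RealmUserGroupPrincipal(String name, List<String> roles) { super(name, roles); }
    }

    // Same guard as the RealmBase.hasRole excerpt quoted in the message;
    // the line after the guard is an assumption.
    static boolean hasRole(Principal principal, String role) {
        if ((principal == null) || (role == null) || !(principal instanceof GenericPrincipal))
            return false; // fails closed: an unknown principal type holds no roles
        return ((GenericPrincipal) principal).hasRole(role);
    }

    public static void main(String[] args) {
        // Constructed sample data: user "landscape" with a single role "admin".
        Principal plain = new PlainUserGroupPrincipal("landscape");
        Principal realm = new RealmUserGroupPrincipal("landscape", Arrays.asList("admin"));
        System.out.println("plain instanceof GenericPrincipal: " + (plain instanceof GenericPrincipal));
        System.out.println("hasRole(plain, admin): " + hasRole(plain, "admin"));
        System.out.println("hasRole(realm, admin): " + hasRole(realm, "admin"));
        try {
            GenericPrincipal gp = (GenericPrincipal) plain; // compiles, fails at run time
            System.out.println(gp.getName());
        } catch (ClassCastException e) {
            System.out.println("cast failed: ClassCastException");
        }
    }
}
```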