tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 18:54:59 GMT

Robin Coe wrote:

| The Tomcat code that is failing for my auth check is
| (

Are you sure this is your version?

The 5.5.17 version of this file is available here:

|             } else if(!denyfromall) {
|
|                 for (int j = 0; j < roles.length; j++) {
|                     if (hasRole(principal, roles[j]))
|                         status = true;
|                     if( log.isDebugEnabled() )
|                         log.debug( "No role found: " + roles[j]);
|                 }
|             }

The above code does not match what I see in the version from SVN, but it
is close enough. You're right: it calls hasRole, and the hasRole
implementation is as shown below:

| public boolean hasRole(Principal principal, String role) {
|
|         // Should be overridden in JAASRealm - to avoid pretty inefficient conversions
|         if ((principal == null) || (role == null) ||
|             !(principal instanceof GenericPrincipal))
|             return (false);


Assuming that the code continues beyond this point, /some/ type of log
message should be expected. Given that no output is between the
"Checking roles" log statement and "No role found: " statement, it looks
like the Principal object might not be a GenericPrincipal.

JAASRealm.createPrincipal returns a GenericPrincipal object, so this
should be okay. Given that you are doing a lot of stuff through software
and not configuration, is it possible that you are creating your own
Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm  - Checking Principal "landscape"

Yup. Looks like you are using a Principal not supported by RealmBase.
Does UserGroupPrincipal extend GenericPrincipal? If not, you should
ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

-chris
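
The type check discussed in this message, as an added example that is not part of the original message and is not Tomcat's own code. The `GenericPrincipal` class here is a simplified stand-in, `UserGroupPrincipal` is a hypothetical reconstruction of the poster's class, the role name `admin` is constructed, and the delegation after the guard is an assumption about how the method continues.

```java
import java.security.Principal;
import java.util.Set;

public class PrincipalTypeCheck {
    // Simplified stand-in for Tomcat's GenericPrincipal (assumption: name and roles only).
    static class GenericPrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        GenericPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Hypothetical custom principal that implements only the java.security.Principal interface.
    static class UserGroupPrincipal implements Principal {
        private final String name;
        UserGroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Same guard as the quoted excerpt; what follows the guard is an assumption.
    static boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof GenericPrincipal))
            return false; // denies access without producing any log output
        return ((GenericPrincipal) principal).hasRole(role);
    }

    public static void main(String[] args) {
        Principal custom = new UserGroupPrincipal("landscape");
        Principal generic = new GenericPrincipal("landscape", Set.of("admin"));

        // An authenticated user whose principal is the wrong type is never authorized.
        System.out.println("custom  principal hasRole: " + hasRole(custom, "admin"));
        System.out.println("generic principal hasRole: " + hasRole(generic, "admin"));

        // Implementing Principal does not make an object castable to GenericPrincipal.
        try {
            GenericPrincipal gp = (GenericPrincipal) custom;
            System.out.println("cast succeeded: " + gp.getName());
        } catch (ClassCastException e) {
            System.out.println("cast failed: ClassCastException");
        }
    }
}
```

The guard fails closed, so the visible symptom is a user who authenticates successfully and is then denied every role with no log line from the check itself.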