tomcat-users mailing list archives

From Robin Coe <Robin....@kaleidescape.com>
Subject JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 16:09:44 GMT
I have written a JAAS-enabled web-app that successfully uses my LDAP service to authenticate
a user and populate the Subject with several Principals.  I have set up my web-app to use
FORM based authentication and can successfully use request.isUserInRole("rolename") to authorize
my user against the Principals.  However, when I declare a protected resource declaratively,
and specify that the resource is protected with "rolename", Tomcat fails to authorize the
user for that resource.

The logging messages I receive are as follows:
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Login Page]' against GET /home.vm --> false
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /home.vm --> true
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase -   User data constraint has no restrictions
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase -   Checking roles CN=user1,OU=Active,OU=Users,OU=companyname,DC=domainname,DC=com
2008-05-05 11:41:34,967 2406495 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - No role found:  rolename

I notice that the Catalina source code does not use the isUserInRole method to authorize and
I wonder why that's the case.  More importantly, I wonder why my user cannot access a protected
resource when that resource is protected by a security-constraint, when I can use a filter
and programmatically check for that same role and succeed.

I am running Tomcat 5.5.12 with Sun 1.4.2_17 JVM.

Thanks for any and all help.
Robin.
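The following is an added illustration and is not code from the original post or from Tomcat itself. It models how Tomcat's JAASRealm derives container roles from a JAAS Subject: after the LoginModule succeeds, only Principals whose class name appears in the realm's roleClassNames attribute are treated as roles, so a declarative security-constraint is evaluated against those names alone, whereas a servlet filter that walks the Subject itself can see every Principal. The principal classes (UserPrincipal, RolePrincipal), the DN and the role name are constructed for the example; the Realm attributes named in the comment (appName, userClassNames, roleClassNames) are real JAASRealm attributes, and the reader has to substitute their own LoginModule's class names.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Demonstrates why a Subject full of Principals can still fail a
 * <security-constraint> check: the realm only recognises role Principals
 * of the classes it was told about. Example code, not Tomcat's own.
 *
 * Matching server.xml fragment (class names are this example's, substitute
 * your LoginModule's):
 *   <Realm className="org.apache.catalina.realm.JAASRealm"
 *          appName="MyApp"
 *          userClassNames="RoleMappingDemo$UserPrincipal"
 *          roleClassNames="RoleMappingDemo$RolePrincipal"/>
 */
public final class RoleMappingDemo {

    /** Identity principal, e.g. the LDAP distinguished name (constructed). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** One instance per granted role (constructed). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * What the realm effectively does after login: collect getName() of every
     * Principal whose class is listed as a role class. Principals of any other
     * class, including the user DN, never become roles.
     */
    static Set<String> rolesFromSubject(Subject subject, Set<String> roleClassNames) {
        Set<String> roles = new HashSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    /** Declarative-constraint style check: is the required role among the mapped roles? */
    static boolean hasRole(Subject subject, Set<String> roleClassNames, String role) {
        return rolesFromSubject(subject, roleClassNames).contains(role);
    }

    /** Filter-style check: scan every Principal regardless of class. */
    static boolean anyPrincipalNamed(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(
                "CN=user1,OU=Active,OU=Users,OU=companyname,DC=domainname,DC=com"));
        subject.getPrincipals().add(new RolePrincipal("rolename"));

        // Realm configured without roleClassNames: no Principal counts as a role,
        // so the constraint denies access even though the Subject carries "rolename".
        Set<String> none = Collections.emptySet();
        System.out.println("constraint, no roleClassNames : " + hasRole(subject, none, "rolename"));

        // A filter that inspects the Subject directly still finds it, which is the
        // asymmetry between programmatic and declarative checks.
        System.out.println("filter scanning all principals: " + anyPrincipalNamed(subject, "rolename"));

        // Realm told which class represents roles: the constraint now passes.
        Set<String> configured = Collections.singleton(RolePrincipal.class.getName());
        System.out.println("constraint, roleClassNames set: " + hasRole(subject, configured, "rolename"));
    }
}
```

Compile and run with `javac RoleMappingDemo.java && java RoleMappingDemo`. The design point for a defender is that declarative constraints are only as good as the realm's role mapping: when the mapping is empty the container fails closed (every constrained resource is denied), which is the safe failure mode, but it also means a role check that passes in a filter is no evidence that the equivalent security-constraint is enforced. Verifying the roleClassNames (and userClassNames) attributes against the exact class names your LoginModule puts into the Subject is the first thing to check when the realm logs "No role found".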
