From Robin Coe <Robin....@kaleidescape.com>
Subject RE: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 20:15:50 GMT
Thanks Chris, that must be it.  Can't believe I missed that.  Unfortunately, this class is
part of the Catalina codebase, which makes it necessary to use a runtime check and invoking
a GenericPrincipal subclass when running inside Tomcat.  I don't want to include the Catalina
jar or be dependent on running Tomcat exclusively.

I find it strange that the code works by calling request.isUserInRole(), when using a class
that implements the Principal interface, but fails when using declared roles.  It's annoying
that the Tomcat docs don't mention the necessity of extending GenericPrincipal when rolling
your own implementation.

Thanks to you guys for helping me out!

Robin.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Monday, May 05, 2008 2:55 PM
To: Tomcat Users List
Subject: Re: JAAS authenticated user fails authorization check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin,

Robin Coe wrote:

| The Tomcat code that is failing for my auth check is
| (http://kickjava.com/src/org/apache/catalina/realm/RealmBase.java.htm):

Are you sure this is your version?

The 5.5.17 version of this file is available here:
http://svn.apache.org/repos/asf/tomcat/container/tags/tc5.5.x/TOMCAT_5_5_12/catalina/src/share/org/apache/catalina/realm/RealmBase.java

|             } else if(!denyfromall) {
|                 for (int j = 0; j < roles.length; j++) {
|                     if (hasRole(principal, roles[j]))
|                         status = true;
|                     if( log.isDebugEnabled() )
|                         log.debug( "No role found: " + roles[j]);
|                 }
|             }

The above code does not match what I see in the version from SVN, but it
is close enough. You're right: it calls hasRole, and the hasRole
implementation is as shown below:

| public boolean hasRole(Principal principal, String role) {
|
|         // Should be overridden in JAASRealm - to avoid pretty
|         // inefficient conversions
|         if ((principal == null) || (role == null) ||
|             !(principal instanceof GenericPrincipal))
|             return (false);

etc.

Assuming that the code continues beyond this point, /some/ type of log
message should be expected. Given that no output is between the
"Checking roles" log statement and "No role found: " statement, it looks
like the Principal object might not be a GenericPrincipal.

JAASRealm.createPrincipal returns a GenericPrincipal object, so this
should be okay. Given that you are doing a lot of stuff through software
and not configuration, is it possible that you are creating your own
Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm  - Checking Principal "landscape"
[com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]

Yup. Looks like you are using a Principal not supported by RealmBase.
Does UserGroupPrincipal extend GenericPrincipal? If not, you should
ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgfWAMACgkQ9CaO5/Lv0PDjjwCfWZ7D9/43x03H0KkZMDik57kk
mo8AoLtTo321eLx4AFzGQi/xGF/GgUK7
=5INN
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
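A worked example of the fix discussed in this thread, added here and not code from the thread or from Tomcat's own sources. It assumes Tomcat 5.5 (catalina.jar on the compile classpath, and the 5.5 GenericPrincipal constructor taking a Realm, a name, a password and a role List; check that signature against your version) and uses hypothetical package and class names. It shows a plain Principal that the quoted RealmBase.hasRole() rejects, a GenericPrincipal subclass that it accepts, and the runtime check Robin describes, so the webapp only loads the Tomcat-specific class when Catalina is actually present:

```java
// Added illustration, not code from this thread or from Tomcat. Assumes
// Tomcat 5.5 (org.apache.catalina.realm.GenericPrincipal on the compile
// classpath); package and class names are hypothetical. In a real project
// each public class below lives in its own source file.
package com.example.auth;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Container-neutral principal. request.isUserInRole() works with it only if
 * the container's realm accepts it; RealmBase.hasRole() in the quoted Tomcat
 * source returns false for anything that is not a GenericPrincipal, so with
 * this class alone every declared-role check fails closed (access denied).
 */
public class PortablePrincipal implements Principal {
    private final String name;
    private final List<String> roles;

    public PortablePrincipal(String name, List<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableList(new ArrayList<String>(roles));
    }

    public String getName() { return name; }

    public boolean hasRole(String role) { return roles.contains(role); }
}

/**
 * Tomcat-specific variant: extends GenericPrincipal so that the
 * "principal instanceof GenericPrincipal" test in RealmBase.hasRole() passes
 * and RealmBase delegates to GenericPrincipal.hasRole(role). Only ever loaded
 * by name (see PrincipalFactory), so catalina.jar is not needed outside Tomcat.
 */
public class TomcatUserGroupPrincipal
        extends org.apache.catalina.realm.GenericPrincipal {

    public TomcatUserGroupPrincipal(String name, List<String> roles) {
        // Assumed Tomcat 5.5 constructor: (Realm realm, String name,
        // String password, List roles). Realm and password play no part in
        // GenericPrincipal.hasRole(), so null is acceptable here.
        super(null, name, null, new ArrayList<String>(roles));
    }
}

/** Picks the implementation at runtime, as Robin's reply proposes. */
public final class PrincipalFactory {
    private static final String TOMCAT_MARKER =
            "org.apache.catalina.realm.GenericPrincipal";
    private static final String TOMCAT_IMPL =
            "com.example.auth.TomcatUserGroupPrincipal";  // hypothetical name

    private PrincipalFactory() {}

    public static Principal create(String name, List<String> roles) {
        ClassLoader cl = PrincipalFactory.class.getClassLoader();
        try {
            // Probe without initializing: is Catalina visible to this webapp?
            Class.forName(TOMCAT_MARKER, false, cl);
        } catch (ClassNotFoundException notTomcat) {
            return new PortablePrincipal(name, roles);
        }
        try {
            // Reflective load keeps this factory free of direct references to
            // the Tomcat-specific class, so it compiles and loads without
            // catalina.jar when deployed elsewhere.
            Class<?> impl = Class.forName(TOMCAT_IMPL, true, cl);
            return (Principal) impl
                    .getConstructor(String.class, List.class)
                    .newInstance(name, roles);
        } catch (Exception e) {
            // Surface the misconfiguration instead of returning a principal
            // that would silently fail every isUserInRole() check.
            throw new IllegalStateException(
                    "Tomcat detected but " + TOMCAT_IMPL + " is unusable", e);
        }
    }
}
```

Note the direction of the failure: the quoted instanceof check denies every declared role to a Principal that is not a GenericPrincipal, it never grants one, which is why the symptom is an authorization failure after a successful login rather than a bypass. The Class.forName probe with initialize=false avoids running static initializers just to detect the container, and the reflective constructor call is what lets PrincipalFactory load on a JVM that has no catalina.jar at all.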

