tomcat-users mailing list archives

From Robin Coe <>
Subject RE: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 20:15:50 GMT
Thanks Chris, that must be it.  Can't believe I missed that.  Unfortunately, this class is
part of the Catalina codebase, which makes it necessary to use a runtime check and invoking
a GenericPrincipal subclass when running inside Tomcat.  I don't want to include the Catalina
jar or be dependent on running Tomcat exclusively.

I find it strange that the code works by calling request.isUserInRole(), when using a class
that implements the Principal interface, but fails when using declared roles.  It's annoying
that the Tomcat docs don't mention the necessity of extending GenericPrincipal when rolling
your own implementation.

Thanks to you guys for helping me out!


-----Original Message-----
From: Christopher Schultz []
Sent: Monday, May 05, 2008 2:55 PM
To: Tomcat Users List
Subject: Re: JAAS authenticated user fails authorization check



Robin Coe wrote:

| The Tomcat code that is failing for my auth check is
| (

Are you sure this is your version?

The 5.5.17 version of this file is available here:

|             } else if(!denyfromall) {
|
|                 for (int j = 0; j < roles.length; j++) {
|                     if (hasRole(principal, roles[j]))
|                         status = true;
|                     if( log.isDebugEnabled() )
|                         log.debug( "No role found: " + roles[j]);
|                 }
|             }

The above code does not match what I see in the version from SVN, but it's
close enough. You're right: it calls hasRole, and the hasRole
implementation is as shown below:

|     public boolean hasRole(Principal principal, String role) {
|
|         // Should be overridden in JAASRealm - to avoid pretty inefficient conversions
|         if ((principal == null) || (role == null) ||
|             !(principal instanceof GenericPrincipal))
|             return (false);


Assuming that the code continues beyond this point, /some/ type of log
message should be expected. Given that no output is between the
"Checking roles" log statement and "No role found: " statement, it looks
like the Principal object might not be a GenericPrincipal.

JAASRealm.createPrincipal returns a GenericPrincipal object, so this
should be okay. Given that you are doing a lot of stuff through software
and not configuration, is it possible that you are creating your own
Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm  - Checking Principal "landscape"

Yup. Looks like you are using a Principal not supported by RealmBase.
Does UserGroupPrincipal extend GenericPrincipal? If not, you should
ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

-chris
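An added example, not code from this thread or from Tomcat itself, showing why a principal that only implements java.security.Principal is silently denied while a GenericPrincipal subclass passes the guard quoted above. It assumes the Tomcat 5.5 constructor GenericPrincipal(Realm realm, String name, String password, List roles) and its hasRole(String) method; UserGroupPrincipal and PlainUserGroupPrincipal are hypothetical re-creations of the poster's class, and the group names are constructed sample data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;

/** Hypothetical: implements only Principal, so RealmBase.hasRole() rejects it
 *  at the instanceof guard before ever looking at the groups it carries. */
final class PlainUserGroupPrincipal implements Principal {
    private final String name;
    private final List groups;
    PlainUserGroupPrincipal(String name, List groups) { this.name = name; this.groups = groups; }
    public String getName() { return name; }
    public boolean isInGroup(String group) { return groups.contains(group); }
}

/** Hypothetical fix: extends GenericPrincipal so the guard passes and the
 *  inherited hasRole() answers from the role list handed to super(). */
public class UserGroupPrincipal extends GenericPrincipal {
    public UserGroupPrincipal(String name, List groups) {
        // Assumed Tomcat 5.5 signature (Realm, name, password, roles). The realm is
        // not known at login time, and the password is not retained, so both are null.
        super(null, name, null, groups);
    }
}

class AuthzCheckDemo {
    // Re-creates the guard quoted from RealmBase.hasRole() so the effect is visible
    // outside a running container; it is not Tomcat's own code.
    static boolean realmBaseWouldAccept(Principal p, String role) {
        if (p == null || role == null || !(p instanceof GenericPrincipal)) return false;
        return ((GenericPrincipal) p).hasRole(role);
    }

    public static void main(String[] args) {
        List groups = Arrays.asList(new String[] {"landscape-users", "admin"});  // constructed
        Principal plain = new PlainUserGroupPrincipal("landscape", groups);
        Principal generic = new UserGroupPrincipal("landscape", groups);
        // Rejected by the instanceof guard, with no role lookup and no log line in between.
        System.out.println("plain principal accepted:   " + realmBaseWouldAccept(plain, "admin"));
        // Accepted: GenericPrincipal.hasRole() finds "admin" in the sorted role array.
        System.out.println("generic principal accepted: " + realmBaseWouldAccept(generic, "admin"));
    }
}
```

Compile against the catalina.jar of the Tomcat version in use, since the GenericPrincipal constructor arguments changed in later releases.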


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
