tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Royals <tomcat-mailingl...@fragstealers.com>
Subject Mapping role names to groups
Date Thu, 06 Aug 2009 11:02:22 GMT
Hello Tomcatters,

Consider the following scenario. I have a Java web application, and it
is a packaged, commercial application I may not change it. In fact, I
don't have the source so I couldn't even if I wanted to.

The application declares two roles in web.xml - "users" and "admins". In
our corporate environment, those role names are far too generic to be
group names in our LDAP repository.  The groups in LDAP are called
SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
names to the roles declared in the web.xml.

We have this running currently on Weblogic, and to map the roles to
groups, we have a Weblogic configuration as follows (in weblogic.xml)

<weblogic-web-app>
    ....
    <security-role-assignment>
         <role-name>users</role-name>
         <principal-name>SG-FooBar-Users</principal-name>
    </security-role-assignment>
    <security-role-assignment>
         <role-name>admins</role-name>
         <principal-name>SG-FooBar-Admins</principal-name>
    </security-role-assignment>
    ....
</weblogic-web-app>

Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
features in their container-specific configurations.

How can I achieve the same result in Tomcat, remembering I cannot change
the application, and I cannot change the groups or the LDAP repository
(which has hundreds of thousands of users and groups)?  Is it even
possible with Tomcat?

Thanks,
Jason


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message