tomcat-users mailing list archives

From Jason Royals <>
Subject Re: Mapping role names to groups
Date Thu, 06 Aug 2009 12:33:13 GMT
Thanks for the advice, but I think <security-role-ref> is only valid
within the context of a <servlet> element though? As such, it won't work
on JSPs or other resources that might do a
request.isUserInRole("admin") but are not servlets themselves (such as
filters and listeners). I'd also like to avoid changing anything in
web.xml if possible. Configuring the container is fine (e.g., server.xml)
but messing around too much in the application WAR package could be

I have googled for this and came up with nothing useful, which surprises
me given that many organisations use a centralised LDAP repository that
has unfriendly group names, and we can't expect vendors to know what
crazy and devilish naming schemes our internal security admins will
dream up next. Hence our need to have the container perform such a group
-> role mapping per-application, without our application knowing about

The closest I could find in was this: but it's not the
happy ending I was hoping for. I was hoping for a more tomcat standard
way (à la weblogic.xml or JBoss' RoleMappingLoginModule) rather than
having to hack my own Realm :-)

This is just one application we're migrating off our legacy Weblogic
environment and I have quite a few like it, so a non-invasive approach
would be perfect if it exists.


On Thu, 2009-08-06 at 07:21 -0400, Tim Funk wrote:
> Try adding this to web.xml (and IIUC - this is portable across all 
> containers)
> <security-role-ref>
>      <role-name>users</role-name>
>      <role-link>SG-FooBar-Users</role-link>
> </security-role-ref>
> <security-role-ref>
>      <role-name>admins</role-name>
>      <role-link>SG-FooBar-Admins</role-link>
> </security-role-ref>
> -Tim
> Jason Royals wrote:
> > Hello Tomcatters,
> > 
> > Consider the following scenario. I have a Java web application, and it
> > is a packaged, commercial application that I may not change. In fact, I
> > don't have the source so I couldn't even if I wanted to.
> > 
> > The application declares two roles in web.xml - "users" and "admins". In
> > our corporate environment, those role names are far too generic to be
> > group names in our LDAP repository.  The groups in LDAP are called
> > SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
> > names to the roles declared in the web.xml.
> > 
> > We have this running currently on Weblogic, and to map the roles to
> > groups, we have a Weblogic configuration as follows (in weblogic.xml)
> > 
> > <weblogic-web-app>
> >     ....
> >     <security-role-assignment>
> >          <role-name>users</role-name>
> >          <principal-name>SG-FooBar-Users</principal-name>
> >     </security-role-assignment>
> >     <security-role-assignment>
> >          <role-name>admins</role-name>
> >          <principal-name>SG-FooBar-Admins</principal-name>
> >     </security-role-assignment>
> >     ....
> > </weblogic-web-app>
> > 
> > Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
> > features in their container-specific configurations.
> > 
> > How can I achieve the same result in Tomcat, remembering I cannot change
> > the application, and I cannot change the groups or the LDAP repository
> > (which has hundreds of thousands of users and groups)?  Is it even
> > possible with Tomcat?
> > 
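Added example, not from this thread or from Tomcat: a stand-alone Python model of the group -> role mapping that weblogic.xml's <security-role-assignment> expresses, so the check a container has to make behind request.isUserInRole() can be seen in isolation. The sample XML is constructed (the SG-FooBar-* group names are the ones from the thread, plus one role deliberately mapped to two groups); the function names are my own.

```python
# Added example (not from the thread): models the container-side
# group -> role mapping that weblogic.xml's <security-role-assignment>
# expresses. Only the element shape quoted in the thread is parsed.
import xml.etree.ElementTree as ET

# Constructed sample in the weblogic.xml shape quoted in the thread.
# "users" is mapped to two LDAP groups so admins are users as well.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>users</role-name>
    <principal-name>SG-FooBar-Users</principal-name>
    <principal-name>SG-FooBar-Admins</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>admins</role-name>
    <principal-name>SG-FooBar-Admins</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def parse_role_assignments(xml_text):
    """Return {role-name: set(principal-names)} from every
    <security-role-assignment> element in the document."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for assignment in root.iter("security-role-assignment"):
        role = assignment.findtext("role-name")
        if role is None:
            raise ValueError("security-role-assignment without role-name")
        principals = {p.text.strip()
                      for p in assignment.findall("principal-name") if p.text}
        mapping.setdefault(role.strip(), set()).update(principals)
    return mapping


def is_user_in_role(mapping, user_groups, role):
    """Container-side equivalent of request.isUserInRole(role).

    A role is granted only through an explicit assignment: a role that is
    not mapped is denied even if the user has an LDAP group that happens
    to share its name, and group names are compared exactly, just as
    role names are."""
    return not mapping.get(role, set()).isdisjoint(user_groups)


if __name__ == "__main__":
    roles = parse_role_assignments(WEBLOGIC_XML)
    print(is_user_in_role(roles, {"SG-FooBar-Users"}, "admins"))  # False
```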
