tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <>
Subject Re: Mapping role names to groups
Date Thu, 06 Aug 2009 11:21:14 GMT
Try adding this to web.xml (and IIUC - this is portable across all 



Jason Royals wrote:
> Hello Tomcatters,
> Consider the following scenario. I have a Java web application, and it
> is a packaged, commercial application I may not change it. In fact, I
> don't have the source so I couldn't even if I wanted to.
> The application declares two roles in web.xml - "users" and "admins". In
> our corporate environment, those role names are far too generic to be
> group names in our LDAP repository.  The groups in LDAP are called
> SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
> names to the roles declared in the web.xml.
> We have this running currently on Weblogic, and to map the roles to
> groups, we have a Weblogic configuration as follows (in weblogic.xml)
> <weblogic-web-app>
>     ....
>     <security-role-assignment>
>          <role-name>users</role-name>
>          <principal-name>SG-FooBar-Users</principal-name>
>     </security-role-assignment>
>     <security-role-assignment>
>          <role-name>admins</role-name>
>          <principal-name>SG-FooBar-Admins</principal-name>
>     </security-role-assignment>
>     ....
> </weblogic-web-app>
> Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
> features in their container-specific configurations.
> How can I achieve the same result in Tomcat, remembering I cannot change
> the application, and I cannot change the groups or the LDAP repository
> (which has hundreds of thousands of users and groups)?  Is it even
> possible with Tomcat?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message