tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <funk...@apache.org>
Subject Re: Mapping role names to groups
Date Thu, 06 Aug 2009 11:21:14 GMT
Try adding this to web.xml (and IIUC - this is portable across all 
containers)

<security-role-ref>
     <role-name>users</role-name>
     <role-link>SG-FooBar-Users</role-link>
</security-role-ref>
<security-role-ref>
     <role-name>admins</role-name>
     <role-link>SG-FooBar-Admins</role-link>
</security-role-ref>


-Tim


Jason Royals wrote:
> Hello Tomcatters,
> 
> Consider the following scenario. I have a Java web application, and it
> is a packaged, commercial application I may not change it. In fact, I
> don't have the source so I couldn't even if I wanted to.
> 
> The application declares two roles in web.xml - "users" and "admins". In
> our corporate environment, those role names are far too generic to be
> group names in our LDAP repository.  The groups in LDAP are called
> SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
> names to the roles declared in the web.xml.
> 
> We have this running currently on Weblogic, and to map the roles to
> groups, we have a Weblogic configuration as follows (in weblogic.xml)
> 
> <weblogic-web-app>
>     ....
>     <security-role-assignment>
>          <role-name>users</role-name>
>          <principal-name>SG-FooBar-Users</principal-name>
>     </security-role-assignment>
>     <security-role-assignment>
>          <role-name>admins</role-name>
>          <principal-name>SG-FooBar-Admins</principal-name>
>     </security-role-assignment>
>     ....
> </weblogic-web-app>
> 
> Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
> features in their container-specific configurations.
> 
> How can I achieve the same result in Tomcat, remembering I cannot change
> the application, and I cannot change the groups or the LDAP repository
> (which has hundreds of thousands of users and groups)?  Is it even
> possible with Tomcat?
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message