tomcat-users mailing list archives

From Shashank Rachamalla <shashank....@wipro.com>
Subject Re: Authentication without Authorization ( JNDI Realm ) - Resolved
Date Thu, 10 Dec 2009 04:00:29 GMT

Hi

Had to use roleSearch="(mail={1})" instead of roleSearch="(mail={0})".

{0} takes the user DN, whereas {1} takes the username.

Regards
Shashank.

On Fri, 2009-12-04 at 16:04 +0530, Shashank Rachamalla wrote:
> Hi
> 
> The following is the Realm configuration being used:
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>         connectionName="cn=Manager,dc=wipro,dc=com"
>         connectionPassword="secret"
>         connectionURL="ldap://ldapprime.pesgrid.wipro.com:389"
>         userBase="dc=wipro,dc=com" 
>         userSubtree="true"  
>         userSearch="(mail={0})"
>         roleBase="dc=wipro,dc=com"
>         roleSubtree="true"
>         roleName="objectClass"
>         roleSearch="(mail={0})"/>
> 
> The following is the security constraint specified in web.xml
> 
> <security-constraint>
>         <web-resource-collection>
>                 <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>                 <role-name>*</role-name>
>         </auth-constraint>
> </security-constraint>
> 
> <login-config>
>         <auth-method>BASIC</auth-method>
> </login-config>
> 
> <security-role>
>         <role-name>inetOrgPerson</role-name>
> </security-role>
> 
> 
> The following is an entry added to LDAP for testing:
> 
> dn: uid=ccpadmin, dc=wipro,dc=com
> mail: ccpadmin@wipro.com
> uid: ccpadmin
> userPassword:: YWRtaW4xMjM=
> objectClass: inetOrgPerson
> givenName: Cloud
> sn: Administrator
> cid: cloud
> cn: Cloud Administrator
> 
> 
> I am able to authenticate but authorization seems to fail (error 403 forbidden).
> 
> Regards
> Shashank
> 
> 
> On Wed, 2009-12-02 at 19:16 -0800, Robert Koberg wrote:
> > On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > Chuck,
> > > 
> > > On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
> > >>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > >>> Subject: Re: Authentication without Authorization ( JNDI Realm )
> > >>> 
> > >>> Technically speaking, this will require authentication but then let
> > >>> anyone holding any role defined in web.xml to access any page on your
> > >>> site.
> > >> 
> > >> But the valid roles still have to be listed in web.xml to be compliant with the spec.
> > > 
> > > Yes. That's why I said "technically" and "practically".
> > > 
> > >>> Practically speaking, you don't even need to define the roles in
> > >>> web.xml because (last time I checked), Tomcat treats '*' as
> > >>> "authenticated, regardless of roles".
> > >> 
> > >> That was a bug, now fixed:
> > >> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
> > > 
> > > I'll have to look elsewhere in the code, then. What I saw in
> > > GenericPrincipal clearly takes, ahem, liberties with the spec.
> > 
> > (don't know if this has been mentioned)
> > 
> > There is the @PermitAll (and @DenyAll, @RolesAllowed) annotations. It requires a servlet 3.0 container or some framework that allows it (I like Jersey).
> > 
> > best,
> > -Rob
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
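The following is an added example, not Tomcat's code and not anything posted in the thread. It simulates the two searches JNDIRealm performs with the quoted configuration (userSearch with {0} = username, then roleSearch with {0} = user DN and {1} = username, collecting the roleName attribute from every matched entry) against an in-memory copy of the quoted test entry, and then applies the web.xml rule Chuck states in the quoted replies: "*" in an auth-constraint means any role listed in a security-role element. Assumptions: the directory, the search function (single equality filters only, which is all the quoted configuration uses), the realm dictionaries BROKEN and FIXED, and the status_for helper are all constructed here; the RFC 4515 escaping of substituted values is a practitioner's precaution added to the example, and the thread says nothing about how any Tomcat version escapes filter values.

```python
"""Simulation of JNDIRealm {0}/{1} substitution and a web.xml auth-constraint check.
Added example; the directory below is constructed from the entry quoted in the thread."""
import re

# Constructed in-memory directory mirroring the quoted test entry.
# Attribute names are lower-cased; every attribute is multi-valued.
DIRECTORY = {
    "uid=ccpadmin,dc=wipro,dc=com": {
        "mail": ["ccpadmin@wipro.com"],
        "uid": ["ccpadmin"],
        "objectclass": ["inetOrgPerson"],
        "givenname": ["Cloud"],
        "sn": ["Administrator"],
        "cn": ["Cloud Administrator"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so that
    '*', '(', ')', '\\' or NUL in a username cannot change the filter's structure.
    Added here as a practitioner's check (an assumption, not Tomcat's behaviour)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(value):
    """Reverse RFC 4515 hex escapes when matching a filter against the directory."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_search_filter(pattern, username):
    """userSearch: {0} is the username typed at the login prompt."""
    return pattern.replace("{0}", escape_filter_value(username))


def role_search_filter(pattern, user_dn, username):
    """roleSearch: {0} is the DN of the authenticated user, {1} is the username."""
    return (pattern.replace("{0}", escape_filter_value(user_dn))
                   .replace("{1}", escape_filter_value(username)))


_EQ = re.compile(r"^\((\w+)=([^()]*)\)$")


def search(filter_str):
    """Evaluate one equality filter '(attr=value)' against DIRECTORY; return matching DNs.
    Only this filter shape is supported (constructed simplification)."""
    m = _EQ.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, value = m.group(1).lower(), _unescape(m.group(2))
    return [dn for dn, entry in DIRECTORY.items() if value in entry.get(attr, [])]


def lookup_roles(realm, username):
    """Mimic the realm: find exactly one user, then gather roleName values from
    every entry matched by roleSearch.  None means authentication failed."""
    users = search(user_search_filter(realm["userSearch"], username))
    if len(users) != 1:
        return None
    user_dn = users[0]
    roles = set()
    for dn in search(role_search_filter(realm["roleSearch"], user_dn, username)):
        roles.update(DIRECTORY[dn].get(realm["roleName"].lower(), []))
    return sorted(roles)


def authorize(declared_roles, auth_constraint, user_roles):
    """web.xml semantics as stated in the thread: '*' in <auth-constraint> means
    any role declared in a <security-role>.  Returns the HTTP status a request gets."""
    if user_roles is None:
        return 401
    allowed = set(declared_roles) if "*" in auth_constraint else set(auth_constraint)
    return 200 if allowed & set(user_roles) else 403


# The quoted realm as posted (BROKEN) and as resolved (FIXED); constructed dictionaries.
BROKEN = {"userSearch": "(mail={0})", "roleSearch": "(mail={0})", "roleName": "objectClass"}
FIXED = dict(BROKEN, roleSearch="(mail={1})")
DECLARED = ["inetOrgPerson"]          # the quoted <security-role>


def status_for(realm, username):
    """Status for a request to a /* resource guarded by <role-name>*</role-name>."""
    return authorize(DECLARED, ["*"], lookup_roles(realm, username))


if __name__ == "__main__":
    dn = "uid=ccpadmin,dc=wipro,dc=com"
    print("broken roleSearch ->", role_search_filter(BROKEN["roleSearch"], dn, "ccpadmin@wipro.com"))
    print("fixed  roleSearch ->", role_search_filter(FIXED["roleSearch"], dn, "ccpadmin@wipro.com"))
    print("broken:", status_for(BROKEN, "ccpadmin@wipro.com"))   # 403: DN is not a mail value
    print("fixed: ", status_for(FIXED, "ccpadmin@wipro.com"))    # 200: entry's objectClass becomes the role
    print("unknown user:", status_for(FIXED, "nobody@wipro.com"))  # 401
```

With {0} in roleSearch the filter becomes (mail=uid=ccpadmin,dc=wipro,dc=com), which matches nothing, so the user authenticates with an empty role set and every page returns 403; with {1} the user's own entry is matched and its objectClass value inetOrgPerson satisfies the "*" constraint because it is declared as a security-role. The escaping helper is the separate check a practitioner would want whenever a login name ends up inside a filter: a username such as *)(uid=* is turned into a literal value instead of a second filter clause.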

