tomcat-users mailing list archives

From "Fulford, William" <William.Fulf...@ngc.com>
Subject RE: Return from getRemoteUser and isUserInRole Inconsistent
Date Mon, 25 Jan 2010 23:23:09 GMT
Chris,

Sorry about that.  The text came off of a classified system.  The easiest way for me to get
it to you, without going through a lot of hoops, was to print it, make sure it's clean, scan
it, and attach it to a file.  Unfortunately I don’t have any character recognition software
handy, so I'll type it in:

server.xml:

...

<Realm className="org.apache.catalina.realm.JDNIRealm"
       debug="99"
       connectionURL="ldap://193.10.1.172:389/"
       userPattern="uid={0},ou=People,dc=aes,dc=com"
       roleBase="ou=group,dc=aes,dc=com"
       roleName="cn"
       roleSearch="memberUid=[1]"
/>

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

...

web.xml:

...

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>tgirs</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>owd</role-name>
</security-role>

...


The best way to characterize the behavior is that null or the correct user name is randomly
returned and true or false is randomly returned (unless the server is freshly restarted).  I
don't believe it’s a problem with the JavaScript or DWR interface, because I log out the
values returned by the Java methods, and they are the same.  My Java methods are just pass-throughs
to the javax.servlet.http.HttpServletRequest interface.

Doug
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Monday, January 25, 2010 2:38 PM
To: Tomcat Users List
Subject: Re: Return from getRemoteUser and isUserInRole Inconsistent

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug,

On 1/25/2010 4:59 PM, Fulford, William wrote:
> Attached are the relevant sections from the server.xml and web.xml,
> respectively.

This mailing list often strips attachments. Could you copy/paste
relevant sections into your next post? It's important to know what
authentication you are using and what the security constraints look
like. It would also be nice to see a few examples of URLs that your web
pages are trying to access.

> I'm using DWR to call Java methods in HttpServletInfo (a class I
> wrote) from a JavaScript using ExtJs:
> 
> ...
> 
> HttpServletInfo.getRemoteUser(function(user) { ... };
> 
> ...
> 
> HttpServletInfo.isUserInRole("tgirs", function(isInRole) { ... };
> 
> ...

The above doesn't have any information that's really useful to me, at
least not now. :(

> These are called every time my page is loaded (Ext.onReady).
> 
> I've tried with or without restarting Firefox, with or without
> restarting Tomcat, and via <ctrl>-<shift> Reload (Reload that clears
> private data).  The only consistency is that, after restarting
> Tomcat, the user name is returned, and isInRole is false.  Otherwise
> the results are inconsistent.

So, the function HttpServletInfo.getRemoteUser above returns
inconsistent results, or HttpServletRequest.getRemoteUser returns
inconsistent results?

...and if you just sit on the same page, repeatedly reloading the page,
HttpServletRequest.getRemoteUser and HttpServletRequest.isUserInRole
(for the same value every time) return essentially random results?

If it's the functions above that return random stuff, I'd look at those.
If it's Tomcat's implementation of those methods that appears to be
broken, then we'd have a lot of users out there storming the castle with
torches and pitchforks.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkteHSoACgkQ9CaO5/Lv0PBATQCeP4jBBqXuMOA18ePdejyUbcqR
N28AoJcWuvnpAJYCK2V7zhmz7iRSYaeI
=w7CV
-----END PGP SIGNATURE-----
