tomcat-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: Tomcat Manager WebApp authentication
Date Mon, 21 Nov 2011 19:49:58 GMT
On November 18, 2011 16:17 , Leo Donahue - PLANDEVX 
<LeoDonahue@mail.maricopa.gov> wrote:
>> Is it possible to ... or some other independent source for role 
>> information?
>> >  A sample using JNDI and active directory in the archives.
>> >
>> >  http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html
> And a SQL server DataSource Realm example also:
>
> http://www.mail-archive.com/users@tomcat.apache.org/msg75265.html  Last post.

The solutions at those links perform both authentication and role-based 
authorization.  I need just the ability to perform role-based 
authorization when tomcatAuthentication="false" for a connector.  Am I 
missing something described in one of the messages linked above?

I turned on all logging for catalina realms and authenticators and found 
that when tomcatAuthentication="true" then in 
org.apache.catalina.realm.RealmBase hasResourcePermission(), 
request.getPrincipal() returns an object of class GenericPrincipal, but 
when tomcatAuthentication="false" it returns an object of class 
CoyotePrincipal.  And the CoyotePrincipal class does not support roles.

Any advice on how to solve this problem?  I need Tomcat 6 to use the 
authentication performed by the front-end webserver without breaking the 
roles required by the Tomcat Manager webapp.

Here is what happens when tomcatAuthentication="true" and the Tomcat 
Manager webapp works:

Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling authenticate()
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'markmont' with type 'BASIC'
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling accessControl()
Nov 21, 2011 1:35:08 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE:   Checking roles GenericPrincipal[markmont(admin,manager,)]
Nov 21, 2011 1:35:08 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found:  manager


And here is what happens when tomcatAuthentication="false" and the 
Tomcat Manager webapp breaks:

Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling authenticate()
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.BasicAuthenticator authenticate
FINE: Already authenticated 'markmont'
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling accessControl()
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE:   Checking roles CoyotePrincipal[markmont]
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found:  manager
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Failed accessControl() test

--
   Mark Montague
   mark@catseye.org
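
Added example, not part of the original message or of Tomcat: a small Python parser for the FINE-level realm/authenticator trace shown above, which pairs each "Checking roles" line with its outcome and flags denials where the principal carried no roles at all. The function names and the sample string are constructed here; it assumes the trace is not interleaved with other concurrent requests.

```python
import re

# Constructed sample: the FINE messages of the two traces in the message above.
# Timestamp/class header lines are mostly omitted; the parser skips them anyway.
SAMPLE = """\
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling authenticate()
FINE: Authenticated 'markmont' with type 'BASIC'
FINE:  Calling accessControl()
FINE:   Checking roles GenericPrincipal[markmont(admin,manager,)]
FINE: Role found:  manager
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling authenticate()
FINE: Already authenticated 'markmont'
FINE:  Calling accessControl()
FINE:   Checking roles CoyotePrincipal[markmont]
FINE: No role found:  manager
FINE:  Failed accessControl() test
"""

PRINCIPAL = re.compile(r"Checking roles (\w+)\[([^\](]*)(?:\(([^)]*)\))?\]")
ROLE = re.compile(r"(No role found|Role found):\s+(\S+)")

def audit(log_text):
    """Return one record per authenticate()/accessControl() sequence."""
    records, cur = [], None
    for line in log_text.splitlines():
        if not line.startswith("FINE:"):
            continue  # header line: timestamp, class, method
        msg = line[len("FINE:"):].strip()
        if msg == "Calling authenticate()":
            cur = {"user": None, "principal": None, "roles": [],
                   "required": None, "granted": None}
            records.append(cur)
        elif cur is not None and (m := PRINCIPAL.search(msg)):
            cur["principal"], cur["user"] = m.group(1), m.group(2)
            cur["roles"] = [r for r in (m.group(3) or "").split(",") if r]
        elif cur is not None and (m := ROLE.search(msg)):
            cur["granted"] = m.group(1) == "Role found"
            cur["required"] = m.group(2)
    return records

def roleless_denials(records):
    """Denials where the principal carried no roles at all (e.g. CoyotePrincipal)."""
    return [r for r in records if r["granted"] is False and not r["roles"]]

if __name__ == "__main__":
    for r in roleless_denials(audit(SAMPLE)):
        print(f"{r['user']}: {r['principal']} has no roles, needed '{r['required']}'")
```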

