tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Schumacher <>
Subject Re: roleNested seems to not be working in tomcat 6
Date Wed, 10 Jul 2013 07:13:52 GMT
Am 10.07.2013 00:46, schrieb Travis Bowen:
> Ok I found where it is being used in the getRoles method however I'm
> still wondering why it doesn't work. I don't see any way to define the
> member group attribute name, it is uniqueGroup in the dir server I am
> connecting to.

roleSearch will be used for every group found.

Given your config and your groups/persons are as follows

dn: cn=group1,ou=...
cn: group1
uniqueMember: cn=person1,ou=...

dn: cn=group2,ou=...
cn: group2
uniqueMember: cn=group1,ou=...

dn: cn=person1,ou=...
cn: person1
mail: person1@...

When you log in as person1@... first thing the realm does is to look up 
dn for that person using mail=person1@...
It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0} 
equal the newly found dn.

So the next lookup is uniqueMember=cn=person,ou=... which gives us 

The attribute cn of that group will be stored as a role. Since 
nestedRoles is enabled it will now do a new search with roleSearch and 
the dn (and cn in your case).
The lookup will be uniqueMember=cn=group1,ou=... which will give us 
cn=group2,ou=... and again the cn (group2) will be stored.

So after that your user will have two roles (group1, group2).

It looks to me that the logic for nested roles is reverse to the one you 

If you want to get debug output, you can put the line

org.apache.catalina.realm.JNDIRealm.level = FINE

at the end of your conf/ The attribute debug in your 
realm definition is being ignored (and invalid).


>  Thanks,
>  Travis
>  Travis Bowen---07/09/2013 02:43:58 PM---I am using
> |-----------------+--------------------------------+------------+-----+------------------
>  From: Travis Bowen/Tucson/IBM@IBMUS
>  To:,
>  Date: 07/09/2013 02:43 PM
>  Subject: roleNested seems to not be working in tomcat 6
> -------------------------
>  I am using
> Apache Tomcat/6.0.37
> pxa6460sr13fp2-20130424_01 (SR13 FP2)
> IBM Corporation
> Linux
> 2.6.32-358.2.1.el6.x86_64
> amd64
>  I have the following context defined for my application:
>  <?xml version=_"1.0"_ encoding=_"UTF-8"_?>
>  <Context>
>  <Realm className=_"org.apache.catalina.realm.JNDIRealm"_
>  debug=_"99"_
>  connectionURL=_"ldaps://"_
>  userBase=_"ou=xxxxxxx,"_
>  userSearch=_"(mail={0})"_
>  userSubtree=_"true"_
>  roleBase=_"ou=xxxxxx,ou=xxxxxxx,"_
>  roleSubtree=_"false"_
>  roleNested=_"true"_
>  roleSearch=_"(uniqueMember={0})"_
>  roleName=_"cn"_ />
>  </Context>
>  I have a user defined who is a member of one group which is a member
> of another group under the roleBase. After authenticating I only get
> the role/group that the user is a direct member of, it doesn't return
> the role/group that the group is a member of.
>  I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> the roleNested attribute is never used except in the setters and
> getters. Seems like it is being ignored. Is this feature available in
> tomcat 6? The docs say it is but it doesn't seem to work.
>  Thanks,
>  Travis

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message