OK, I found where it is being used in the getRoles method; however, I'm still wondering why it doesn't work. I don't see any way to define the member group attribute name; it is uniqueGroup in the dir server I am connecting to.

Thanks,


Travis


From: Travis Bowen/Tucson/IBM@IBMUS
To: users@tomcat.apache.org,
Date: 07/09/2013 02:43 PM
Subject: roleNested seems to not be working in tomcat 6





I am using
Apache Tomcat/6.0.37
pxa6460sr13fp2-20130424_01 (SR13 FP2)
IBM Corporation
Linux
2.6.32-358.2.1.el6.x86_64
amd64

I have the following context defined for my application:


<?xml version="1.0" encoding="UTF-8"?>
<Context>
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          debug="99"
          connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
          userBase="ou=xxxxxxx,o=ibm.com"
          userSearch="(mail={0})"
          userSubtree="true"
          roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
          roleSubtree="false"
          roleNested="true"
          roleSearch="(uniqueMember={0})"
          roleName="cn" />
</Context>


I have a user defined who is a member of one group, which is a member of another group under the roleBase. After authenticating, I only get the role/group that the user is a direct member of; it doesn't return the role/group that the group is a member of.


I downloaded the source of org.apache.catalina.realm.JNDIRealm and the roleNested attribute is never used except in the setters and getters. Seems like it is being ignored. Is this feature available in Tomcat 6? The docs say it is, but it doesn't seem to work.


Thanks,



Travis
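
Added example, not part of the original messages and not Tomcat's code: a small Python model of a nested role lookup, assuming the nested pass reuses the roleSearch filter with each found group's DN substituted for {0}. It runs against a constructed directory in which groups list member groups in uniqueGroup, as described in the follow-up. The directory entries, DNs, the search/get_roles helpers and the combined OR filter are all assumptions made for illustration.

```python
import re

# Constructed directory: users are listed in uniqueMember, member groups in
# uniqueGroup (the attribute named in the follow-up message). All DNs are made up.
ALICE = "uid=alice,ou=people,o=example"
USERS = "cn=app-users,ou=groups,o=example"
ADMINS = "cn=app-admins,ou=groups,o=example"
OWNERS = "cn=app-owners,ou=groups,o=example"
DIRECTORY = {
    USERS: {"cn": "app-users", "uniqueMember": [ALICE]},
    ADMINS: {"cn": "app-admins", "uniqueGroup": [USERS]},
    OWNERS: {"cn": "app-owners", "uniqueGroup": [ADMINS]},
    "cn=other,ou=groups,o=example": {"cn": "other", "uniqueMember": ["uid=bob,ou=people,o=example"]},
}

def search(role_search, dn):
    """Return {group_dn: cn} for groups matched by role_search with {0} = dn.
    Hypothetical helper: understands only (attr={0}) terms, optionally OR-ed."""
    attrs = re.findall(r"\((\w+)=\{0\}\)", role_search)
    return {gdn: entry["cn"] for gdn, entry in DIRECTORY.items()
            if any(dn in entry.get(attr, []) for attr in attrs)}

def get_roles(user_dn, role_search, role_nested):
    """Direct groups first, then (if role_nested) repeat the same search
    for every newly found group until no new group turns up."""
    found = search(role_search, user_dn)
    pending = dict(found) if role_nested else {}
    while pending:
        next_round = {}
        for group_dn in pending:
            for gdn, cn in search(role_search, group_dn).items():
                if gdn not in found:          # also stops membership cycles
                    found[gdn] = cn
                    next_round[gdn] = cn
        pending = next_round
    return sorted(found.values())

if __name__ == "__main__":
    # Filter from the posted context: the nested pass looks for the group DN
    # in uniqueMember, where this directory never stores it.
    print(get_roles(ALICE, "(uniqueMember={0})", True))
    # Assumed alternative filter that matches either membership attribute.
    print(get_roles(ALICE, "(|(uniqueMember={0})(uniqueGroup={0}))", True))
```

For access control, the difference is that a user can authenticate successfully and still be missing the roles granted through parent groups, so a security-constraint tied to those roles denies them.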