I am using
Apache Tomcat/6.0.37
pxa6460sr13fp2-20130424_01 (SR13 FP2)
IBM Corporation
Linux
2.6.32-358.2.1.el6.x86_64
amd64

I have the following context defined for my application:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
userBase="ou=xxxxxxx,o=ibm.com"
userSearch="(mail={0})"
userSubtree="true"
roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
roleSubtree="false"
roleNested="true"
roleSearch="(uniqueMember={0})"
roleName="cn"  /> 
</Context>

I have a user defined who is a member of one group which is a member of another group under the roleBase.  After authenticating I only get the role/group that the user is a direct member of, it doesn't return the role/group that the group is a member of.

I downloaded the source of org.apache.catalina.realm.JNDIRealm and the roleNested attribute is never used except in the setters and getters.  Seems like it is being ignored.  Is this feature available in tomcat 6?  The docs say it is but it doesn't seem to work.

Thanks,


Travis