tomcat-users mailing list archives
From Sebastian Trost <sebastian.tr...@dms-ag.ch>
Subject RE: Mapping role names to groups
Date Wed, 04 Oct 2017 11:25:34 GMT
-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com] 
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from Tomcat to LDAP groups.
>>>> I found an old thread from August 2009 with the exact problem, in which Christopher Schultz
>>>> recommended writing a servlet filter or valve to do that.
>>>>
>>>> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other
>>>> solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element.
>> Therefore, it doesn't work with JSPs or filters which are not servlets.
>>

> Isn't a JSP page ultimately translated into a servlet ?


I don't know. You tell me! ;)
My knowledge is very limited, and as far as I know you can have servlets but also standalone
JSP files (which can still use isUserInRole()). While adding the <security-role-ref>
tag to the <servlet> element works for the servlet, it doesn't work for the standalone
JSP file.

Example:

Authentication and authorization are done with LDAP.
Due to company policy the admin role must be named "company-application-admin". The application
has one servlet named FooServlet and one JSP file called importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:

<security-role>
   <description>Application admin role</description>
   <role-name>admin</role-name>
</security-role>

Also in the web.xml the servlet is defined like this:

<servlet>
   <servlet-name>FooServlet</servlet-name>
   <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
   <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>


Calling request.isUserInRole("admin") inside the servlet FooServlet will return "true", because
of the security-role-ref element inside the servlet element. Everything works fine and
as intended. The user then opens importantLegacyJsp.jsp, which also calls request.isUserInRole("admin").
Now that method will return false, because the mapping is only defined inside the servlet
element.

It seems that there doesn't exist a way to make that work without creating a custom realm.


Regards
Sebastian Trost
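The filter approach that Christopher Schultz recommended in the 2009 thread linked above, written out as an added example (this is not code from the original thread, from Tomcat, or from the application discussed): a servlet filter wraps the request so that isUserInRole("admin") is answered by asking the realm about "company-application-admin", for servlets and standalone JSPs alike, since both see the same wrapped request. The class name RoleMappingFilter, the init-param based configuration and the fallback behaviour for unmapped role names are assumptions for this example; it targets the javax.servlet API used by Tomcat 8.5 of that time.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Maps application role names (as passed to isUserInRole() by servlets and JSPs)
 * onto the group names the LDAP realm actually reports.
 *
 * Hypothetical web.xml registration, one init-param per mapping:
 *
 *   <filter>
 *      <filter-name>RoleMappingFilter</filter-name>
 *      <filter-class>com.example.RoleMappingFilter</filter-class>
 *      <init-param>
 *         <param-name>admin</param-name>
 *         <param-value>company-application-admin</param-value>
 *      </init-param>
 *   </filter>
 *   <filter-mapping>
 *      <filter-name>RoleMappingFilter</filter-name>
 *      <url-pattern>/*</url-pattern>
 *      <dispatcher>REQUEST</dispatcher>
 *      <dispatcher>FORWARD</dispatcher>
 *      <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 */
public class RoleMappingFilter implements Filter {

    // application role name -> realm (LDAP group) role name
    private final Map<String, String> roleLinks = new HashMap<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        Enumeration<String> names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String appRole = names.nextElement();
            String realmRole = config.getInitParameter(appRole);
            if (realmRole == null || realmRole.trim().isEmpty()) {
                // Fail closed at startup: a silent empty mapping would make every
                // isUserInRole(appRole) check return false later, which is hard to debug.
                throw new ServletException("Empty role mapping for '" + appRole + "'");
            }
            roleLinks.put(appRole, realmRole.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new RoleMappedRequest((HttpServletRequest) req, roleLinks);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        roleLinks.clear();
    }

    /** Request wrapper that translates the role name before asking the container. */
    static final class RoleMappedRequest extends HttpServletRequestWrapper {
        private final Map<String, String> roleLinks;

        RoleMappedRequest(HttpServletRequest request, Map<String, String> roleLinks) {
            super(request);
            this.roleLinks = roleLinks;
        }

        @Override
        public boolean isUserInRole(String role) {
            String realmRole = roleLinks.get(role);
            if (realmRole == null) {
                // No mapping declared: pass the name through unchanged (assumption).
                return super.isUserInRole(role);
            }
            // Only the mapped name is consulted. Deliberately do not also accept the
            // application name, otherwise an unrelated LDAP group that happens to be
            // called "admin" would grant the admin role.
            return super.isUserInRole(realmRole);
        }
    }
}
```

Two caveats for anyone using this. Tomcat authenticates the request before any filter runs, so getUserPrincipal() is already populated inside the wrapper; but for the same reason the filter cannot rename roles used in <auth-constraint> of a <security-constraint>, which the container evaluates before the filter chain, so those must still name the LDAP group directly. And the mapping should live in one place: once the filter is in, the <security-role-ref> on FooServlet from the example above is redundant, and keeping both invites the two lists drifting apart.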

