Mapping role names to groups

2009-08-06 Thread Jason Royals
Hello Tomcatters,

Consider the following scenario. I have a Java web application, and it
is a packaged, commercial application that I may not change. In fact, I
don't have the source so I couldn't even if I wanted to.

The application declares two roles in web.xml - users and admins. In
our corporate environment, those role names are far too generic to be
group names in our LDAP repository.  The groups in LDAP are called
SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
names to the roles declared in the web.xml.

We have this running currently on Weblogic, and to map the roles to
groups, we have a Weblogic configuration as follows (in weblogic.xml)

<weblogic-web-app>

  <security-role-assignment>
    <role-name>users</role-name>
    <principal-name>SG-FooBar-Users</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>admins</role-name>
    <principal-name>SG-FooBar-Admins</principal-name>
  </security-role-assignment>

</weblogic-web-app>

Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
features in their container-specific configurations.

How can I achieve the same result in Tomcat, remembering I cannot change
the application, and I cannot change the groups or the LDAP repository
(which has hundreds of thousands of users and groups)?  Is it even
possible with Tomcat?

Thanks,
Jason


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Mapping role names to groups

2009-08-06 Thread Jason Royals
Thanks for the advice, but I think security-role-ref is only valid
within the context of a servlet element though? As such, it won't work
on JSPs or other resources that might do a
request.isUserInRole("admin") but are not servlets themselves (such as
filters and listeners). I'd also like to avoid changing anything in
web.xml if possible. Configuring the container is fine (e.g. server.xml)
but messing around too much in the application WAR package could be
trouble.

I have googled for this and came up with nothing useful, which surprises
me given that many organisations use a centralised LDAP repository that
has unfriendly group names, and we can't expect vendors to know what
crazy and devilish naming schemes our internal security admins will
dream up next. Hence our need to have the container perform such a
group-to-role mapping per application, without our application knowing
about it.

The closest I could find was this:
http://marc.info/?l=tomcat-user&m=122218450926648&w=2 but it's not the
happy ending I was hoping for. I was hoping for a more Tomcat-standard
way (à la weblogic.xml or JBoss' RoleMappingLoginModule) rather than
having to hack my own Realm :-)

This is just one application we're migrating off our legacy Weblogic
environment and I have quite a few like it, so a non-invasive approach
would be perfect if it exists.

Cheers,
Jason

On Thu, 2009-08-06 at 07:21 -0400, Tim Funk wrote:
 Try adding this to web.xml (and IIUC - this is portable across all 
 containers)
 
 <security-role-ref>
   <role-name>users</role-name>
   <role-link>SG-FooBar-Users</role-link>
 </security-role-ref>
 <security-role-ref>
   <role-name>admins</role-name>
   <role-link>SG-FooBar-Admins</role-link>
 </security-role-ref>
 
 
 -Tim
 

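As an added illustration (not from the thread, and not a Tomcat feature), this is where Tim's security-role-ref would have to live in web.xml and what else has to change for it to take effect: the ref is scoped to one servlet element, the linked names must be declared as security-roles, and URL constraints must use those linked names. The servlet name and class are assumed placeholders.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Roles as the realm (here an LDAP-backed one) actually reports them -->
  <security-role>
    <role-name>SG-FooBar-Users</role-name>
  </security-role>
  <security-role>
    <role-name>SG-FooBar-Admins</role-name>
  </security-role>

  <!-- The ref is scoped to this one servlet: only its own
       request.isUserInRole("admins") is resolved to SG-FooBar-Admins.
       JSPs, filters and listeners are not covered. -->
  <servlet>
    <servlet-name>AdminConsole</servlet-name>
    <!-- placeholder class name, assumed for the example -->
    <servlet-class>com.example.AdminServlet</servlet-class>
    <security-role-ref>
      <role-name>users</role-name>
      <role-link>SG-FooBar-Users</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>admins</role-name>
      <role-link>SG-FooBar-Admins</role-link>
    </security-role-ref>
  </servlet>

  <!-- URL constraints know nothing about the ref; they must name the
       realm's (linked) role, not the application's generic one -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SG-FooBar-Admins</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>
```

Every one of these edits lands in the application's own web.xml, which is exactly the WAR change the original poster wants to avoid.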

Re: Mapping role names to groups

2009-08-06 Thread Jason Royals
Yep, well according to the XSD that I'm using
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd but also
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd, security-role-ref
can only appear within a servlet definition. It could certainly help
if it was directly under web-app, but it ain't allowed so therefore its
usefulness is limited :-(

Cheers,
Jason

On Thu, 2009-08-06 at 14:40 +0200, André Warnier wrote:
 Jason Royals wrote:
  Thanks for the advice, but I think security-role-ref is only valid
  within the context of a servlet element though? 
 
 I have not checked, but are you sure? Is it not at the level of the
 web-app? If so, it would apply to everything belonging to that webapp,
 whether filters, servlets, JSPs, whatnot.
 
