JndiRealm for Tomcat
Please download the ALPHA version of JndiRealm (compiled classes and source code) from
http://peacetech.com/java/files/apache/tomcat/jndi-auth.html
JndiRealm authenticates and authorizes users against a directory reached through JNDI. It was developed and tested
against LDAP over JNDI (Sun's and Netscape's JNDI LDAP providers).
JndiRealm searches the entire subtree under jndiInitialContext for entries matching jndiSearchFilter plus the username
and requires exactly one match (zero or several matches mean the login is refused). It then binds to the directory with the
credentials Tomcat supplies, i.e. the password the user presented, to authenticate.
If the bind succeeds, it fetches the user's roles from the directory attributes listed in jndiRolesAttributes,
and if roleMapperClass is specified it uses that class to map the directory roles onto the application roles
specific to each web context.
The provided SimpleRoleMapper implementation reads the WEB-INF/role-map.xml file of each web context
and maps roles accordingly.
JndiRealm works a little differently from SimpleRealm or JdbcRealm.
Those realms extract the username and password from the user's session (for form-based authentication) or from the request headers (for Basic authentication) and then perform authentication and authorization on *every request*. This becomes a problem when the password on the backend changes constantly: a password cached in the user's session or carried in the request header expires after, let's say, 15 seconds, and any subsequent attempt to get the user's roles from the directory
One solution to the problem would be to cache all authentication/authorization information in the user's session (as Tomcat already does with the username and password for form-based authentication) and use it as proof of successful authentication for all subsequent requests.
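The search-then-bind sequence described above (find exactly one entry, bind as it, read the role attributes), written out as an added example that is not the JndiRealm source. The class name, the constructor parameters and the example LDAP URL, base and filter are assumptions loosely modelled on the jndiInitialContext, jndiSearchFilter and jndiRolesAttributes settings; it talks to a real LDAP server through the standard JNDI LDAP provider and does not depend on Tomcat. The object it returns is the kind of thing the caching proposal above would keep in the session, so the directory is not contacted again on every request.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind LDAP authentication via JNDI.
 * Added example, not the JndiRealm code: class, field and URL names are assumptions.
 */
public class LdapSearchBind {

    /** What a realm needs after a successful login: the entry's DN and its directory roles. */
    public static final class AuthenticatedUser {
        public final String dn;
        public final List<String> roles;
        AuthenticatedUser(String dn, List<String> roles) { this.dn = dn; this.roles = roles; }
    }

    private final String providerUrl;      // assumed, e.g. "ldaps://ldap.example.com:636" (simple bind sends the password in clear, so use ldaps://)
    private final String searchBase;       // subtree to search, e.g. "ou=people,dc=example,dc=com"
    private final String searchFilter;     // e.g. "(uid={0})"; JNDI substitutes the username for {0}
    private final String[] roleAttributes; // e.g. {"memberOf"}; each value becomes a role name
    private final String serviceDn;        // account used for the search; null means anonymous
    private final String servicePassword;

    public LdapSearchBind(String providerUrl, String searchBase, String searchFilter,
                          String[] roleAttributes, String serviceDn, String servicePassword) {
        this.providerUrl = providerUrl;
        this.searchBase = searchBase;
        this.searchFilter = searchFilter;
        this.roleAttributes = roleAttributes;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
    }

    private DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        if (principal != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        }
        return new InitialDirContext(env);
    }

    /** Returns the authenticated user, or null when the login must be refused. */
    public AuthenticatedUser authenticate(String username, String password) throws NamingException {
        // An empty password turns an LDAP simple bind into an anonymous bind, which "succeeds":
        // refuse it before touching the directory.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }

        String userDn = null;
        List<String> roles = new ArrayList<>();
        DirContext search = connect(serviceDn, servicePassword);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);   // whole subtree under searchBase
            controls.setReturningAttributes(roleAttributes);
            // Passing the username as a filter argument makes JNDI encode it, so a name such as
            // "*" or "x)(uid=admin" cannot change the structure of the filter.
            NamingEnumeration<SearchResult> results =
                search.search(searchBase, searchFilter, new Object[] { username }, controls);
            int matches = 0;
            while (results.hasMore()) {
                SearchResult entry = results.next();
                if (++matches > 1) {
                    return null;                 // ambiguous: more than one entry matches, refuse
                }
                userDn = entry.getNameInNamespace();
                for (String attrName : roleAttributes) {
                    Attribute attr = entry.getAttributes().get(attrName);
                    if (attr == null) continue;
                    NamingEnumeration<?> values = attr.getAll();
                    while (values.hasMore()) roles.add(String.valueOf(values.next()));
                }
            }
            if (matches != 1) return null;       // no such user
        } finally {
            search.close();
        }

        // Bind as the entry itself: this is the only step that actually checks the password.
        try {
            connect(userDn, password).close();
        } catch (AuthenticationException wrongPassword) {
            return null;
        }
        return new AuthenticatedUser(userDn, roles);
    }
}
```

A realm would call authenticate(username, password) once per login, hand the returned roles to a role mapper (SimpleRoleMapper, in the post's design), and keep the result in the session; a null return is treated uniformly as a failed login so that "no such user", "ambiguous name" and "wrong password" are indistinguishable to the client.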
I am not very familiar with Tomcat's security infrastructure, so it would be nice if somebody from the Tomcat team took a look at my source code.
If it proves to be useful, I will port it to Tomcat 4.
Alex Roytman
For samples, please see the tomcat/conf/server.xml and WEB-INF/role-map.xml files in the distribution.