Nice, any idea which method I need to call?

On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
> On 18/07/17 17:41, Alex O'Ree wrote:
> > Alright, quick update on this.
> >
> > At this point, I have servlet context and a username running off the
> > main tomcat http threads (quartz job)
> >
> >> StandardContext tomcat; // load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
> >> Realm realm = tomcat.getRealm();
> >
> > At this point, realm is a LockoutRealm that contains two child realms,
> > the JNDI Realm and the standard UserDatabaseRealm
> >
> >> Principal user = realm.authenticate(username);
> >
> > At this point, the user object is populated and appears to have the
> > roles attached to it (they are listed in the toString method).
> >
> >> realm.hasRole(new StandardWrapper(), user, role);
> >
> > This part returns false, if and only if the ldap membership matches
> > exactly. Mapped roles via servlet/security-role-ref/role-link and
> > role-name do not appear to be in effect.
> >
> > I think this may have something to do with the Principal object not
> > having a login context. Normally, this is available via a servlet, but
> > this it is not.
> >
> > I think the root cause might be this line.
> > https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
> >
> > Which probably does the translation from the LDAP defined group or
> > role into what the application is expecting. Am I on the right path
> > here?
>
> Yes. If you check auth outside of a Servlet, the role mappings for the
> Servlet won't apply. If you know which servlet to use for the role
> mappings you can get that from the Context (Wrappers represent Servlets
> and are children of the Context).
>
> Mark
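
The check described in the thread, run against a real Wrapper instead of an empty `new StandardWrapper()`, as an added example that is not code from either poster or from Tomcat itself. It assumes the Tomcat 7 Catalina API on the classpath; the class `BackgroundRoleCheck`, the method `userHasRole` and the `servletName` parameter are hypothetical names, and `realm.authenticate(username)` is the call quoted in the thread.

```java
import java.security.Principal;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;

/** Added example: role check outside a request, using one servlet's role mappings. */
public final class BackgroundRoleCheck {

    private BackgroundRoleCheck() {
    }

    /**
     * @param context     the web application's Context (the StandardContext from the thread)
     * @param servletName servlet-name from web.xml whose security-role-ref entries should apply
     * @param username    user to look up in the realm
     * @param role        role name as the application code refers to it
     * @return true only if the servlet, realm and user resolve and the user holds the role
     */
    public static boolean userHasRole(Context context, String servletName,
                                      String username, String role) {
        // Wrappers represent servlets and are children of the Context, keyed by name.
        Container child = context.findChild(servletName);
        if (!(child instanceof Wrapper)) {
            // Unknown servlet: deny instead of falling back to an unmapped check.
            return false;
        }
        Wrapper wrapper = (Wrapper) child;

        Realm realm = context.getRealm();
        if (realm == null) {
            return false;
        }

        // Same lookup as in the thread: resolve the Principal by username only.
        Principal user = realm.authenticate(username);
        if (user == null) {
            return false;
        }

        // With the servlet's own Wrapper, the realm can translate 'role' through
        // that servlet's security-role-ref entries before checking the user's roles.
        return realm.hasRole(wrapper, user, role);
    }
}
```

Every failure path returns false, so a misspelled servlet name or a missing realm denies access rather than silently skipping the role mapping.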