On 04/10/17 09:20, Sebastian Trost wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
> 
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from Tomcat to LDAP 
>>> groups. I found an old thread from August 2009 with the exact problem in 
>>> which Christopher Schultz recommended to write a servlet filter or valve to 
>>> do that. 
>>>
>>> Original mail: 
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schultz: 
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other 
>>> solution than this?
> 
>> security-role-ref ?
> 
> AFAIK, <security-role-ref> is only valid within the <servlet> element. 
> Therefore, it doesn't work with JSPs or filters which are not servlets.

JSPs are still handled by a servlet so you could work around that
problem. There isn't such an easy solution available for filters.

This sort of mapping is probably something we need to think about adding
to the Realm.

There is this enhancement request:
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477

The code needs review but from a quick look the general approach looks
good. The thing I'd want to think about is exactly how the mapping was
defined. A few thoughts...

Putting it in server.xml means restarting Tomcat to change it. Putting
it in a separate file removes that issue - if the ability to reload it
is added.

Experience tells me multiple elements will be less hassle (i.e. fewer
edge-case bugs) than a single element with some form of special syntax.

Mark
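
The JSP workaround mentioned above, sketched as a web.xml fragment. This is an added example, not part of the original thread or of Tomcat's own code; the servlet name, JSP path, and the role and group names (reportPage, /admin/report.jsp, admin, APP_TOMCAT_ADMINS) are hypothetical. As the reply notes, it does not cover filters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Declare the JSP as a named servlet so it can carry a security-role-ref.
       All names in this file are hypothetical. -->
  <servlet>
    <servlet-name>reportPage</servlet-name>
    <jsp-file>/admin/report.jsp</jsp-file>
    <security-role-ref>
      <!-- Name the JSP passes to request.isUserInRole(...) -->
      <role-name>admin</role-name>
      <!-- Role the Realm actually returns (here, an LDAP group name) -->
      <role-link>APP_TOMCAT_ADMINS</role-link>
    </security-role-ref>
  </servlet>

  <!-- An exact-path mapping takes precedence over the container's *.jsp
       mapping, so requests for the JSP reach the servlet declared above. -->
  <servlet-mapping>
    <servlet-name>reportPage</servlet-name>
    <url-pattern>/admin/report.jsp</url-pattern>
  </servlet-mapping>

  <!-- security-role-ref only affects isUserInRole(); URL constraints
       must still name the role as the Realm returns it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>APP_TOMCAT_ADMINS</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- The role-link target is declared as a security role of the application. -->
  <security-role>
    <role-name>APP_TOMCAT_ADMINS</role-name>
  </security-role>
</web-app>
```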
