RE: Apache Tomcat role authorisation against AD2003

[Rupert Whitefield]

Hi Chris,

Thanks for the mail. The only thing that changed in my server.xml was
the order, and changed the roleSearch from:

roleSearch="(uniqueMember={0})

To

roleSearch="(member={0})

Apart from that, I'm a little confused why it works - but it does....

If a user had 3 roles (group1, group2, group3) - (is a member of 3
Windows domain groups) - then I was getting back

CN=CN=group1,CN=xxxx,DC=yyy,DC=zzzz
CN=CN=group2,CN=xxxx,DC=yyy,DC=zzzz
CN=CN=group3,CN=xxxx,DC=yyy,DC=zzzz
group1
group2
group3


So moved onto my next problem, which is why when securing the URL via
HTTPS, everything works great , but IE can no longer 'find' the Java Web
Start application..... And it worked on same port with HTTP. Sigh.
Looking into it.

Rupert.


-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED] 
Sent: 09 April 2008 14:16
To: Tomcat Users List
Subject: Re: Apache Tomcat role authorisation against AD2003




This message should be regarded as confidential. If you have received this 
email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by 
an authorised signatory.  The contents of this email may relate to dealings 
with other companies within the Detica Group plc group of companies.

Detica Limited is registered in England under No: 1337451.

Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rupert,

Rupert Whitefield wrote:
| Thanks for the response.  I think you are correct on the role 
| definition (could not find a way of escaping or wildcarding the role 
| which struts
| 1.1 suggests is possible) - so have worked a little more on the AD 
| realm settings in Tomcat.  By trail and error I have found the below
to work:

Your new configuration looks the same as your original configuration to
me. What changed?

| This seems to return both the cn and DN, i.e. really twice as much 
| role data as I need - but at least it works.....

When you say it "returns both", what do you mean? If a user has 3 roles,
for how many different values will request.isUserInRole(value) return
true?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkf8wawACgkQ9CaO5/Lv0PD5eACdEuglj6wGsWsvrTPnUmco8lpG
EvgAn1oR4vz/BGrcthNy1G75oS/4c2Ur
=AA/t
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This message should be regarded as confidential. If you have received this 
email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by 
an authorised signatory.  The contents of this email may relate to dealings 
with other companies within the Detica Group plc group of companies.

Detica Limited is registered in England under No: 1337451.

Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]