Thanks Chris, that must be it. Can't believe I missed that. Unfortunately, this class is part of the Catalina codebase, which makes it necessary to use a runtime check and invoking a GenericPrincipal subclass when running inside Tomcat. I don't want to include the Catalina jar or be dependent on running Tomcat exclusively.
I find it strange that the code works by calling request.isUserInRole(), when using a class that implements the Principal interface, but fails when using declared roles. It's annoying that the Tomcat docs don't mention the necessity of extending GenericPrincipal when rolling your own implementation. Thanks to you guys for helping me out!

Robin.

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 2:55 PM
To: Tomcat Users List
Subject: Re: JAAS authenticated user fails authorization check

Robin,

Robin Coe wrote:
| The Tomcat code that is failing for my auth check is
| (http://kickjava.com/src/org/apache/catalina/realm/RealmBase.java.htm):

Are you sure this is your version? The 5.5.17 version of this file is available here:
http://svn.apache.org/repos/asf/tomcat/container/tags/tc5.5.x/TOMCAT_5_5_12/catalina/src/share/org/apache/catalina/realm/RealmBase.java

| } else if(!denyfromall) {
|
|     for (int j = 0; j < roles.length; j++) {
|         if (hasRole(principal, roles[j]))
|             status = true;
|         if( log.isDebugEnabled() )
|             log.debug( "No role found: " + roles[j]);
|     }
| }

The above code does not match what I see in the version from SVN, but it is close enough. You're right: it calls hasRole, and the hasRole implementation is as shown below:

| public boolean hasRole(Principal principal, String role) {
|
|     // Should be overriten in JAASRealm - to avoid pretty inefficient conversions
|     if ((principal == null) || (role == null) ||
|         !(principal instanceof GenericPrincipal))
|         return (false);

etc.

Assuming that the code continues beyond this point, /some/ type of log message should be expected. Given that no output is between the "Checking roles" log statement and "No role found: " statement, it looks like the Principal object might not be a GenericPrincipal.
JAASRealm.createPrincipal returns a GenericPrincipal object, so this should be okay. Given that you are doing a lot of stuff through software and not configuration, is it possible that you are creating your own Principal object that is not checkable by RealmBase?

| org.apache.catalina.realm.JAASRealm - Checking Principal "landscape" [com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]

Yup. Looks like you are using a Principal not supported by RealmBase. Does UserGroupPrincipal extend GenericPrincipal? If not, you should ensure that it does, and that it properly implements hasRole().

| Since my UserGroupPrincipal implements Principal, it is castable to
| GenericPrincipal.

Not true, unless UserGroupPrincipal also extends GenericPrincipal.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
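The fix Chris describes, as an added example that is not part of the thread and not Tomcat's or the poster's code: a custom principal that extends GenericPrincipal so the instanceof gate in RealmBase.hasRole() lets it through, next to a small reconstruction of that gate showing why a principal that only implements java.security.Principal is rejected before its roles are consulted. It assumes catalina.jar from Tomcat 5.5 on the classpath; the class name reuses the thread's UserGroupPrincipal, while the `group` field and `realmBaseWouldAccept` are hypothetical.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;

/**
 * Added example (not from the thread): a custom principal that extends
 * GenericPrincipal so Tomcat 5.5's RealmBase.hasRole() can evaluate it.
 * Assumes catalina.jar from Tomcat 5.5 on the classpath; the group field
 * and the helper method are hypothetical additions for illustration.
 */
public class UserGroupPrincipal extends GenericPrincipal {

    private final String group;

    public UserGroupPrincipal(String name, String group, List roles) {
        // Realm is null because this principal is created by a JAAS LoginModule
        // rather than by a Realm; the password is null because the container
        // never needs it for authorization. GenericPrincipal copies and sorts
        // the role list so its hasRole(String) can binary-search it.
        super(null, name, null, roles);
        this.group = group;
    }

    public String getGroup() {
        return group;
    }

    /**
     * Reconstruction (hypothetical, not Tomcat's code) of the check quoted from
     * RealmBase.hasRole() in the thread: anything that is not a GenericPrincipal
     * is refused before any role is looked at, which is why no "No role found"
     * debug line ever appears for such a principal. For a GenericPrincipal the
     * decision is delegated to GenericPrincipal.hasRole(String).
     */
    static boolean realmBaseWouldAccept(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof GenericPrincipal)) {
            return false;
        }
        return ((GenericPrincipal) principal).hasRole(role);
    }

    public static void main(String[] args) {
        // A principal that only implements java.security.Principal: it is
        // castable to Principal, but never to GenericPrincipal.
        Principal bare = new Principal() {
            public String getName() { return "landscape"; }
        };

        // The same user represented as a GenericPrincipal subclass with
        // constructed sample roles.
        Principal checkable = new UserGroupPrincipal("landscape", "ops",
                Arrays.asList(new String[] { "manager", "viewer" }));

        System.out.println("bare Principal, role manager: "
                + realmBaseWouldAccept(bare, "manager"));
        System.out.println("GenericPrincipal subclass, role manager: "
                + realmBaseWouldAccept(checkable, "manager"));
        System.out.println("GenericPrincipal subclass, role admin: "
                + realmBaseWouldAccept(checkable, "admin"));
    }
}
```

Compile and run it with Tomcat 5.5's catalina.jar on the classpath. The first call fails the instanceof gate, the second passes because "manager" is among the declared roles, and the third fails on the role lookup rather than on the type check; the only difference between the first and second case is the superclass, which is the point Chris makes about castability.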