Try adding this to web.xml (and IIUC - this is portable across all
containers)
<security-role-ref>
<role-name>users</role-name>
<role-link>SG-FooBar-Users</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admins</role-name>
<role-link>SG-FooBar-Admins</role-link>
</security-role-ref>
-Tim
Jason Royals wrote:
Hello Tomcatters,
Consider the following scenario. I have a Java web application, and it
is a packaged, commercial application I may not change it. In fact, I
don't have the source so I couldn't even if I wanted to.
The application declares two roles in web.xml - "users" and "admins". In
our corporate environment, those role names are far too generic to be
group names in our LDAP repository. The groups in LDAP are called
SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
names to the roles declared in the web.xml.
We have this running currently on Weblogic, and to map the roles to
groups, we have a Weblogic configuration as follows (in weblogic.xml)
<weblogic-web-app>
....
<security-role-assignment>
<role-name>users</role-name>
<principal-name>SG-FooBar-Users</principal-name>
</security-role-assignment>
<security-role-assignment>
<role-name>admins</role-name>
<principal-name>SG-FooBar-Admins</principal-name>
</security-role-assignment>
....
</weblogic-web-app>
Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
features in their container-specific configurations.
How can I achieve the same result in Tomcat, remembering I cannot change
the application, and I cannot change the groups or the LDAP repository
(which has hundreds of thousands of users and groups)? Is it even
possible with Tomcat?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
