Posted to dev@tomcat.apache.org by rj...@apache.org on 2008/09/19 21:51:59 UTC

svn commit: r697213 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml webapps/docs/realm-howto.xml

Author: rjung
Date: Fri Sep 19 12:51:59 2008
New Revision: 697213

URL: http://svn.apache.org/viewvc?rev=697213&view=rev
Log:
Add an optional and configurable default role to the JNDIRealm.
This comes in handy if you only want to authenticate the users,
but have a security constraint with a role in the app.

Modified:
    tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
    tomcat/trunk/webapps/docs/config/realm.xml
    tomcat/trunk/webapps/docs/realm-howto.xml

Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=697213&r1=697212&r2=697213&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Sep 19 12:51:59 2008
@@ -347,6 +347,12 @@
      */
     protected int curUserPattern = 0;
 
+    /**
+     *  Add this role to every authenticated user
+     */
+    protected String commonRole = null;
+
+
     // ------------------------------------------------------------- Properties
 
     /**
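Review bot: The Javadoc on the `commonRole` field does not say that `null` (the initial value) means no role is added, which is the one thing a reader of the field needs to know. Suggest wording such as "Role added to every authenticated user, or null to add none". The comment line also has a stray second space after the asterisk.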
@@ -776,6 +782,28 @@
     }
 
 
+    /**
+     * Return the common role
+     */
+    public String getCommonRole() {
+
+        return commonRole;
+
+    }
+
+
+    /**
+     * Set the common role
+     *
+     * @param commonRole The common role
+     */
+    public void setCommonRole(String commonRole) {
+
+        this.commonRole = commonRole;
+
+    }
+
+
     // ---------------------------------------------------------- Realm Methods
 
 
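Review bot: `setCommonRole` stores its argument unchecked, so an empty or whitespace-only attribute value is kept as a non-null string, and the `commonRole != null` test later in this patch would then add an empty role name to every user. Consider normalising such values to null in the setter. The Javadoc on both accessors could also say what the common role is for, rather than repeating the method name.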
@@ -1363,6 +1391,8 @@
         if (list == null) {
             list = new ArrayList<String>();
         }
+        if (commonRole != null)
+            list.add(commonRole);
 
         // Are we configured to do role searches?
         if ((roleFormat == null) || (roleName == null))
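Review bot: `list.add(commonRole)` has no `contains` check, and `list` can arrive here already populated (it is only created when it is null), so a user whose existing roles include the common role ends up with it twice. Suggest `if (commonRole != null && !list.contains(commonRole))`, with braces around the body. The add also sits above the "configured to do role searches" check, so the role is granted even when no role search is configured; that matches the log message but deserves a one-line code comment.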

Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=697213&r1=697212&r2=697213&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Fri Sep 19 12:51:59 2008
@@ -304,6 +304,12 @@
          can be used. If no value is given the providers default is used.</p>
        </attribute>
 
+      <attribute name="commonRole" required="false">
+        <p>A role name assigned to each successfully authenticated user in
+        addition to the roles retrieved from LDAP. If not specified, only
+        the roles retrieved via LDAP are used.</p>
+      </attribute>
+
       <attribute name="connectionName" required="false">
         <p>The directory username to use when establishing a
         connection to the directory for LDAP search operations. If not
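Review bot: The new `commonRole` paragraph does not state the authorization consequence: every account that can authenticate against the directory receives this role, so the value should not be a role name that protects administrative resources. One more sentence in the `<p>` would cover that, together with the use case from the log message (authentication only, with a role required by the application's security constraint).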

Modified: tomcat/trunk/webapps/docs/realm-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/realm-howto.xml?rev=697213&r1=697212&r2=697213&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/realm-howto.xml (original)
+++ tomcat/trunk/webapps/docs/realm-howto.xml Fri Sep 19 12:51:59 2008
@@ -859,6 +859,12 @@
         can be used. If no value is given the providers default is used.</p>
       </attribute>
 
+      <attribute name="commonRole" required="false">
+        <p>A role name assigned to each successfully authenticated user in
+        addition to the roles retrieved from LDAP. If not specified, only
+        the roles retrieved via LDAP are used.</p>
+      </attribute>
+
       <attribute name="connectionName" required="false">
         <p>The directory username to use when establishing a
         connection to the directory for LDAP search operations. If not
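Review bot: This `commonRole` paragraph is a verbatim copy of the one added to config/realm.xml, so the two have to be kept in sync by hand. In the how-to, a short `<Realm>` element showing `commonRole` set would serve readers better than a repeated definition.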



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Default Role in Realms

Posted by Rainer Jung <ra...@kippdata.de>.
Rainer Jung wrote:
>> In my opinion a most useful feature,
>> as it really is in ADweRealm (see
>> http://a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
>> ) for Active Directory.

> I'll have a look, as it's already ASL 2 licensed.

Speaking too fast. That was only the original License note carried over
from the JNDIRealm. Do you have plans to contribute ADweRealm?

Regards,

Rainer



Re: Default Role in Realms

Posted by Rainer Jung <ra...@kippdata.de>.
A. Weinert wrote:
> Rainer Jung wrote:
>> I added an optional configurable default role to the JNDIRealm.
>> That's useful, if you only want to authenticate the users (password
>> check).
>>
>>    http://svn.apache.org/viewvc?rev=697213&view=rev
>>
>> I could as well add it to most of the other Realms, but I'm wondering,
>> if it would make more sense to introduce an additional getRoles to
>> RealmBase, which returns the default role if configured and can be
>> included in the getRoles already present in most of the Realm
>> implementations.
>>
>> Thoughts?
>>
>> Regards,
>>
>> Rainer
> 
> In my opinion a most useful feature,
> as it really is in ADweRealm (see
> http://a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
> ) for Active Directory.
> 
> Active Directory (AD) lists certain default group memberships not
> explicitly. So a user account, who is just "Domänen-Benutzer",
> would get authentication but no roles and hence no Tomcat
> rights w/o such a default role feature.
> 
> But I'm not sure if a change to the base class (RealmBase) is much help.
> To use ADweRealm again as an example, it implements a primitive way
> of Realm Chaining (badly needed with AD and missed in Tomcat). Here the
> default role signals which Realm the user got her authentication from.
> Under this aspect a base class implementation of the default role
> feature would only make sense if the Realm Chaining feature would be
> implemented there as well.

I'll have a look, as it's already ASL 2 licensed. I also have recursive
role searches in the queue (not committed yet) and Mark recently added a
CombinedRealm to trunk.

Regards,

Rainer



Re: Default Role in Realms

Posted by "A. Weinert" <al...@a-weinert.de>.
Rainer Jung wrote:
> I added an optional configurable default role to the JNDIRealm.
> That's useful, if you only want to authenticate the users (password check).
> 
>    http://svn.apache.org/viewvc?rev=697213&view=rev
> 
> I could as well add it to most of the other Realms, but I'm wondering, 
> if it would make more sense to introduce an additional getRoles to 
> RealmBase, which returns the default role if configured and can be 
> included in the getRoles already present in most of the Realm 
> implementations.
> 
> Thoughts?
> 
> Regards,
> 
> Rainer

In my opinion a most useful feature,
as it really is in ADweRealm (see
http://a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
) for Active Directory.

Active Directory (AD) lists certain default group memberships not
explicitly. So a user account, who is just "Domänen-Benutzer",
would get authentication but no roles and hence no Tomcat
rights w/o such a default role feature.

But I'm not sure if a change to the base class (RealmBase) is much help.
To use ADweRealm again as an example, it implements a primitive way
of Realm Chaining (badly needed with AD and missed in Tomcat). Here the
default role signals which Realm the user got her authentication from.
Under this aspect a base class implementation of the default role
feature would only make sense if the Realm Chaining feature would be
implemented there as well.


Best regards Albrecht



Re: Default Role in Realms

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Mark Thomas wrote:
> Rainer Jung wrote:
>   
>> I added an optional configurable default role to the JNDIRealm.
>> That's useful, if you only want to authenticate the users (password check).
>>
>>    http://svn.apache.org/viewvc?rev=697213&view=rev
>>
>> I could as well add it to most of the other Realms, but I'm wondering,
>> if it would make more sense to introduce an additional getRoles to
>> RealmBase, which returns the default role if configured and can be
>> included in the getRoles already present in most of the Realm
>> implementations.
>>
>> Thoughts?
>>     
>
> I think it is just as useful for other realms so I would go ahead with
> adding getRoles() to RealmBase in some form. Maybe add getDefaultRole() to
> RealmBase and then call that from the other Realms?
>   
+1
> Mark


Re: Default Role in Realms

Posted by Mark Thomas <ma...@apache.org>.
Rainer Jung wrote:
> I added an optional configurable default role to the JNDIRealm.
> That's useful, if you only want to authenticate the users (password check).
> 
>    http://svn.apache.org/viewvc?rev=697213&view=rev
> 
> I could as well add it to most of the other Realms, but I'm wondering,
> if it would make more sense to introduce an additional getRoles to
> RealmBase, which returns the default role if configured and can be
> included in the getRoles already present in most of the Realm
> implementations.
> 
> Thoughts?

I think it is just as useful for other realms so I would go ahead with
adding getRoles() to RealmBase in some form. Maybe add getDefaultRole() to
RealmBase and then call that from the other Realms?

Mark




Default Role in Realms

Posted by Rainer Jung <ra...@kippdata.de>.
I added an optional configurable default role to the JNDIRealm.
That's useful, if you only want to authenticate the users (password check).

    http://svn.apache.org/viewvc?rev=697213&view=rev

I could as well add it to most of the other Realms, but I'm wondering, 
if it would make more sense to introduce an additional getRoles to 
RealmBase, which returns the default role if configured and can be 
included in the getRoles already present in most of the Realm 
implementations.

Thoughts?

Regards,

Rainer
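
The use case described in this post, as an added configuration example that is not part of the original message or of the Tomcat sources: a JNDIRealm that grants a common role to every account passing the password check, paired with web.xml constraints that keep a privileged area on a directory-derived role. The host name, DNs, URL patterns and the role names `authenticated` and `app-admins` are constructed for illustration.

```xml
<!-- conf/server.xml (fragment): JNDIRealm using the commonRole attribute from r697213.
     Host, DNs and role names below are constructed for this example. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.org:636"
       userPattern="uid={0},ou=people,dc=example,dc=org"
       roleBase="ou=groups,dc=example,dc=org"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       commonRole="authenticated" />

<!-- WEB-INF/web.xml (fragment) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Satisfied by any account that passes the LDAP password check -->
    <role-name>authenticated</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Granted only through the directory role search (group cn=app-admins).
         Never reuse a privileged role name as the commonRole value. -->
    <role-name>app-admins</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>

<security-role><role-name>authenticated</role-name></security-role>
<security-role><role-name>app-admins</role-name></security-role>
```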


