Posted to users@tomcat.apache.org by janbanan <ba...@gmail.com> on 2007/09/28 09:14:32 UTC

Security roles

Hi,

I'm having some problems with security roles in Tomcat 5.5. The actual
url-pattern based protection works fine, so presumably the config is ok. But
when I programmatically try to check if the user belongs to a role, I run into
problems.

First, the request.isUserInRole(String) method always returns false. After a
bit of searching I found that Tomcat has its own implementation of the
Principal class, GenericPrincipal, which has the hasRole(String) method.
Now it turns out I cannot retrieve the GenericPrincipal object from the
request (class not found exception). This, I found out, is because the class
file is not loaded in the scope of the webapp. The workaround is to copy
catalina.jar to the WEB-INF/lib folder.

This seems very messy! I'd like to check with you guys: is this really the
only way to check a user's roles? Or am I doing something wrong?

Thanks!

Jan




-- 
View this message in context: http://www.nabble.com/Security-roles-tf4532864.html#a12935784
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Security roles

Posted by janbanan <ba...@gmail.com>.
Cleaned up the naming/casing of the roles, it works and now I feel dumb.
Thanks a lot!




David Delbecq-2 wrote:
> 
> request.isUserInRole is the way to go. If you don't get "true", I
> suggest you first check getRemoteUser() to see if the user is authenticated.
> Then check you correctly spelled the role name, including case. Then check
> you have the correct role mapping in web.xml (mapping from realm role names
> to webapp roles) and that you are correctly using the webapp role name,
> not the realm role name! (The best way to avoid this last problem is to use
> the same name on both sides.)
> 
> You are not supposed to access GenericPrincipal. Moreover, Tomcat's
> implementation of isUserInRole() will just return the same as
> GenericPrincipal.
> 
> As for copying catalina.jar to WEB-INF/lib, it won't work either. Instead
> of a class not found exception, you would get a ClassCastException,
> because your instance has been allocated by the server classloader while the
> class you try to convert to is allocated by the webapp classloader (same
> name, same package, but different classloader).
> 
> Btw, don't even ever think about moving anything from server/ to
> WEB-INF/lib.
> 

-- 
View this message in context: http://www.nabble.com/Security-roles-tf4532864.html#a12936876
Sent from the Tomcat - User mailing list archive at Nabble.com.



Re: Security roles

Posted by David Delbecq <de...@oma.be>.
request.isUserInRole is the way to go. If you don't get "true", I
suggest you first check getRemoteUser() to see if the user is authenticated.
Then check you correctly spelled the role name, including case. Then check
you have the correct role mapping in web.xml (mapping from realm role names
to webapp roles) and that you are correctly using the webapp role name,
not the realm role name! (The best way to avoid this last problem is to use
the same name on both sides.)

You are not supposed to access GenericPrincipal. Moreover, Tomcat's
implementation of isUserInRole() will just return the same as
GenericPrincipal.

As for copying catalina.jar to WEB-INF/lib, it won't work either. Instead
of a class not found exception, you would get a ClassCastException,
because your instance has been allocated by the server classloader while the
class you try to convert to is allocated by the webapp classloader (same
name, same package, but different classloader).

Btw, don't even ever think about moving anything from server/ to
WEB-INF/lib.


At exactly 28/09/07 09:14, janbanan expressed himself in these terms:
> Hi,
>
> I'm having some problems with security roles in Tomcat 5.5. The actual
> url-pattern based protection works fine, so presumably the config is ok. But
> when I programmatically try to check if the user belongs to a role, I run into
> problems.
>
> First, the request.isUserInRole(String) method always returns false. After a
> bit of searching I found that Tomcat has its own implementation of the
> Principal class, GenericPrincipal, which has the hasRole(String) method.
> Now it turns out I cannot retrieve the GenericPrincipal object from the
> request (class not found exception). This, I found out, is because the class
> file is not loaded in the scope of the webapp. The workaround is to copy
> catalina.jar to the WEB-INF/lib folder.
>
> This seems very messy! I'd like to check with you guys: is this really the
> only way to check a user's roles? Or am I doing something wrong?
>
> Thanks!
>
> Jan


-- 
http://www.noooxml.org/

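The checks David lists, turned into a servlet, as an added example that is not code from either poster or from Tomcat. It assumes Servlet 2.4 on Tomcat 5.5 (the javax.servlet packages), a web.xml security-constraint covering the servlet's URL, and two constructed role names: "app-admin" as the name the code uses and "ADMINS" as the name the realm returns. The web.xml fragment in the class comment is equally an assumption, written to show the security-role-ref mapping David refers to; the code only ever touches the portable HttpServletRequest API, never GenericPrincipal.

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread or from Tomcat). Checks a role the
 * portable way: getUserPrincipal()/getRemoteUser() first, then
 * isUserInRole(). The role names below are constructed for illustration.
 *
 * Assumed web.xml fragment. The security-role-ref maps the name used in the
 * code to the name the realm hands out, so the code never needs the realm
 * name; if both names are identical the role-ref can be dropped entirely.
 *
 *   <servlet>
 *     <servlet-name>Reports</servlet-name>
 *     <servlet-class>example.ReportsServlet</servlet-class>
 *     <security-role-ref>
 *       <role-name>app-admin</role-name>   <!-- name passed to isUserInRole() -->
 *       <role-link>ADMINS</role-link>      <!-- name the realm returns -->
 *     </security-role-ref>
 *   </servlet>
 *   <security-role><role-name>ADMINS</role-name></security-role>
 */
public class ReportsServlet extends HttpServlet {

    /** Must match the role-name in web.xml exactly; the comparison is case-sensitive. */
    private static final String REQUIRED_ROLE = "app-admin";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!requireRole(req, resp, REQUIRED_ROLE)) {
            return; // requireRole has already sent the error response
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Report for " + req.getRemoteUser());
    }

    /**
     * Runs the checks in the order the thread suggests. Returns true only when
     * the caller is authenticated and holds the role; otherwise sends 401 or
     * 403 and returns false.
     */
    boolean requireRole(HttpServletRequest req, HttpServletResponse resp, String role)
            throws IOException {
        // 1. Is anyone authenticated at all? If the URL is not covered by a
        //    <security-constraint>, the container never challenged the client,
        //    both of these are null, and isUserInRole() is false for every role.
        Principal principal = req.getUserPrincipal();
        String user = req.getRemoteUser();
        if (principal == null || user == null) {
            log("no authenticated user for " + req.getRequestURI()
                    + " (is the URL covered by a security-constraint?)");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // 2. Ask the container. This applies the web.xml role mapping and gives
        //    the same answer Tomcat's own principal would; no cast is needed.
        if (!req.isUserInRole(role)) {
            log("user " + user + " lacks role '" + role + "' on " + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}
```

The log lines are where the diagnosis happens: a 401 with the "no authenticated user" entry means the constraint never fired, while a 403 for a user who should qualify points at the role name (spelling, case, or realm name used instead of the web.xml name).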