Posted to users@tomcat.apache.org by brian bay <br...@gmail.com> on 2006/09/01 19:26:02 UTC

Tomcat 5.5.17 * behavior change

I recently upgraded from tomcat 5.0.28 to 5.5.17.   I have security set up
on all my apps to allow any user that can authenticate against ldap access
to the application....

So in 5.0.28,  I  defined <role-name>*</role-name>  to allow all role
names.   In 5.5.17 the behavior changes on the role-name attribute, and
apparently the * now means "all roles defined inside of web.xml" instead of
the previous "all/any roles"..   I understand that after tomcat 5.5.12,
tomcat was "fixed" to conform to the 2.4 servlet spec, in which the * 's
meaning is redefined.   Suck.

I don't want to have to define 300 roles in web.xml..  Once I do that, I am
now maintaining roles in 2 places.


***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from
server/lib to my 5.5.17 installation..  !Voila!  authentication now works
with the <role-name>*</role-name>



questions:

Why is there no backwards compatibility?  or is there and I just have to
tell it which servlet spec to use?

***As for my workaround.  I can't see this as being a very good solution...
I'm guessing this will cause problems elsewhere??


I could just use 5.5.12, but I'm sure there are some bug fixes along the way
that I would benefit from..

thanks,
Brian

Re: Tomcat 5.5.17 * behavior change

Posted by brian bay <br...@gmail.com>.
I would have responded sooner, but I've been too busy banging my head against
my desk..  :-)

Much easier indeed, and better..  thanks for the heads up!  I wish I  had
posted this question earlier..

I understand that it's hard to keep documentation up-to-the-minute on every
change, but this seems like allRolesMode might be a good candidate to include
in the Realm doc.. unless I just missed it.. I know it's in the javadoc, but
dummies, like me, need things spelled out.. :-)

In hindsight, your solution seems obvious to me, but the general consensus
that I got from reading the small number of convoluted threads out there,
was nobody had a clue what to do..  besides defining tons of roles in the
web app..  or reverting to 5.5.12..  Maybe it's just not that common of a
situation??

thanks for the help!  I'll come here first next time, instead of spending
countless hours reading dead-end-threads..

Brian




On 9/1/06, Bill Barker <wb...@wilshire.com> wrote:
>
> It would have been easier to change server.xml, to something like:
>     <Realm allRolesMode="strictAuthOnly" ...... />

Re: Tomcat 5.5.17 * behavior change

Posted by Bill Barker <wb...@wilshire.com>.
It would have been easier to change server.xml, to something like:
    <Realm allRolesMode="strictAuthOnly" ...... />

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5.17 * behavior change

Posted by brian bay <br...@gmail.com>.
SOLVED!

Well since no one else seems to care about ldap authentication and user
roles, I guess I'll reply to myself..

Apparently backwards compatibility is built into the source code for tomcat.

To work around the problem of <role-name>*</role-name>  you need to go and
grab the tomcat source code, not the binaries.. If you have the binaries
installed already, this is fine.  All we are going to do is replace
catalina.jar...

In my source directory
C:\apache-tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm,
I edited RealmBase.java.

I changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE;

to protected AllRolesMode allRolesMode = AllRolesMode.STRICT_AUTH_ONLY_MODE;

I then built from source and copied the newly built catalina.jar file to my
current binary distribution of tomcat..$TOMCAT_HOME/server/lib

That's it..   Now <role-name>*</role-name> authenticates all roles.


Brian Bay



