Posted to users@tomcat.apache.org by Sebastian Trost <se...@dms-ag.ch> on 2017/10/03 13:01:46 UTC

Mapping role names to groups

Hi!

I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that. 

Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E

It has now been eight years and I'm wondering if there is still no other solution than this? 

Regards
Sebastian Trost

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Mapping role names to groups

Posted by Mark Thomas <ma...@apache.org>.
On 04/10/17 09:20, Sebastian Trost wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org] 
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
> 
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that. 
>>>
>>> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other solution than this?
> 
>> security-role-ref ?
> 
> AFAIK, <security-role-ref> is only valid within the <servlet> element. Therefore, it doesn't work with JSPs or filters which are not servlets.

JSPs are still handled by a servlet so you could work around that
problem. There isn't such an easy solution available for filters.

This sort of mapping is probably something we need to think about adding
to the Realm.

There is this enhancement request:
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477

The code needs review but from a quick look the general approach looks
good. The thing I'd want to think about is exactly how the mapping was
defined. A few thoughts...

Putting it in server.xml means restarting Tomcat to change it. Putting
it in a separate file removes that issue - if the ability to reload it
is added.

Experience tells me multiple elements will be less hassle (i.e. less
edge case bugs) than a single element with some form of special syntax.

Mark

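Mark's remark that a JSP is still served by a servlet suggests the following web.xml arrangement. This is an added example, not configuration from the thread or from Tomcat's documentation: it reuses the role names and the file name importantLegacyJsp.jsp from Sebastian's example further down this page, and the servlet name ImportantLegacyJsp is an assumption. The idea is to declare the standalone JSP as a named servlet via <jsp-file>, so that a <security-role-ref> can be attached to it, and to map that servlet to the JSP's exact path so requests for it hit this declaration rather than the default *.jsp mapping.

```xml
<!-- Added example, not from the thread: a standalone JSP declared as a named
     servlet so it can carry its own <security-role-ref>. -->
<servlet>
   <servlet-name>ImportantLegacyJsp</servlet-name>
   <!-- <jsp-file> replaces <servlet-class>; Tomcat's JSP servlet compiles and runs it -->
   <jsp-file>/importantLegacyJsp.jsp</jsp-file>
   <security-role-ref>
      <!-- name the JSP passes to request.isUserInRole() -->
      <role-name>admin</role-name>
      <!-- name the Realm actually reports (here: the LDAP group) -->
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>

<!-- An exact-path mapping takes precedence over the extension mapping (*.jsp),
     so requests for this file are dispatched through the declaration above. -->
<servlet-mapping>
   <servlet-name>ImportantLegacyJsp</servlet-name>
   <url-pattern>/importantLegacyJsp.jsp</url-pattern>
</servlet-mapping>
```

Two checks before relying on this: the Servlet specification requires the <role-link> value to be a role declared in a <security-role> element, so declare company-application-admin there as well; and the mapping only helps when the JSP is requested by that path. A forward or include that reaches the file via a different mapping resolves isUserInRole() against a different servlet declaration and will not see the reference. Filters are, as Mark says, not covered at all by this approach.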


RE: Mapping role names to groups

Posted by Sebastian Trost <se...@dms-ag.ch>.
-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com] 
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that.
>>>>
>>>> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element. Therefore, it doesn't work with JSPs or filters which are not servlets.
>>

> Isn't a JSP page ultimately translated into a servlet ?


I don't know. You tell me! ;)
My knowledge is very limited and as far as I know, you can have servlets but also standalone JSP files (which still can use isUserInRole()). While adding the <security-role-ref> tag to the <servlet> element works with the servlet, it doesn't work with the standalone JSP file. 

Example:

Authentication and authorization is done with LDAP.
Due to company policy the admin-role must be named "company-application-admin". The application has one servlet named FooServlet and one JSP file called importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:

<security-role>
   <description>Application admin role</description>
   <role-name>admin</role-name>
</security-role>

Also in the web.xml the servlet is defined like this:

<servlet>
   <servlet-name>FooServlet</servlet-name>
   <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
   <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>


Calling request.isUserInRole("admin") inside the servlet FooServlet will return "true", because of the security-role-ref element inside the servlet element. Everything works fine and as intended. The user then opens importantLegacyJsp.jsp, which also calls request.isUserInRole("admin"). Now that method will return false, because the mapping is only defined inside the servlet element. 

It seems that there doesn't exist a way to make that work without creating a custom realm. 

Regards
Sebastian Trost

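The filter-based workaround Christopher Schultz suggested in the 2009 thread, written out here as an added example (this is not code from the thread, from Tomcat, or from any of the posters). It wraps the request so that every isUserInRole() call downstream of the filter, whether in FooServlet, in importantLegacyJsp.jsp, or in another filter, is translated from the application's role name to the group name the Realm reports. The package name, the class name and the init-param convention (one parameter per role, named role.<application role>, following Mark's preference for multiple elements over a single special-syntax value) are assumptions. The javax.servlet API matches the Tomcat versions current when this thread was written; Tomcat 10 and later use jakarta.servlet instead.

```java
package example.roles; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Added example: translates application role names to the group names the
 * Realm reports, for every isUserInRole() call made after this filter runs.
 *
 * Configured with one init-param per role, for example
 *   role.admin = company-application-admin
 * Roles without a mapping are passed through unchanged.
 */
public class RoleMappingFilter implements Filter {

    private static final String PREFIX = "role.";

    private Map<String, String> roleToGroup = Collections.emptyMap();

    @Override
    public void init(FilterConfig config) {
        Map<String, String> mapping = new HashMap<>();
        Enumeration<String> names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!name.startsWith(PREFIX) || name.length() == PREFIX.length()) {
                continue; // not one of ours
            }
            String group = config.getInitParameter(name).trim();
            if (!group.isEmpty()) {
                mapping.put(name.substring(PREFIX.length()), group);
            }
        }
        // Immutable after init: the map is shared by every request thread.
        roleToGroup = Collections.unmodifiableMap(mapping);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new MappedRequest((HttpServletRequest) request, roleToGroup);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Request wrapper that rewrites the role name before asking the container. */
    static final class MappedRequest extends HttpServletRequestWrapper {

        private final Map<String, String> roleToGroup;

        MappedRequest(HttpServletRequest request, Map<String, String> roleToGroup) {
            super(request);
            this.roleToGroup = roleToGroup;
        }

        @Override
        public boolean isUserInRole(String role) {
            if (role == null) {
                return false;
            }
            String group = roleToGroup.get(role);
            // Unmapped names fall through unchanged, so existing checks keep working.
            return super.isUserInRole(group != null ? group : role);
        }
    }
}
```

Register it in web.xml with a <filter-mapping> on /* and <dispatcher> entries for REQUEST, FORWARD and INCLUDE, and list it before any other filter so the rest of the chain sees the mapped names. Two caveats a practitioner should keep in mind: <auth-constraint> elements in web.xml are enforced by Tomcat's authenticator before any filter runs, so they must still name the group the Realm reports (company-application-admin), not the application role; and because the mapping lives in web.xml, changing it means redeploying the application, which is the same restart problem Mark raises for server.xml.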


Re: Mapping role names to groups

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 04.10.2017 10:20, Sebastian Trost wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
>
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that.
>>>
>>> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other solution than this?
>
>> security-role-ref ?
>
> AFAIK, <security-role-ref> is only valid within the <servlet> element. Therefore, it doesn't work with JSPs or filters which are not servlets.
>

Isn't a JSP page ultimately translated into a servlet ?


> Regards
> Sebastian Trost
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>




RE: Mapping role names to groups

Posted by Sebastian Trost <se...@dms-ag.ch>.
-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Mapping role names to groups

On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>> 
>> I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that. 
>> 
>> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
>> 
>> It has now been eight years and I'm wondering if there is still no other solution than this?

> security-role-ref ?

AFAIK, <security-role-ref> is only valid within the <servlet> element. Therefore, it doesn't work with JSPs or filters which are not servlets. 

Regards
Sebastian Trost



Re: Mapping role names to groups

Posted by Mark Thomas <ma...@apache.org>.
On 03/10/17 14:01, Sebastian Trost wrote:
> Hi!
> 
> I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that. 
> 
> Original mail: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
> Response from Christopher Schultz: http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C4A7AF405.7090403@christopherschultz.net%3E
> 
> It has now been eight years and I'm wondering if there is still no other solution than this?

security-role-ref ?

Mark
