Posted to users@tomcat.apache.org by Jakub 1983 <jj...@gmail.com> on 2013/04/19 03:50:58 UTC
security-role-ref doesn't work
my tomcat users:
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat"
roles="tomcat,manager-gui,admin"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
following code fails:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sample Application</web-resource-name>
    <description>Require users to authenticate</description>
    <url-pattern>*.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminLocal</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <role-name>adminLocal</role-name>
</security-role>
<security-role-ref>
  <role-name>admin</role-name>
  <role-link>adminLocal</role-link>
</security-role-ref>
if I change security-role.role-name to admin, and in
auth-constraint.role-name also to admin, then I can log in,
but why doesn't it work with <security-role-ref> ?
regards
Jakub
Re: security-role-ref doesn't work
Posted by Jakub 1983 <jj...@gmail.com>.
Mark,
thank you very much for your clarification,
regards
Jakub
ps
anybody else interested in this topic can see here:
http://docs.oracle.com/javaee/5/tutorial/doc/bncav.html
http://docs.oracle.com/javaee/5/tutorial/doc/bncba.html#bncbb
On Fri, Apr 19, 2013 at 11:30 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/04/2013 21:47, Mark Thomas wrote:
> > On 19/04/2013 21:37, Propes, Barry L wrote:
> >> What version are you using?
> >>
> >> Mine doesn't contain this attribute pair at all...
> >>
> >> <security-role-ref>
> >> </security-role-ref>
> >
> > The version being used is irrelevant. <security-role-ref> is only valid
> > inside a <servlet> element.
> >
> > There might still be a bug here - I'm currently looking at the source to
> > check - but it isn't the bug the OP thinks they have found.
>
> Digging into this, Tomcat's behaviour is specification compliant.
> <security-role-ref> elements are only intended to work with a specific Servlet
> and only with calls to isUserInRole(). However, that means there are
> various places where it would be helpful to do a role mapping where it
> is not currently possible. I have started a discussion on the dev list
> about how to handle this. It will probably move to the Servlet EG unless
> I have missed something obvious.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: security-role-ref doesn't work
Posted by Mark Thomas <ma...@apache.org>.
On 19/04/2013 21:47, Mark Thomas wrote:
> On 19/04/2013 21:37, Propes, Barry L wrote:
>> What version are you using?
>>
>> Mine doesn't contain this attribute pair at all...
>>
>> <security-role-ref>
>> </security-role-ref>
>
> The version being used is irrelevant. <security-role-ref> is only valid
> inside a <servlet> element.
>
> There might still be a bug here - I'm currently looking at the source to
> check - but it isn't the bug the OP thinks they have found.
Digging into this, Tomcat's behaviour is specification compliant.
<security-role-ref> elements are only intended to work with a specific Servlet
and only with calls to isUserInRole(). However, that means there are
various places where it would be helpful to do a role mapping where it
is not currently possible. I have started a discussion on the dev list
about how to handle this. It will probably move to the Servlet EG unless
I have missed something obvious.
Mark
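The behaviour described in the reply above, as an added example that is not part of the original thread: a small Python check run over the posted configuration, which reports a <security-role-ref> placed outside <servlet> and an <auth-constraint> role that no realm user holds. The <tomcat-users> and <web-app> wrappers, the "report" servlet in FIXED and the lint() function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples; users and roles are the ones posted in the thread.
USERS = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>"""
CONSTRAINT = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>Sample Application</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>{0}</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>{0}</role-name></security-role>"""
# As posted: constraint on adminLocal, role-ref directly under <web-app>.
BROKEN = f"""<web-app>
  {CONSTRAINT.format('adminLocal')}
  <security-role-ref>
    <role-name>admin</role-name><role-link>adminLocal</role-link>
  </security-role-ref>
</web-app>"""
# Assumed fix: constrain on the realm role; role-ref inside a hypothetical servlet,
# where it maps the name used in isUserInRole("adminLocal") to the role admin.
FIXED = f"""<web-app>
  <servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>example.Report</servlet-class>
    <security-role-ref>
      <role-name>adminLocal</role-name><role-link>admin</role-link>
    </security-role-ref>
  </servlet>
  {CONSTRAINT.format('admin')}
</web-app>"""

def lint(web_xml, users_xml):
    """Return findings for role wiring the container will not honour."""
    granted = {r.strip() for u in ET.fromstring(users_xml).iter("user")
               for r in u.get("roles", "").split(",")}
    web, findings = ET.fromstring(web_xml), []
    # {*} matches any or no namespace (Python 3.8+), so real web.xml files work.
    if web.findall("{*}security-role-ref"):  # direct child of <web-app>
        findings.append("security-role-ref is only valid inside <servlet>")
    for rn in web.findall(".//{*}auth-constraint/{*}role-name"):
        role = (rn.text or "").strip()
        if role not in granted | {"*"}:  # compared with realm roles as-is
            findings.append(f"no user holds role '{role}'")
    return findings
```

lint(BROKEN, USERS) returns both findings, and lint(FIXED, USERS) returns an empty list.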
Re: security-role-ref doesn't work
Posted by Mark Thomas <ma...@apache.org>.
On 19/04/2013 21:37, Propes, Barry L wrote:
> What version are you using?
>
> Mine doesn't contain this attribute pair at all...
>
> <security-role-ref>
> </security-role-ref>
The version being used is irrelevant. <security-role-ref> is only valid
inside a <servlet> element.
There might still be a bug here - I'm currently looking at the source to
check - but it isn't the bug the OP thinks they have found.
Mark
>
> -----Original Message-----
> From: Jakub 1983 [mailto:jjakub83@gmail.com]
> Sent: Thursday, April 18, 2013 8:51 PM
> To: Tomcat Users List
> Subject: security-role-ref doesn't work
>
> my tomcat users:
> <role rolename="tomcat"/>
> <role rolename="role1"/>
> <role rolename="manager-gui"/>
> <role rolename="admin"/>
> <user username="tomcat" password="tomcat"
> roles="tomcat,manager-gui,admin"/>
> <user username="both" password="tomcat" roles="tomcat,role1"/>
> <user username="role1" password="tomcat" roles="role1"/>
>
> following code fails:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Sample Application</web-resource-name>
> <description>Require users to authenticate</description>
> <url-pattern>*.jsp</url-pattern>
> <http-method>POST</http-method>
> <http-method>GET</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>adminLocal</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <security-role>
> <role-name>adminLocal</role-name>
> </security-role>
> <security-role-ref>
> <role-name>admin</role-name>
> <role-link>adminLocal</role-link>
> </security-role-ref>
>
> if I change security-role.role-name to admin, and in auth-constraint.role-name also to admin, then I can log in,
>
> but why doesn't it work with <security-role-ref> ?
>
> regards
> Jakub
>
RE: security-role-ref doesn't work
Posted by "Propes, Barry L " <ba...@citi.com>.
What version are you using?
Mine doesn't contain this attribute pair at all...
<security-role-ref>
</security-role-ref>
-----Original Message-----
From: Jakub 1983 [mailto:jjakub83@gmail.com]
Sent: Thursday, April 18, 2013 8:51 PM
To: Tomcat Users List
Subject: security-role-ref doesn't work
my tomcat users:
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat"
roles="tomcat,manager-gui,admin"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
following code fails:
<security-constraint>
<web-resource-collection>
<web-resource-name>Sample Application</web-resource-name>
<description>Require users to authenticate</description>
<url-pattern>*.jsp</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>adminLocal</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>adminLocal</role-name>
</security-role>
<security-role-ref>
<role-name>admin</role-name>
<role-link>adminLocal</role-link>
</security-role-ref>
if I change security-role.role-name to admin, and in auth-constraint.role-name also to admin, then I can log in,
but why doesn't it work with <security-role-ref> ?
regards
Jakub