Posted to users@tomcat.apache.org by Mike Keller <mi...@gmail.com> on 2006/09/20 20:21:03 UTC

Understanding of the security-role tag in the web.xml

I am missing a key piece of information that I have not been able to
find in the past few days of searching.  How does the <security-role>
and <role-name> tag work in relation to the <auth-constraint> and
<role-name> tag?  Do they have any relation?

I am trying to change the security model of a proprietary application
and they were using the JDBC Realm Form authentication.  I want to
change it to use the JNDI Realm and go against an Oracle Internet
Directory instance for authentication.  I was able to successfully
change the security example packaged with tomcat to use this JNDI
Realm.

I have made the same changes to the proprietary app and I am
successfully authenticating but I believe I am failing authorization
somewhere.  However, I can find no code that checks for isUserInRole().
Could someone please point me in the direction of some documentation
that explains what the <security-role> tag does and how it does it
since I think that the problem lies in the fact the application is not
getting the role it is expecting?

Thanks,

Mike

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Understanding of the security-role tag in the web.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mike Keller [mailto:mikepkeller@gmail.com] 
> Subject: Re: Understanding of the security-role tag in the web.xml
> 
> I have looked at the section 12 specifically 12.3 and 12.4
> but I must be missing something.

Really have to read the whole section plus other bits and pieces of the
spec to get a handle on what's going on.  Also useful to look at the
various web.xml files that come with Tomcat's pre-packaged apps.

> I don't understand how the <security-role> tag is useful when you
> are already restricting a resource through the <auth-constraint>.

The <security-role> element is used for programmatic (app managed)
authentication and access control, not declarative (container managed)
authentication.  As you surmised, it's the <auth-constraint> element of
<security-constraint> that describes container-managed authentication.
You may use neither, either, or both declarative and programmatic
security for any given app.

> Is this meant simply to give a less abstract name to a role?

That's what the <role-link> element does within <security-role-ref>.  It
allows you to specify the role name coded into the app via the
<role-name> element, and have it translated to the actual role name used
by the container's security environment with <role-link>.  Note that
there's an error on page 91 of the 2.4 version of the spec: the sentence
near the middle of the page that starts with "A security-role element
should contain a role-link sub-element..." should be referring to a
security-role-ref element; this has been corrected in the draft 2.5
spec.

>  Also is there another way to pragmatically restrict other than
> isUserInRole().  I don't get how I am not being authorized when there
> doesn't seem to be any code in place to check this?

Pragmatically or programmatically?  When the spec talks about
programmatic security, it's referring to what APIs a web app may use,
not what a container (Tomcat) can use.  The container must expose the
APIs for app use, but may use any means necessary to internally manage
security.  What's pragmatic is pretty much dependent on how much time
you have on your hands.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

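A worked web.xml that puts the declarative and programmatic pieces Chuck describes side by side. This is an editor's example added to the archive, not code from the thread and not one of Tomcat's shipped sample descriptors. The role name 102934756.Portal.User is the OID group Mike names elsewhere in the thread; the servlet class, URL pattern and login pages are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml at the Servlet 2.4 level (what Tomcat 5.5 implements).
     Constructed for illustration; class name, paths and pages are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>PortalServlet</servlet-name>
    <servlet-class>com.example.PortalServlet</servlet-class>  <!-- assumed -->
    <!-- Programmatic side. The servlet code calls
         request.isUserInRole("Portal"); the role-link translates that
         hard-coded alias into the role name the realm actually reports. -->
    <security-role-ref>
      <role-name>Portal</role-name>
      <role-link>102934756.Portal.User</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>PortalServlet</servlet-name>
    <url-pattern>/portal/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative side. The container enforces this before any servlet
       code runs; the role-name here is the container's name for the
       role, not the alias coded into the servlet. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portal pages</web-resource-name>
      <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>102934756.Portal.User</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <!-- Declares the role the application relies on. When a servlet calls
       isUserInRole(name) and has no security-role-ref for that name, the
       container falls back to comparing name directly against this list,
       so a bare isUserInRole("Portal") with no role-ref and no
       security-role named Portal evaluates to false. -->
  <security-role>
    <role-name>102934756.Portal.User</role-name>
  </security-role>
</web-app>
```

The string that reaches both the <auth-constraint> check and isUserInRole() is whatever the configured realm returns for the authenticated user. With JNDIRealm that is the value of the directory attribute named by the realm's roleName setting, so the first thing to confirm when authentication succeeds but authorization fails is that the exact role string the realm yields (case included) matches the one named in web.xml, either directly or through a <role-link>.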


Re: Tomcat 5.5.9 not undeploying

Posted by Mark Thomas <ma...@apache.org>.
When starting a new thread (i.e. sending a message to the list about a
new topic) please do not reply to an existing message and change the
subject line. To many of the list archiving services and mail clients
used by list subscribers this makes your new message appear as part
of the old thread. This makes it harder for other users to find
relevant information when searching the lists.

This is known as thread hijacking and is behaviour that is frowned
upon on this list. Frequent offenders will be removed from the list.
It should also be noted that many list subscribers automatically
ignore any messages that hijack another thread.

The correct procedure is to create a new message with a new subject.
This will start a new thread.

Mark
tomcat-user-owner



RE: Tomcat 5.5.9 not undeploying

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Douglas Ferguson [mailto:douglas.ferguson@epsiia.com] 
> Subject: RE: Tomcat 5.5.9 not undeploying
> 
> Can this be defined globally for all contexts?

Should work, but I haven't tried it personally.  Add it to the settings
in the conf/context.xml file.

 - Chuck





RE: Tomcat 5.5.9 not undeploying

Posted by Douglas Ferguson <do...@epsiia.com>.
It is windows.

Can this be defined globally for all contexts?



RE: Tomcat 5.5.9 not undeploying

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Douglas Ferguson [mailto:douglas.ferguson@epsiia.com] 
> Subject: Tomcat 5.5.9 not undeploying
> 
> What happens is that it leaves behind a jar file in the 
> WEB-INF/lib dir.

What platform?  If it's Windows, you might want to experiment with the
antiJARLocking and antiResourceLocking attributes of your app's
<Context> tag.  See:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html
for more info.

 - Chuck



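The two attributes Chuck points at, placed in a context file, as an added example that is not from the thread and not Tomcat's shipped configuration. It is written as conf/context.xml so that the setting applies to every context, which is the global form Douglas asks about in his follow-up; the same two attributes can instead go on the <Context> element of one application's META-INF/context.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/context.xml: defaults that every web application inherits.
     Example file, not the copy Tomcat 5.5 ships with. -->
<Context antiJARLocking="true" antiResourceLocking="true">
    <!-- Reload the context when its deployment descriptor changes. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

With antiResourceLocking set, Tomcat serves the application from a copy it makes under its work directory rather than from the directory under webapps, so files edited in place are not picked up until the application is redeployed. The attributes only address the Windows file-locking case; they do nothing for an undeploy that fails for another reason.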


Tomcat 5.5.9 not undeploying

Posted by Douglas Ferguson <do...@epsiia.com>.
Sometimes when I use the manager (via cargo) to undeploy and deploy, my webapp won't actually undeploy. 

What happens is that it leaves behind a jar file in the WEB-INF/lib dir.
At first I thought this was a resource leak in my app, but the jar file is not always the same.

Is there anything I can do to prevent this? 




Re: Understanding of the security-role tag in the web.xml

Posted by Mike Keller <mi...@gmail.com>.
Chuck,
Thank you for your quick response.  I have looked at section 12,
specifically 12.3 and 12.4, but I must be missing something.  I don't
understand how the <security-role> tag is useful when you are
already restricting a resource through the <auth-constraint>.  Is this
meant simply to give a less abstract name to a role?  For example, if
the user role in the OID that I am interested in is named
102934756.Portal.User then I can map that to a simpler name like
Portal.

Also, is there another way to pragmatically restrict other than
isUserInRole()?  I don't get how I am not being authorized when there
doesn't seem to be any code in place to check this.



RE: Understanding of the security-role tag in the web.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mike Keller [mailto:mikepkeller@gmail.com] 
> Subject: Understanding of the security-role tag in the web.xml
> 
> How does the <security-role> and <role-name> tag 
> work in relation to the <auth-constraint> and
> <role-name> tag?  Do they have any relation?

This seems to be explained in section 12 of the servlet spec; have you
looked there?
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

 - Chuck


