Posted to users@tomcat.apache.org by Oliver Wulff <ol...@zurich.ch> on 2011/09/19 16:52:58 UTC

role required in auth-constraints to trigger authentication


Hi there

I'm working on the following task:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

I've configured a security constraint in my web.xml but noticed that my
custom authenticator is never triggered.

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Servlet Protected Area</web-resource-name>
                        <url-pattern>/secureservlet/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                </auth-constraint>
        </security-constraint>


Therefore, I've debugged the tomcat sources and found the following:

        // Since authenticate modifies the response on failure,
        // we have to check for allow-from-all first.
        boolean authRequired;
        if (constraints == null) {
            authRequired = false;
        } else {
            authRequired = true;
            for(i=0; i < constraints.length && authRequired; i++) {
                if(!constraints[i].getAuthConstraint()) {
                    authRequired = false;
                } else if(!constraints[i].getAllRoles()) {
                    String [] roles = constraints[i].findAuthRoles();
                    if(roles == null || roles.length == 0) {
                        authRequired = false;
                    }
                }
            }
        }

The following lines enforce that you must have configured an auth-constraint
and listed at least one role:
                    String [] roles = constraints[i].findAuthRoles();
                    if(roles == null || roles.length == 0) {
                        authRequired = false;
                    }


Why is it a requirement to configure a role in the auth-constraint?

Thanks
Oliver
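As an added illustration (not code from the thread or from Tomcat), the script below parses a constructed web.xml fragment and classifies each security-constraint the way the quoted Tomcat loop does. The Servlet specification (e.g. Servlet 3.0, section 13.8.1) defines the three cases the loop distinguishes: no auth-constraint means the resource is open to everyone, an auth-constraint that names no roles means access "must not be permitted under any circumstances", and the role name `*` is shorthand for all roles declared in the descriptor. That is why Tomcat sets `authRequired = false` for an empty auth-constraint: the request will be rejected regardless of who sends it, so there is nothing to authenticate. `tomcat_auth_required` mirrors the quoted loop; `lint_web_xml` is a hypothetical helper that flags empty auth-constraints, which usually signal a mismatch between what the deployer meant ("any logged-in user") and what the descriptor says ("nobody").

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (no namespace for brevity; the parser strips
# namespaces anyway, so a real descriptor with xmlns works too).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Servlet Protected Area</web-resource-name>
      <url-pattern>/secureservlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Any declared role</web-resource-name>
      <url-pattern>/anyrole/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit('}', 1)[-1]


def parse_constraints(web_xml):
    """Return [(url_patterns, roles)] per <security-constraint>.

    roles is None when there is no <auth-constraint> at all, an empty list
    when the element is present but names no roles, else the role names.
    """
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns = [p.text.strip()
                    for wrc in sc if _local(wrc.tag) == 'web-resource-collection'
                    for p in wrc if _local(p.tag) == 'url-pattern' and p.text]
        auth = [ac for ac in sc if _local(ac.tag) == 'auth-constraint']
        if not auth:
            roles = None
        else:
            roles = [r.text.strip() for r in auth[0]
                     if _local(r.tag) == 'role-name' and r.text and r.text.strip()]
        result.append((patterns, roles))
    return result


def tomcat_auth_required(matching):
    """Mirror of the quoted AuthenticatorBase loop.

    `matching` is the role list of every constraint that matches the request
    (None = no <auth-constraint>); an empty `matching` is Tomcat's
    `constraints == null` case.
    """
    if not matching:
        return False                 # no constraint matched: open resource
    for roles in matching:
        if roles is None:
            return False             # !getAuthConstraint(): allow-from-all
        if '*' in roles:
            continue                 # getAllRoles(): any declared role will do
        if len(roles) == 0:
            return False             # deny-to-all: reject without a login prompt
    return True


def classify(roles):
    """Human-readable outcome for one constraint's role list."""
    if roles is None:
        return 'public'
    if len(roles) == 0:
        return 'deny-all'            # spec: not permitted under any circumstances
    return 'auth-required'


def lint_web_xml(web_xml):
    """Hypothetical lint: map each url-pattern to its effective outcome."""
    return {pattern: classify(roles)
            for patterns, roles in parse_constraints(web_xml)
            for pattern in patterns}


if __name__ == '__main__':
    for pattern, outcome in lint_web_xml(WEB_XML).items():
        flag = '  <-- empty <auth-constraint>, nobody can reach this' if outcome == 'deny-all' else ''
        print(f'{pattern:20} {outcome}{flag}')
```

Run against the sample, `/secureservlet/*` comes out as `deny-all`: the custom authenticator is never invoked because Tomcat will answer 403 to everyone, authenticated or not. Naming a role (or `*`) is what turns the constraint into one that requires authentication.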








---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Reply: Re: role required in auth-constraints to trigger authentication

Posted by Oliver Wulff <ol...@zurich.ch>.
oh, really -  RTFS ;-)

I had the firm conviction that the use case where a user is
authenticated but not further authorized is required. The workaround is to add a
default role "Authenticated" in the Authenticator if required.

Thanks
Oli





From:	Mark Thomas <ma...@apache.org>
To:	Tomcat Users List <us...@tomcat.apache.org>
Date:	09/19/2011 04:57 PM
Subject:	Re: role required in auth-constraints to trigger authentication



On 19/09/2011 15:52, Oliver Wulff wrote:

> Why is it a requirement to configure a role in the auth-constraint?

You need to read the Servlet specification.

Mark











Re: role required in auth-constraints to trigger authentication

Posted by Mark Thomas <ma...@apache.org>.
On 19/09/2011 15:52, Oliver Wulff wrote:

> Why is it a requirement to configure a role in the auth-constraint?

You need to read the Servlet specification.

Mark
