Posted to users@tomcat.apache.org by Stefan Mayr <st...@mayr-stefan.de> on 2013/08/23 20:10:49 UTC
Re: Mapping security role outside of servlet specification
On 11.06.2013 19:42, Felix Schumacher wrote:
> On 05.06.2013 13:42, Ilya Kazakevich wrote:
>> Hello,
>>
>> I use "probe" app for several tomcats.
>> Its security model is based on servlet API security: security roles and
>> constraints are provided in web.xml and mapped for each servlet it has.
>> I use JNDIRealm to authenticate users via LDAP (actually AD is used).
>> I want to grant access to Probe on "Tomcat1" installation for people from
>> "Group1" and to "Tomcat2" to people from "Group2".
>> But "manager" group is hard-coded in web.xml inside of probe!
>>
>> I want to map group "Group1" from LDAP realm to role "manager" in tomcat.
>> How can I do that?
>> I can't use "security-role-ref" because I should put in <servlet> tag,
>> so I can't do that on tomcat level.
>> There is "security-role-mapping" tag in some servers but it is
>> proprietary and not supported by tomcat.
>>
>> So the only way for me is to extract .war file and patch web.xml.
> That is the way, we do it at work. For probe, that is.
>
> For other applications we are using different Attributes in the ldap
> group objects to map to different names for the role.
>
> Greetings
> Felix
>>
>> What is the best way to solve it?
>>
>> Ilya.
What would be the best way to do this on the tomcat level? I would like
to add a simple mapping.properties to our tomcat installations
containing the individual mappings in the form of "security-role=jndi-role".
I see multiple options:
1. create a nestable realm to wrap around the JNDIRealm (Tomcat7)
2. create an own realm extending JNDIRealm
3. provide a patch to JNDIRealm
pseudo-code for overriding hasRole could be like this
    public boolean hasRole(..) {
        String mappedRole = mapping.getProperty(role);
        if((mappedRole != null) && super.hasRole(..,mappedRole)) {
            return true;
        } else {
            return false;
        }
    }
I'm not sure whether it is also required to override the authenticate
methods which return the principal object.
Any recommendations?
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
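
A stand-alone model of the mapping proposed in the message above, added here as an illustration; it is not code from the thread or from Tomcat. `DelegateRealm` is a hypothetical stand-in for the wrapped JNDIRealm, and the users and groups are constructed. It shows two consequences of that `hasRole`: a role with no mapping entry is always denied, and a directory group that happens to carry the application role's own name stops matching.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class RoleMappingDemo {

    /** Hypothetical stand-in for the wrapped realm's role check (e.g. JNDIRealm). */
    interface DelegateRealm {
        boolean hasRole(String user, String realmRole);
    }

    static final class MappingRealm {
        private final Properties mapping = new Properties();
        private final DelegateRealm delegate;

        /** mappingProperties holds lines of the form "security-role=jndi-role". */
        MappingRealm(String mappingProperties, DelegateRealm delegate) throws IOException {
            this.mapping.load(new StringReader(mappingProperties));
            this.delegate = delegate;
        }

        /** Grant only if the application role is mapped and the delegate grants the mapped role. */
        boolean hasRole(String user, String role) {
            String mappedRole = mapping.getProperty(role);
            if (mappedRole == null || mappedRole.trim().isEmpty()) {
                return false; // unmapped or blank entry: fail closed
            }
            return delegate.hasRole(user, mappedRole.trim());
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed directory data: user -> LDAP groups.
        Map<String, Set<String>> groups = Map.of(
                "alice", Set.of("Group1"),
                "bob", Set.of("Group2", "manager"));
        DelegateRealm ldap = (user, r) -> groups.getOrDefault(user, Set.of()).contains(r);

        // One mapping.properties per installation, as in the original question.
        MappingRealm tomcat1 = new MappingRealm("manager=Group1\n", ldap);
        MappingRealm tomcat2 = new MappingRealm("manager=Group2\n", ldap);

        System.out.println("alice/manager on Tomcat1: " + tomcat1.hasRole("alice", "manager"));
        System.out.println("alice/manager on Tomcat2: " + tomcat2.hasRole("alice", "manager"));
        // bob is in an LDAP group literally named "manager", but Tomcat1 maps manager to Group1.
        System.out.println("bob/manager on Tomcat1: " + tomcat1.hasRole("bob", "manager"));
        // "probeuser" has no entry in mapping.properties.
        System.out.println("alice/probeuser on Tomcat1: " + tomcat1.hasRole("alice", "probeuser"));
    }
}
```
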
Re: Mapping security role outside of servlet specification
Posted by Stefan Mayr <st...@mayr-stefan.de>.
On 23.08.2013 20:10, Stefan Mayr wrote:
> On 11.06.2013 19:42, Felix Schumacher wrote:
>> On 05.06.2013 13:42, Ilya Kazakevich wrote:
>>> Hello,
>>>
>>> I use "probe" app for several tomcats.
>>> Its security model is based on servlet API security: security roles and
>>> constraints are provided in web.xml and mapped for each servlet it has.
>>> I use JNDIRealm to authenticate users via LDAP (actually AD is used).
>>> I want to grant access to Probe on "Tomcat1" installation for people
>>> from "Group1" and to "Tomcat2" to people from "Group2".
>>> But "manager" group is hard-coded in web.xml inside of probe!
>>>
>>> I want to map group "Group1" from LDAP realm to role "manager" in tomcat.
>>> How can I do that?
>>> I can't use "security-role-ref" because I should put in <servlet> tag,
>>> so I can't do that on tomcat level.
>>> There is "security-role-mapping" tag in some servers but it is
>>> proprietary and not supported by tomcat.
>>>
>>> So the only way for me is to extract .war file and patch web.xml.
>> That is the way, we do it at work. For probe, that is.
>>
>> For other applications we are using different Attributes in the ldap
>> group objects to map to different names for the role.
>>
>> Greetings
>> Felix
>>>
>>> What is the best way to solve it?
>>>
>>> Ilya.
>
> What would be the best way to do this on the tomcat level? I would like
> to add a simple mapping.properties to our tomcat installations
> containing the individual mappings in the form of
> "security-role=jndi-role".
>
> I see multiple options:
> 1. create a nestable realm to wrap around the JNDIRealm (Tomcat7)
> 2. create an own realm extending JNDIRealm
> 3. provide a patch to JNDIRealm
>
> pseudo-code for overriding hasRole could be like this
>
>     public boolean hasRole(..) {
>         String mappedRole = mapping.getProperty(role);
>         if((mappedRole != null) && super.hasRole(..,mappedRole)) {
>             return true;
>         } else {
>             return false;
>         }
>     }
>
> I'm not sure whether it is also required to override the authenticate
> methods which return the principal object.
>
> Any recommendations?
>
> Stefan
I've created a bugzilla entry and attached a prototype for option 1:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55477
I only tested with a UserDatabaseRealm so far. I hope to find some time
at work to test it with a JNDIRealm.
Stefan