Posted to users@tomcat.apache.org by Antony Bowesman <ad...@teamware.com> on 2001/10/23 15:56:00 UTC

Can't get SecurityRoleRef/Tomcat4 working

Hi,

I can't get the <security-role-ref> to work in Tomcat 4 with the
security JSP.

I have added the following

<%
  if (request.isUserInRole("Admin")) {
%>
    User is in Admin role
<%
  } else {
%>
    User is NOT in Admin role
<%
  }
%>

to jsp/security/protected/index.jsp in the distribution to Tomcat 4.

As security-role-ref is part of a servlet element of web.xml, how do you
specify this with a JSP?

I tried adding the following to web.xml

    <servlet>
         <servlet-name>
             Protected
         </servlet-name>
         <jsp-file>/jsp/security/protected/index.jsp</jsp-file>
        <security-role-ref>
            <description>Link between Admin and sysadmin</description>
            <role-name>Admin</role-name>
            <role-link>Tomcat</role-link>
        </security-role-ref>
    </servlet>

My user authenticates and is given the role 'Tomcat' but the Realm
hasRole() method is called with 'Admin'.

The code in HttpRequestBase does

    public boolean isUserInRole(String role) {
...
        if (wrapper != null) {
            String realRole = wrapper.findSecurityReference(role);
            if ((realRole != null) &&
                realm.hasRole(userPrincipal, realRole))
                return (true);
        }

to map the servlet role to security-role so I guess I have not got
web.xml set up properly.

Any ideas?

Antony
--
Antony Bowesman
Teamware Group 
adb@teamware.com
phone: +358 9 5128 2562
fax  : +358 9 5128 2705

intra / extra / Internet solutions at www.teamware.com

Re: Can't get SecurityRoleRef/Tomcat4 working

Posted by Antony Bowesman <ad...@teamware.com>.
Hi Craig,

"Craig R. McClanahan" wrote:
> 
> Unless you have changed something in tomcat-users.xml, the role
> assigned to the "tomcat" user is "tomcat", not "Tomcat".  Role
> names, like pretty much everything else in servlets and JSPs,
> are case sensitive.

Sorry, I should have mentioned, I am using my own JAAS realm and have my
own login modules.  I am currently assigning 'Tomcat' as the role in my
test login.

The question still applies: how do you get the role-ref mapping
configured in web.xml when the servlet is a JSP?

Rgds
Antony

Re: Can't get SecurityRoleRef/Tomcat4 working

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Unless you have changed something in tomcat-users.xml, the role assigned
to the "tomcat" user is "tomcat", not "Tomcat".  Role names, like pretty
much everything else in servlets and JSPs, are case sensitive.

Craig


On Tue, 23 Oct 2001, Antony Bowesman wrote:

> Date: Tue, 23 Oct 2001 16:56:00 +0300
> From: Antony Bowesman <ad...@teamware.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: TomcatUser <to...@jakarta.apache.org>
> Subject: Can't get SecurityRoleRef/Tomcat4 working
>
> Hi,
>
> I can't get the <security-role-ref> to work in Tomcat 4 with the
> security JSP.
>
> I have added the following
>
> <%
>   if (request.isUserInRole("Admin")) {
> %>
>     User is in Admin role
> <%
>   } else {
> %>
>     User is NOT in Admin role
> <%
>   }
> %>
>
> to jsp/security/protected/index.jsp in the distribution to Tomcat 4.
>
> As security-role-ref is part of a servlet element of web.xml, how do you
> specify this with a JSP?
>
> I tried adding the following to web.xml
>
>     <servlet>
>          <servlet-name>
>              Protected
>          </servlet-name>
>          <jsp-file>/jsp/security/protected/index.jsp</jsp-file>
>         <security-role-ref>
>             <description>Link between Admin and sysadmin</description>
>             <role-name>Admin</role-name>
>             <role-link>Tomcat</role-link>
>         </security-role-ref>
>     </servlet>
>
> My user authenticates and is given the role 'Tomcat' but the Realm
> hasRole() method is called with 'Admin'.
>
> The code in HttpRequestBase does
>
>     public boolean isUserInRole(String role) {
> ...
>         if (wrapper != null) {
>             String realRole = wrapper.findSecurityReference(role);
>             if ((realRole != null) &&
>                 realm.hasRole(userPrincipal, realRole))
>                 return (true);
>         }
>
> to map the servlet role to security-role so I guess I have not got
> web.xml set up properly.
>
> Any ideas?
>
> Antony
> --
> Antony Bowesman
> Teamware Group
> adb@teamware.com
> phone: +358 9 5128 2562
> fax  : +358 9 5128 2705
>
> intra / extra / Internet solutions at www.teamware.com
>
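
An added example, not part of the thread and not Tomcat code: a small Python check that applies the case-sensitivity point above to a deployment descriptor, flagging any `<role-link>` that does not exactly match a declared `<security-role>`. The sample descriptor is constructed for illustration, and the check assumes a DTD-style web.xml without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the poster's real web.xml).
SAMPLE_WEB_XML = """
<web-app>
  <servlet>
    <servlet-name>
      Protected
    </servlet-name>
    <jsp-file>/jsp/security/protected/index.jsp</jsp-file>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>Tomcat</role-link>
    </security-role-ref>
  </servlet>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
"""

def text(elem, tag):
    """Return the stripped text of a child element, or '' if absent."""
    return (elem.findtext(tag) or "").strip()

def lint_role_links(web_xml):
    """Return (servlet, role-name, role-link, problem) for each bad role-link."""
    root = ET.fromstring(web_xml)
    declared = {text(r, "role-name") for r in root.iter("security-role")}
    by_lower = {name.lower(): name for name in declared}
    findings = []
    for servlet in root.iter("servlet"):
        name = text(servlet, "servlet-name")
        for ref in servlet.iter("security-role-ref"):
            alias, link = text(ref, "role-name"), text(ref, "role-link")
            if link in declared:
                continue  # exact, case-sensitive match: nothing to report
            near = by_lower.get(link.lower())
            problem = (f"case differs from declared role '{near}'"
                       if near else "role not declared")
            findings.append((name, alias, link, problem))
    return findings

if __name__ == "__main__":
    for finding in lint_role_links(SAMPLE_WEB_XML):
        print("servlet=%s role-name=%s role-link=%s: %s" % finding)
```

The check covers only consistency inside web.xml; whether the realm actually grants the linked role to the user is a separate question.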