Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/04/29 23:58:14 UTC
DO NOT REPLY [Bug 19444] New: JNDI Authentication roles must be anonymous accessible
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19444>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19444
Summary: JNDI Authentication roles must be anonymous accessible
Product: Tomcat 4
Version: 4.1.24
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: art_w@eastpoint.com
It appears that for the JNDIRealm to be able to locate roles, they must be
anonymously accessible. I believe that for security purposes this should not be
necessary if we are validating the user by binding to the directory. In that
case the roles could be accessible to any bound user or that particular user. I
discussed this very briefly on the Tomcat user list. It sounds like this had
been discussed previously and for whatever reason, the idea was rejected. Anyhow, I
submit that there is a bug, either in the code - which requires the roles to be
anonymous, or in the documentation which does not make it clear that this is
the case (at least in "Tomcat 4 Servlet/JSP Container - Realm Configuration
HOW-TO"). It seems reasonable to me that if we are binding to the directory to
authenticate, we would have that user's access to roles. Perhaps the
documentation should more explicitly state that this is not the case.
In the hope that it would be accepted as an enhancement, I am going to attempt
to attach a modified JNDIRealm that uses the authenticated connection to obtain
the roles.
Thank You,
Art
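The approach the report proposes (authenticate by binding as the user, then run the role search on that same bound connection rather than anonymously), as an added illustration that is not Tomcat's JNDIRealm code nor the reporter's attachment. The server URL, DN patterns, filter and attribute name are assumed values.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
/*
 * Illustrative only (not Tomcat's JNDIRealm): bind as the user to authenticate,
 * then search for roles on that same bound connection, so the role branch does
 * not need to be readable anonymously. URL, DN patterns and attribute names are assumed.
 */
public class BoundRoleLookup {
    static final String URL = "ldap://ldap.example.com:389";                   // assumed
    static final String USER_PATTERN = "uid={0},ou=people,dc=example,dc=com";  // assumed
    static final String ROLE_BASE = "ou=groups,dc=example,dc=com";             // assumed
    static final String ROLE_SEARCH = "(member={0})";                          // assumed
    static final String ROLE_NAME = "cn";                                      // assumed
    /** Returns the user's role names, or null when the bind (authentication) fails. */
    public static List<String> authenticateAndGetRoles(String username, String password)
            throws NamingException {
        // RFC 4513: a DN with an empty password is an unauthenticated bind, which
        // many servers accept; reject it here rather than treating it as success.
        if (password == null || password.isEmpty()) return null;
        String userDn = USER_PATTERN.replace("{0}", username);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx;
        try { ctx = new InitialDirContext(env); }  // the bind itself is the password check
        catch (AuthenticationException e) { return null; }
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { ROLE_NAME });
            List<String> roles = new ArrayList<>();
            // filterArgs substitute {0} with LDAP filter escaping, so userDn cannot
            // alter the filter; the search runs with the user's own directory rights.
            NamingEnumeration<SearchResult> results =
                    ctx.search(ROLE_BASE, ROLE_SEARCH, new Object[] { userDn }, sc);
            while (results.hasMore()) {
                Attribute name = results.next().getAttributes().get(ROLE_NAME);
                if (name != null) roles.add(String.valueOf(name.get()));
            }
            return roles;
        } finally {
            ctx.close();  // per-user connection; never reuse it for another user
        }
    }
}
```

The username is substituted into the DN pattern without RFC 4514 escaping, so a real realm must validate or escape it before building the bind DN. Role visibility then depends on the directory's ACLs granting the bound user read access to the role entries, which is exactly the requirement the report wants instead of anonymous read.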