Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/04/29 23:58:14 UTC

DO NOT REPLY [Bug 19444] New: - JNDI Authentication roles must be anonymous accessible

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19444>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19444


           Summary: JNDI Authentication roles must be anonymous accessible
           Product: Tomcat 4
           Version: 4.1.24
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: art_w@eastpoint.com


It appears that for the JNDIRealm to be able to locate roles, they must be 
anonymously accessible. I believe that for security purposes this should not be 
necessary if we are validating the user by binding to the directory. In that 
case the roles could be accessible to any bound user or that particular user. I 
discussed this very briefly on the Tomcat user list. It sounds like this had 
been discussed previously and for whatever reason, the idea rejected. Anyhow, I 
submit that there is a bug, either in the code - which requires the roles to be 
anonymously accessible, or in the documentation which does not make it clear 
that this is the case (at least in "Tomcat 4 Servlet/JSP Container - Realm 
Configuration HOW-TO"). It seems reasonable to me that if we are binding to the 
directory to authenticate, we would have that user's access to roles. Perhaps 
the documentation should more explicitly state that this is not the case.

In the hope that it would be accepted as an enhancement, I am going to attempt 
to attach a modified JNDIRealm that uses the authenticated connection to obtain 
the roles.

Thank You,
Art
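The approach the report proposes, bind as the user to authenticate and then run the role search over that same authenticated connection, is illustrated below as an added example. It is not Tomcat's JNDIRealm and not the modified realm the reporter says he will attach; the class name, the directory URL, the role base, the role search filter and the role attribute are assumed values chosen for the illustration, shaped after the roleBase/roleSearch/roleName attributes the JNDIRealm documentation uses.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Illustration of "bind as the user, then look up roles as that user".
 * Not Tomcat's JNDIRealm; all directory settings below are hypothetical.
 */
public class BoundRoleLookup {

    // Hypothetical directory settings used only for this example.
    static final String PROVIDER_URL = "ldap://ldap.example.invalid:389";
    static final String ROLE_BASE    = "ou=groups,dc=example,dc=invalid";
    static final String ROLE_SEARCH  = "(uniqueMember={0})";  // {0} = user DN
    static final String ROLE_NAME    = "cn";

    /**
     * Binds as userDn with the supplied password. If the bind succeeds the
     * user's role names are returned, looked up with that user's own
     * directory permissions. Returns null when the bind fails, so roles are
     * never produced for a user who did not authenticate.
     */
    public static List<String> authenticate(String userDn, String password) {
        // Reject empty credentials explicitly: many directories treat a bind
        // with an empty password as an anonymous bind that "succeeds".
        if (userDn == null || password == null || password.isEmpty()) {
            return null;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            // Creating the context performs the bind; the bind is the check.
            ctx = new InitialDirContext(env);
            // The role search reuses the bound context, so the roles only
            // need to be readable by the authenticated user, not anonymously.
            return findRoles(ctx, userDn);
        } catch (NamingException e) {
            // AuthenticationException (bad credentials) is a NamingException;
            // any failure here means the user is not authenticated.
            return null;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Runs the role search on an already-bound context. */
    static List<String> findRoles(DirContext ctx, String userDn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { ROLE_NAME });

        List<String> roles = new ArrayList<>();
        // Passing the DN as a filter argument lets JNDI escape it, instead of
        // splicing it into the filter string by hand.
        NamingEnumeration<SearchResult> results =
            ctx.search(ROLE_BASE, ROLE_SEARCH, new Object[] { userDn }, controls);
        while (results.hasMore()) {
            SearchResult entry = results.next();
            Attribute attr = entry.getAttributes().get(ROLE_NAME);
            if (attr != null) {
                roles.add(attr.get().toString());
            }
        }
        return roles;
    }
}
```

With this shape the directory ACLs can restrict the group entries to authenticated users (or to the member in question) and nothing in the realm needs anonymous read access; the trade-off is that every role lookup now depends on the user's own read permission on the group subtree, so a directory that hides group membership from its members will return an empty role list.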
