Posted to users@tomcat.apache.org by David Marsh <dm...@outlook.com> on 2015/03/30 13:09:47 UTC

User Realm based Authorisation with Tomcat 8

So I have SPNEGO working and I want to use the JNDI realm for authorisation.

I have this configured :-

      <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://win-dc01.kerbtest.local:389"
          userBase="ou=Users,dc=kerbtest,dc=local"
          userSearch="(uid={0})"
          userRoleName="memberOf"
          roleBase="ou=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(uniqueMember={0})"/>

I would like to use AD groups to control authorisation in my application.

However, currently it appears the tomcat-users file is being used :-

  <user username="test" password="testpass" roles="manager-gui"/>

How do I configure the Tomcat Manager web app to use the realm and ignore the users file?

Alternatively, is there other example code I can use with the JNDI realm?

Many thanks

David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: User Realm based Authorisation with Tomcat 8

Posted by David Marsh <dm...@outlook.com>.
No worries, fixed it :-

      <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://win-dc01.kerbtest.local:389"
          userBase="cn=Users,dc=kerbtest,dc=local"
          userSearch="(cn={0})"
          userRoleName="memberOf"
          roleBase="cn=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(member={0})"
          debug="9"/>

Seems uniqueMember is no good as I have multiple groups...

----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:50:52 +0100


RE: User Realm based Authorisation with Tomcat 8

Posted by David Marsh <dm...@outlook.com>.
OK, so I fixed my Realm :-

      <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://win-dc01.kerbtest.local:389"
          userBase="cn=Users,dc=kerbtest,dc=local"
          userSearch="(cn={0})"
          userRoleName="memberOf"
          roleBase="cn=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(uniqueMember={0})"
          debug="9"/>

        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
<!--
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
-->

However, the AD group 'manager-gui' does not automatically become a role. How do I define the group-to-role mapping?

Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 04 00 04 00 ]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD7B088BEE077787CFD21FE4BC6]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test does NOT have role manager-gui
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test


Thanks!

David

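The following is an added example, not code from this thread or from Tomcat, that simulates in Python how JNDIRealm assembles a user's role list from the two sources the Realm elements above configure: the raw values of the user's memberOf attribute, and the cn of every group entry matched by roleSearch with {0} replaced by the user's DN. Run against a constructed AD-style directory, it reproduces why the log above reports that test does NOT have role manager-gui while the realm is configured with (uniqueMember={0}) (the principal only carries the full group DN, which never equals "manager-gui"), and why (member={0}) with roleName="cn" makes the check pass. The directory entries, the toy single-equality filter evaluator and the function names are assumptions of this example.

```python
import re

# Constructed AD-like directory (an assumption, not data from the thread): one user and two
# groups keyed by DN. AD groups list their members in "member"; "uniqueMember" never appears.
USER_DN = "CN=test,CN=Users,DC=kerbtest,DC=local"
DIRECTORY = {
    USER_DN: {"cn": ["test"],
              "memberOf": ["CN=manager-gui,CN=Users,DC=kerbtest,DC=local",
                           "CN=app-users,CN=Users,DC=kerbtest,DC=local"]},
    "CN=manager-gui,CN=Users,DC=kerbtest,DC=local": {"cn": ["manager-gui"], "member": [USER_DN]},
    "CN=app-users,CN=Users,DC=kerbtest,DC=local": {"cn": ["app-users"], "member": [USER_DN]},
}

def ldap_search(base, filter_expr):
    """Toy evaluator for one equality filter such as "(member=<dn>)", scoped to entries under base."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", filter_expr)
    if not m:
        raise ValueError("unsupported filter: " + filter_expr)
    attr, value = m.group(1), m.group(2)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and value.lower() in (v.lower() for v in entry.get(attr, []))]

def jndi_realm_roles(user_dn, user_role_name, role_base, role_search, role_name):
    """Mirror JNDIRealm's role collection: every value of userRoleName on the user entry is taken
    verbatim (so memberOf contributes full group DNs), then roleName is read from each entry that
    roleSearch matches with {0} replaced by the user's DN."""
    roles = list(DIRECTORY[user_dn].get(user_role_name, []))
    for dn in ldap_search(role_base, role_search.replace("{0}", user_dn)):
        roles.extend(DIRECTORY[dn][role_name])
    return roles

def has_role(roles, required):
    """RealmBase.hasRole compares role names exactly, so a group DN never equals "manager-gui"."""
    return required in roles

ROLE_BASE = "cn=Users,dc=kerbtest,dc=local"
# Realm as first posted: uniqueMember is the groupOfUniqueNames convention, not AD's.
before = jndi_realm_roles(USER_DN, "memberOf", ROLE_BASE, "(uniqueMember={0})", "cn")
# Realm as fixed: member is what AD groups actually carry, and roleName="cn" strips the DN.
after = jndi_realm_roles(USER_DN, "memberOf", ROLE_BASE, "(member={0})", "cn")

if __name__ == "__main__":
    print("uniqueMember roles:", before, "-> manager-gui?", has_role(before, "manager-gui"))
    print("member roles:      ", after, "-> manager-gui?", has_role(after, "manager-gui"))
```

Note that even with the fixed roleSearch the principal still carries the memberOf DNs alongside the bare group names, which is what the "Checking roles GenericPrincipal[...]" line in the log is printing.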