On 23.08.2013 20:10, Stefan Mayr wrote:
On 11.06.2013 19:42, Felix Schumacher wrote:
On 05.06.2013 13:42, Ilya Kazakevich wrote:
Hello,

I use the "probe" app for several Tomcats.
Its security model is based on Servlet API security: security roles and
constraints are provided in web.xml and mapped for each servlet it has.
I use JNDIRealm to authenticate users via LDAP (actually AD is used).
I want to grant access to Probe on the "Tomcat1" installation to people from
"Group1" and on "Tomcat2" to people from "Group2".
But the "manager" group is hard-coded in web.xml inside of Probe!

I want to map group "Group1" from the LDAP realm to role "manager" in
Tomcat.
How can I do that?
I can't use "security-role-ref" because I would have to put it in the
<servlet> tag, so I can't do that on the Tomcat level.
There is a "security-role-mapping" tag in some servers, but it is
proprietary and not supported by Tomcat.

So the only way for me is to extract the .war file and patch web.xml.
That is the way we do it at work. For probe, that is.

For other applications we are using different attributes in the LDAP
group objects to map to different names for the role.

Greetings
  Felix

What is the best way to solve it?

Ilya.

What would be the best way to do this on the Tomcat level? I would like
to add a simple mapping.properties to our Tomcat installations
containing the individual mappings in the form of
"security-role=jndi-role".

I see multiple options:
1. create a nestable realm to wrap around the JNDIRealm (Tomcat 7)
2. create my own realm extending JNDIRealm
3. provide a patch to JNDIRealm

Pseudo-code for overriding hasRole could look like this (Tomcat 7
signature; "mapping" holds the loaded mapping.properties):

@Override
public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
   // translate the web.xml security-role to the role name the JNDIRealm returns
   String mappedRole = mapping.getProperty(role);
   return (mappedRole != null) && super.hasRole(wrapper, principal, mappedRole);
}

I'm not sure whether it is also required to override the authenticate
methods which return the principal object.

Any recommendations?

   Stefan

I've created a bugzilla entry and attached a prototype for option 1: https://issues.apache.org/bugzilla/show_bug.cgi?id=55477

I only tested with a UserDatabaseRealm so far. I hope to find some time at work to test it with a JNDIRealm.

  Stefan
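The following is an added example, written for this page; it is not code from the thread, from the Bugzilla prototype, or from the Tomcat project. It implements option 2 from Stefan's list for the Tomcat 7 Realm API (hasRole(Wrapper, Principal, String) and startInternal()): a JNDIRealm subclass that loads a "security-role=jndi-role" properties file at startup and translates the web.xml role name to the directory group name whenever Tomcat asks the realm whether a user has a role. The class name, package, the "mappingFile" attribute, the file path and the LDAP host in the comments are this example's own choices, not anything the thread specifies.

```java
// Added example, not from the thread or from Tomcat itself.
// Package, class name and the "mappingFile" attribute are made up here.
package example.realm;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Properties;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.Wrapper;
import org.apache.catalina.realm.JNDIRealm;

/*
 * Configured like any other realm (Tomcat 7), in server.xml or in Probe's
 * context, with the usual JNDIRealm attributes plus the mapping file
 * (host name and path below are placeholders):
 *
 *   <Realm className="example.realm.RoleMappingJNDIRealm"
 *          mappingFile="${catalina.base}/conf/role-mapping.properties"
 *          connectionURL="ldap://dc.example.internal:389"
 *          ... />
 *
 * conf/role-mapping.properties on Tomcat1 ("security-role=jndi-role"):
 *   manager=Group1
 * and on Tomcat2:
 *   manager=Group2
 */
public class RoleMappingJNDIRealm extends JNDIRealm {

    private String mappingFile;
    private final Properties mapping = new Properties();

    /** Setter so the attribute can be given on the <Realm> element. */
    public void setMappingFile(String mappingFile) {
        this.mappingFile = mappingFile;
    }

    public String getMappingFile() {
        return mappingFile;
    }

    @Override
    protected void startInternal() throws LifecycleException {
        // Refuse to start rather than run with a missing or unreadable
        // mapping: a typo in the path is better caught at startup than
        // discovered when nobody (or the wrong people) can reach "manager".
        if (mappingFile == null) {
            throw new LifecycleException("mappingFile attribute is required");
        }
        try (InputStream in = new FileInputStream(mappingFile)) {
            mapping.load(in);
        } catch (IOException e) {
            throw new LifecycleException("Cannot load role mapping " + mappingFile, e);
        }
        super.startInternal();
    }

    @Override
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        // 1. Honour a <security-role-ref> alias from web.xml, as RealmBase does.
        String webRole = role;
        if (wrapper != null) {
            String alias = wrapper.findSecurityReference(role);
            if (alias != null) {
                webRole = alias;
            }
        }
        // 2. Translate the web.xml role to the directory group name. A mapping
        //    entry is authoritative: a directory group that merely happens to
        //    be called "manager" does not grant the role on this Tomcat.
        //    Roles without an entry keep the default name-equals-group rule.
        String directoryRole = mapping.getProperty(webRole, webRole);
        // 3. Check the principal's (unchanged) role list. The wrapper is passed
        //    as null so the alias lookup from step 1 is not applied twice.
        return super.hasRole(null, principal, directoryRole);
    }
}
```

The principal returned by JNDIRealm's authenticate methods is left untouched; the translation happens only when the authenticator (or a request.isUserInRole() call, which Tomcat routes through the same Realm.hasRole) consults the realm, so nothing else needs to be overridden for the web.xml constraints to work. If you want to reject every role that has no entry in the file instead of falling back to the directory group of the same name, return false when getProperty(webRole) is null.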

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org