2015-12-05 12:18 GMT+03:00 Marco Pizzoli <marco.pizz...@gmail.com>:
> Hi list,
> I am fighting against a 3rd party application composed of 2 webapps.
>
> The first is supposed to present a login form and once authenticated you
> are presented with the application frontend.
> Behind the lines it is connecting (through localhost) to a second one that
> is presenting the same security configuration.
> In short, the same username/role are authorized for the second application
> as well.
What do you mean by "connecting"?

A cross-context Servlet API call (getContext(String name)), and the first
application has crossContext="true" on its Context element [1]?

A network connection to 127.0.0.1 ?

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/context.html

> In the original setup everything works fine with the memoryRealm, so just
> populating the tomcat-users.xml file.
> Problems arose when I switched to leverage JNDIRealm (LDAP): it is not
> working anymore.
> I easily managed to get the first app to authenticate against LDAP,
> validating a specific LDAP group, but eventually the app gets 403 in
> accessing the second one.
>
> Of course I already tried the same security-role / security-constraint in
> both the web.xml.
>
> Do you know if it is a known problem in "sharing" a security mechanism
> between webapps running on the same Tomcat?
> I am running Tomcat 7.0.64.
>
> I did not find a way to debug the security-constraint/security-role stuff.
> If you could just advise what to enable to have a deeper insight... that
> would be invaluable!

The constraints and roles check is performed by an Authenticator valve [2].
There are several kinds of them - one is selected based on your login
configuration. The base operations are common between them, implemented
in a base class (org.apache.catalina.authenticator.BasicAuthenticator).

A Realm is called to perform password checks etc., but see also its
common class (RealmBase) with methods such as
RealmBase.findSecurityConstraints(..), hasResourcePermission(), ...

[2] http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Authentication

Best regards,
Konstantin Kolinko
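A concrete Tomcat 7 layout for the setup Marco describes, added here as an illustration that is not from either message in the thread: the JNDIRealm is nested in the Engine rather than in one webapp's Context, so both webapps consult the same directory, and the role-name in each web.xml matches the LDAP group attribute the realm returns as the role. The LDAP URL, base DNs and the group name app-users are assumed placeholders.

```xml
<!-- conf/server.xml: one Realm on the Engine (not inside either Context),
     so both webapps share the same user and role lookups.
     Assumed values: LDAP URL, base DNs and the group cn "app-users". -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.internal:389"
         userPattern="uid={0},ou=people,dc=example,dc=internal"
         roleBase="ou=groups,dc=example,dc=internal"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
  <!-- Host elements unchanged -->
</Engine>

<!-- WEB-INF/web.xml, identical in BOTH webapps: the role-name must equal the
     group's cn value that JNDIRealm returns because roleName="cn". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-users</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>app-users</role-name>
</security-role>
```

To see the constraint and role checks Konstantin points at, conf/logging.properties can raise the loggers org.apache.catalina.realm and org.apache.catalina.authenticator to FINE (java.util.logging syntax, e.g. org.apache.catalina.realm.level = FINE), which is an assumption about where the relevant debug output lands rather than advice from the thread.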