On 18/07/17 17:41, Alex O'Ree wrote:
> Alright, quick update on this.
> 
> At this point, I have servlet context and a username running off the
> main tomcat http threads (quartz job)
> 
>> StandardContext tomcat; // loaded via reflection from the ApplicationContext
>> // behind the ServletContext (an ApplicationContextFacade)
>> Realm realm = tomcat.getRealm();
> 
> At this point, realm is a LockoutRealm that contains two child realms,
> the JNDI Realm and the standard UserDatabaseRealm
> 
>> Principal user = realm.authenticate(username);
> 
> At this point, the user object is populated and appears to have the
> roles attached to it (they are listed in the toString method).
> 
>> realm.hasRole(new StandardWrapper(), user, role);
> 
> This part returns false if and only if the LDAP membership matches
> exactly. Mapped roles via servlet/security-role-ref/role-link and
> role-name do not appear to be in effect.
> 
> I think this may have something to do with the Principal object not
> having a login context. Normally, this is available via a servlet, but
> here it is not.
> 
> I think the root cause might be this line.
> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
> 
> Which probably does the translation from the LDAP defined group or
> role into what the application is expecting. Am I on the right path
> here?

Yes. If you check auth outside of a Servlet, the role mappings for the
Servlet won't apply. If you know which servlet to use for the role
mappings you can get that from the Context (Wrappers represent Servlets
and are children of the Context).

Mark
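A worked version of what Mark describes, added here as an illustration and not code from the thread or from Tomcat itself: resolve the Wrapper for a named servlet from the Context and hand that Wrapper to hasRole(), so the servlet's security-role-ref/role-link mapping is applied exactly as it would be for a request. A detached `new StandardWrapper()` carries no security references, which is why mapped names never matched. The servlet name "ReportServlet", the role "reports" and the job entry point are placeholders; the authenticate(username) call follows the original post.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;

/**
 * Role checks from a non-request thread (e.g. a Quartz job) that still honour
 * the per-servlet security-role-ref mappings from web.xml.
 *
 * Assumes the caller already holds the Catalina Context (the poster obtained it
 * by reflection from the ServletContext); nothing here depends on a request.
 */
public final class ServletScopedRoleCheck {

    private ServletScopedRoleCheck() {
    }

    /** Names of all servlets deployed in the context (its Wrapper children). */
    public static List<String> servletNames(Context context) {
        List<String> names = new ArrayList<String>();
        for (Container child : context.findChildren()) {
            if (child instanceof Wrapper) {
                names.add(child.getName());
            }
        }
        return names;
    }

    /** The Wrapper for a servlet-name from web.xml, or null if not deployed. */
    public static Wrapper findWrapper(Context context, String servletName) {
        Container child = context.findChild(servletName);
        return (child instanceof Wrapper) ? (Wrapper) child : null;
    }

    /**
     * The role name the realm will actually test for the given servlet:
     * a security-role-ref role-name is translated to its role-link; a name
     * with no reference is used as-is. A detached "new StandardWrapper()"
     * has no references at all, so mapped names fall through unchanged.
     */
    public static String effectiveRole(Wrapper wrapper, String role) {
        String linked = wrapper.findSecurityReference(role);
        return linked != null ? linked : role;
    }

    /**
     * Same decision the container makes for a request routed to servletName.
     * Realm.hasRole(Wrapper, Principal, String) applies the wrapper's security
     * references itself; the only job here is to pass the right Wrapper.
     */
    public static boolean hasRoleAsServlet(Context context, String servletName,
            Principal user, String role) {
        Wrapper wrapper = findWrapper(context, servletName);
        if (wrapper == null) {
            throw new IllegalArgumentException("no servlet named '" + servletName
                    + "' in " + context.getName() + "; deployed: " + servletNames(context));
        }
        Realm realm = context.getRealm(); // the LockOutRealm wrapping JNDI + UserDatabase
        return realm.hasRole(wrapper, user, role);
    }

    /**
     * Example call from a scheduled job. "ReportServlet" and "reports" are
     * placeholders for this illustration, not names from the thread.
     */
    public static boolean exampleFromJob(Context context, String username) {
        Realm realm = context.getRealm();
        Principal user = realm.authenticate(username); // as in the original post
        if (user == null) {
            return false; // unknown user, or currently locked out by the LockOutRealm
        }
        return hasRoleAsServlet(context, "ReportServlet", user, "reports");
    }
}
```

If the job does not know which servlet's mappings should govern the check, servletNames() lists the candidates; effectiveRole() is useful when debugging, because it shows the name the realm will compare against the LDAP group list before the GenericPrincipal is consulted.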
