Thanks for the advice, but I think <security-role-ref> is only valid within the context of a <servlet> element though? As such, it won't work on JSPs or other resources that might do a request.isUserInRole("admin") but are not servlets themselves (such as filters and listeners). I'd also like to avoid changing anything in web.xml if possible. Configuring the container is fine (e.g., server.xml), but messing around too much in the application WAR package could be trouble.
I have googled for this and came up with nothing useful, which surprises me given that many organisations use a centralised LDAP repository that has unfriendly group names, and we can't expect vendors to know what crazy and devilish naming schemes our internal security admins will dream up next. Hence our need to have the container perform such a group -> role mapping per-application, without our application knowing about it.

The closest I could find was this: http://marc.info/?l=tomcat-user&m=122218450926648&w=2 but it's not the happy ending I was hoping for. I was hoping for a more Tomcat-standard way (à la weblogic.xml or JBoss' RoleMappingLoginModule) rather than having to hack my own Realm :-)

This is just one application we're migrating off our legacy Weblogic environment and I have quite a few like it, so a non-invasive approach would be perfect if it exists.

Cheers,
Jason

On Thu, 2009-08-06 at 07:21 -0400, Tim Funk wrote:
> Try adding this to web.xml (and IIUC - this is portable across all
> containers)
>
> <security-role-ref>
>   <role-name>users</role-name>
>   <role-link>SG-FooBar-Users</role-link>
> </security-role-ref>
> <security-role-ref>
>   <role-name>admins</role-name>
>   <role-link>SG-FooBar-Admins</role-link>
> </security-role-ref>
>
> -Tim
>
> Jason Royals wrote:
> > Hello Tomcatters,
> >
> > Consider the following scenario. I have a Java web application, and it
> > is a packaged, commercial application I may not change. In fact, I
> > don't have the source so I couldn't even if I wanted to.
> >
> > The application declares two roles in web.xml - "users" and "admins". In
> > our corporate environment, those role names are far too generic to be
> > group names in our LDAP repository. The groups in LDAP are called
> > SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
> > names to the roles declared in the web.xml.
> >
> > We have this running currently on Weblogic, and to map the roles to
> > groups, we have a Weblogic configuration as follows (in weblogic.xml):
> >
> > <weblogic-web-app>
> > ....
> >   <security-role-assignment>
> >     <role-name>users</role-name>
> >     <principal-name>SG-FooBar-Users</principal-name>
> >   </security-role-assignment>
> >   <security-role-assignment>
> >     <role-name>admins</role-name>
> >     <principal-name>SG-FooBar-Admins</principal-name>
> >   </security-role-assignment>
> > ....
> > </weblogic-web-app>
> >
> > Websphere, JBoss, Geronimo, Glassfish etc. all seem to offer similar
> > features in their container-specific configurations.
> >
> > How can I achieve the same result in Tomcat, remembering I cannot change
> > the application, and I cannot change the groups or the LDAP repository
> > (which has hundreds of thousands of users and groups)? Is it even
> > possible with Tomcat?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
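The "hack my own Realm" route the reply mentions as the only option it could find, written out as an added example (this is not code from the thread, from Tomcat, or from any of the posters): a Realm subclass that translates the role names the application declares in web.xml into the real LDAP group names inside the container, so neither web.xml nor the WAR is touched. It assumes the Tomcat 6 Realm API that was current when the thread was written (RealmBase declares hasRole(Principal, String); Tomcat 7 and later add a Wrapper as an extra first parameter), JNDIRealm as the base class, and a hypothetical roleMapping attribute plus hypothetical package and class names.

```java
// Added example, not part of the thread. Assumes Tomcat 6's Realm API
// (RealmBase.hasRole(Principal, String)); Tomcat 7+ adds a Wrapper
// parameter. Package, class and the roleMapping attribute are hypothetical.
package example.tomcat.realm;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.catalina.realm.JNDIRealm;

/**
 * A JNDIRealm that answers "is this user in application role X?" by checking
 * membership of the LDAP group configured for X, the same idea as WebLogic's
 * security-role-assignment but done in server.xml / context.xml.
 */
public class RoleMappingJNDIRealm extends JNDIRealm {

    /** Application role name -> LDAP group name. */
    private final Map<String, String> roleToGroup = new HashMap<String, String>();

    /**
     * Tomcat's digester copies every attribute of the <Realm> element onto a
     * setter of the same name, so this is populated from, e.g.
     *   roleMapping="users=SG-FooBar-Users,admins=SG-FooBar-Admins"
     */
    public void setRoleMapping(String spec) {
        roleToGroup.clear();
        if (spec == null || spec.trim().length() == 0) {
            return;
        }
        for (String pair : spec.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2 || kv[0].trim().length() == 0 || kv[1].trim().length() == 0) {
                // Fail the Realm start rather than silently dropping an entry: a
                // missing entry would leave that role resolving to its literal
                // name, which is exactly the behaviour the mapping exists to avoid.
                throw new IllegalArgumentException("Bad roleMapping entry: " + pair);
            }
            roleToGroup.put(kv[0].trim(), kv[1].trim());
        }
    }

    /**
     * Tomcat calls this both when enforcing an <auth-constraint> and when the
     * application (servlet, JSP, filter or listener) calls
     * request.isUserInRole(), so one override covers both paths.
     *
     * A mapped role is checked ONLY as its LDAP group. It deliberately does not
     * fall back to the literal role name, so an unrelated directory group that
     * happens to be called "admins" cannot satisfy the application's "admins".
     */
    @Override
    public boolean hasRole(Principal principal, String role) {
        String group = roleToGroup.get(role);
        if (group != null) {
            return super.hasRole(principal, group);
        }
        // Unmapped roles keep the stock behaviour: role name == group name.
        return super.hasRole(principal, role);
    }

    /** Read-only view of the active mapping, for diagnostics. */
    public Map<String, String> getRoleToGroup() {
        return Collections.unmodifiableMap(roleToGroup);
    }
}
```

It is configured like any other Realm: a <Realm> element in the application's context.xml (or under the Engine/Host in server.xml) with className pointing at this class, the usual JNDIRealm connection and search attributes, and the roleMapping string; Tomcat fills the attribute through the setter with no web.xml change. Because hasRole is the single point at which Tomcat evaluates both container security constraints and isUserInRole, the mapping also covers the JSPs, filters and listeners that the reply notes <security-role-ref> cannot reach.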