RE: Mapping role names to groups
-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from tomcat to LDAP
>>>> groups. I found an old thread from August 2009 with the exact problem in
>>>> which Christopher Schultz recommended to write a servlet filter or valve
>>>> to do that.
>>>>
>>>> Original mail:
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schulz:
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other
>>>> solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element.
>> Therefore, it doesn't work with JSPs or filters which are not servlets.
>>
> Isn't a JSP page ultimately translated into a servlet ?

I don't know. You tell me! ;)

My knowledge is very limited and as far as I know, you can have servlets but also standalone JSP files (which still can use isUserInRole()). While adding the <security-role-ref> tag to the <servlet> element works with the servlet, it doesn't work with the standalone JSP file.

Example:

Authentication and authorization is done with LDAP. Due to company policy the admin-role must be named "company-application-admin". The application has one servlet named FooServlet and one JSP file called importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:

  <security-role>
    <description>Application admin role</description>
    <role-name>admin</role-name>
  </security-role>

Also in the web.xml the servlet is defined like this:

  <servlet>
    <servlet-name>FooServlet</servlet-name>
    <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
    </security-role-ref>
  </servlet>

Calling request.isUserInRole("admin") inside the servlet FooServlet will return "true", because of the <role-link> of the security-role-ref element inside the servlet-element. Everything works fine and as intended.

The user then opens importantLegacyJsp.jsp which also calls request.isUserInRole("admin"). Now that method will return false, because the mapping is only defined inside the servlet element.

It seems that there doesn't exist a way to make that work without creating a custom realm.

Regards
Sebastian Trost
Re: Mapping role names to groups
On 04.10.2017 10:20, Sebastian Trost wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
>
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from tomcat to LDAP
>>> groups. I found an old thread from August 2009 with the exact problem in
>>> which Christopher Schultz recommended to write a servlet filter or valve
>>> to do that.
>>>
>>> Original mail:
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schulz:
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other
>>> solution than this?
>
>> security-role-ref ?
>
> AFAIK, <security-role-ref> is only valid within the <servlet> element.
> Therefore, it doesn't work with JSPs or filters which are not servlets.

Isn't a JSP page ultimately translated into a servlet ?

> Regards
> Sebastian Trost

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Mapping role names to groups
On 04/10/17 09:20, Sebastian Trost wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
>
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from tomcat to LDAP
>>> groups. I found an old thread from August 2009 with the exact problem in
>>> which Christopher Schultz recommended to write a servlet filter or valve to
>>> do that.
>>>
>>> Original mail:
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schulz:
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other
>>> solution than this?
>
>> security-role-ref ?
>
> AFAIK, <security-role-ref> is only valid within the <servlet> element.
> Therefore, it doesn't work with JSPs or filters which are not servlets.

JSPs are still handled by a servlet so you could work around that problem.

There isn't such an easy solution available for filters.

This sort of mapping is probably something we need to think about adding to the Realm. There is this enhancement request:
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477

The code needs review but from a quick look the general approach looks good. The thing I'd want to think about is exactly how the mapping was defined. A few thoughts...

Putting it in server.xml means restarting Tomcat to change it. Putting it in a separate file removes that issue - if the ability to reload it is added.

Experience tells me multiple elements will be less hassle (i.e. less edge case bugs) than a single element with some form of special syntax.

Mark
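The Realm-level mapping Mark describes, written out as an added example (this is not Tomcat's own code and not the patch on bug 55477; the class name RoleMappingJndiRealm, its roleMappings attribute, the example.tomcat package and the LDAP settings in the comment are all assumptions). It subclasses Tomcat's JNDIRealm and overrides RealmBase.hasRole(Wrapper, Principal, String), so the translation is applied to both programmatic isUserInRole() calls (servlets, JSPs, filters and listeners alike) and to declarative <auth-constraint> checks, which is the gap Sebastian's importantLegacyJsp.jsp and Jason's filters fall into. Because the Realm element can live in a per-application context file such as conf/Catalina/localhost/app.xml, the WAR and its web.xml stay untouched.

```java
package example.tomcat; // hypothetical package for this added example

import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import org.apache.catalina.Wrapper;
import org.apache.catalina.realm.JNDIRealm;

/**
 * Hypothetical JNDIRealm that translates application role names into the
 * group names the directory actually carries.
 *
 * Example per-application configuration (assumed values), placed in
 * conf/Catalina/localhost/app.xml so the WAR is not modified:
 *
 *   <Context>
 *     <Realm className="example.tomcat.RoleMappingJndiRealm"
 *            connectionURL="ldap://ldap.example.com:389"
 *            userPattern="uid={0},ou=people,dc=example,dc=com"
 *            roleBase="ou=groups,dc=example,dc=com"
 *            roleName="cn"
 *            roleSearch="(member={0})"
 *            roleMappings="admin=company-application-admin,users=SG-FooBar-Users"/>
 *   </Context>
 */
public class RoleMappingJndiRealm extends JNDIRealm {

    /** Application role name -> directory group name. One direction only:
     *  a directory group that merely happens to be called "admin" does not
     *  satisfy the application's "admin" role unless it is mapped to. */
    private final Map<String, String> roleToGroup = new HashMap<>();

    /**
     * Bean setter picked up by Tomcat's digester for the roleMappings
     * attribute. Format: "role=group,role=group". Malformed entries fail
     * at startup instead of being silently dropped, so a typo cannot leave
     * a role unmapped without anyone noticing.
     */
    public void setRoleMappings(String spec) {
        roleToGroup.clear();
        if (spec == null || spec.trim().isEmpty()) {
            return;
        }
        for (String pair : spec.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new IllegalArgumentException("Bad roleMappings entry: '" + pair + "'");
            }
            roleToGroup.put(kv[0].trim(), kv[1].trim());
        }
    }

    /** Resolve a role name as the application uses it to the directory's name. */
    String toGroupName(Wrapper wrapper, String role) {
        // 1. Honour a <security-role-ref> declared on the calling servlet
        //    first, exactly as RealmBase.hasRole() would.
        String effective = role;
        if (wrapper != null) {
            String linked = wrapper.findSecurityReference(role);
            if (linked != null) {
                effective = linked;
            }
        }
        // 2. Then apply the container-level mapping; unmapped names pass
        //    through unchanged so existing deployments keep working.
        return roleToGroup.getOrDefault(effective, effective);
    }

    /**
     * Called by Tomcat for request.isUserInRole() and for <auth-constraint>
     * evaluation. Wrapper is passed as null to the base class because the
     * alias lookup has already been applied above.
     */
    @Override
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        return super.hasRole(null, principal, toGroupName(wrapper, role));
    }
}
```

Package the class as a jar on Tomcat's classpath ($CATALINA_BASE/lib), since a Realm is loaded by the container rather than by the web application. Changing a mapping still means reloading the context (or restarting Tomcat when the Realm is declared in server.xml), which is the reload question Mark raises.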
RE: Mapping role names to groups
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Mapping role names to groups

On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>>
>> I was looking for a way to map security role names from tomcat to LDAP
>> groups. I found an old thread from August 2009 with the exact problem in
>> which Christopher Schultz recommended to write a servlet filter or valve to
>> do that.
>>
>> Original mail:
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>> Response from Christopher Schulz:
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>
>> It has now been eight years and I'm wondering if there is still no other
>> solution than this?

> security-role-ref ?

AFAIK, <security-role-ref> is only valid within the <servlet> element.
Therefore, it doesn't work with JSPs or filters which are not servlets.

Regards
Sebastian Trost
Re: Mapping role names to groups
On 03/10/17 14:01, Sebastian Trost wrote:
> Hi!
>
> I was looking for a way to map security role names from tomcat to LDAP
> groups. I found an old thread from August 2009 with the exact problem in
> which Christopher Schultz recommended to write a servlet filter or valve to
> do that.
>
> Original mail:
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
> Response from Christopher Schulz:
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>
> It has now been eight years and I'm wondering if there is still no other
> solution than this?

security-role-ref ?

Mark
RE: Mapping role names to groups
I THINK ITS POSSIBLE.

But when you are fine with weblogic is there any specific reason to use tomcat?

-----Original Message-----
From: Jason Royals [mailto:tomcat-mailingl...@fragstealers.com]
Sent: Thursday, August 06, 2009 4:32 PM
To: users@tomcat.apache.org
Subject: Mapping role names to groups

> Hello Tomcatters,
>
> Consider the following scenario. I have a Java web application, and it is a packaged, commercial application I may not change it. In fact, I don't have the source so I couldn't even if I wanted to.
>
> The application declares two roles in web.xml - users and admins.
>
> In our corporate environment, those role names are far too generic to be group names in our LDAP repository. The groups in LDAP are called SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group names to the roles declared in the web.xml.
>
> We have this running currently on Weblogic, and to map the roles to groups, we have a Weblogic configuration as follows (in weblogic.xml)
>
>   <weblogic-web-app>
>     <security-role-assignment>
>       <role-name>users</role-name>
>       <principal-name>SG-FooBar-Users</principal-name>
>     </security-role-assignment>
>     <security-role-assignment>
>       <role-name>admins</role-name>
>       <principal-name>SG-FooBar-Admins</principal-name>
>     </security-role-assignment>
>   </weblogic-web-app>
>
> Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar features in their container-specific configurations.
>
> How can I achieve the same result in Tomcat, remembering I cannot change the application, and I cannot change the groups or the LDAP repository (which has hundreds of thousands of users and groups)?
>
> Is it even possible with Tomcat?
>
> Thanks,
> Jason
Re: Mapping role names to groups
Try adding this to web.xml (and IIUC - this is portable across all containers)

  <security-role-ref>
    <role-name>users</role-name>
    <role-link>SG-FooBar-Users</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>admins</role-name>
    <role-link>SG-FooBar-Admins</role-link>
  </security-role-ref>

-Tim

Jason Royals wrote:
> Hello Tomcatters,
>
> Consider the following scenario. I have a Java web application, and it is a packaged, commercial application I may not change it. In fact, I don't have the source so I couldn't even if I wanted to.
>
> The application declares two roles in web.xml - users and admins.
>
> In our corporate environment, those role names are far too generic to be group names in our LDAP repository. The groups in LDAP are called SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group names to the roles declared in the web.xml.
>
> We have this running currently on Weblogic, and to map the roles to groups, we have a Weblogic configuration as follows (in weblogic.xml)
>
>   <weblogic-web-app>
>     <security-role-assignment>
>       <role-name>users</role-name>
>       <principal-name>SG-FooBar-Users</principal-name>
>     </security-role-assignment>
>     <security-role-assignment>
>       <role-name>admins</role-name>
>       <principal-name>SG-FooBar-Admins</principal-name>
>     </security-role-assignment>
>   </weblogic-web-app>
>
> Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar features in their container-specific configurations.
>
> How can I achieve the same result in Tomcat, remembering I cannot change the application, and I cannot change the groups or the LDAP repository (which has hundreds of thousands of users and groups)?
>
> Is it even possible with Tomcat?
Re: Mapping role names to groups
Thanks for the advice, but I think security-role-ref is only valid within the context of a servlet element though? As such, it won't work on JSP's or other resources that might do a request.isUserInRole(admin) but are not servlets themselves (such as filters and listeners).

I'd also like to avoid changing anything in web.xml if possible. Configuring the container is fine (eg, server.xml) but messing around too much in the application WAR package could be trouble.

I have googled for this and came up with nothing useful, which surprises me given that many organisations use a centralised LDAP repository that has unfriendly group names, and we can't expect vendors to know what crazy and devilish naming schemes our internal security admins will dream up next. Hence our need to have the container perform such a group - role mapping per-application, without our application knowing about it.

The closest I could find was this:
http://marc.info/?l=tomcat-user&m=122218450926648&w=2
but it's not the happy ending I was hoping for. I was hoping for a more tomcat standard way (ala weblogic.xml or JBoss' RoleMappingLoginModule) rather than having to hack my own Realm :-)

This is just one application we're migrating off our legacy Weblogic environment and I have quite a few like it, so a non-invasive approach would be perfect if it exists.

Cheers,
Jason

On Thu, 2009-08-06 at 07:21 -0400, Tim Funk wrote:
> Try adding this to web.xml (and IIUC - this is portable across all containers)
>
>   <security-role-ref>
>     <role-name>users</role-name>
>     <role-link>SG-FooBar-Users</role-link>
>   </security-role-ref>
>   <security-role-ref>
>     <role-name>admins</role-name>
>     <role-link>SG-FooBar-Admins</role-link>
>   </security-role-ref>
>
> -Tim
>
> Jason Royals wrote:
>> Hello Tomcatters,
>>
>> Consider the following scenario. I have a Java web application, and it is a packaged, commercial application I may not change it. In fact, I don't have the source so I couldn't even if I wanted to.
>>
>> The application declares two roles in web.xml - users and admins.
>>
>> In our corporate environment, those role names are far too generic to be group names in our LDAP repository. The groups in LDAP are called SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group names to the roles declared in the web.xml.
>>
>> We have this running currently on Weblogic, and to map the roles to groups, we have a Weblogic configuration as follows (in weblogic.xml)
>>
>>   <weblogic-web-app>
>>     <security-role-assignment>
>>       <role-name>users</role-name>
>>       <principal-name>SG-FooBar-Users</principal-name>
>>     </security-role-assignment>
>>     <security-role-assignment>
>>       <role-name>admins</role-name>
>>       <principal-name>SG-FooBar-Admins</principal-name>
>>     </security-role-assignment>
>>   </weblogic-web-app>
>>
>> Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar features in their container-specific configurations.
>>
>> How can I achieve the same result in Tomcat, remembering I cannot change the application, and I cannot change the groups or the LDAP repository (which has hundreds of thousands of users and groups)?
>>
>> Is it even possible with Tomcat?
Re: Mapping role names to groups
Jason Royals wrote:
> Thanks for the advice, but I think security-role-ref is only valid within the context of a servlet element though?

I have not checked, but are you sure ? Is it not at the level of the web-app ? If so, it would apply to everything belonging to that webapp, whether filters, servlets, jsp's, whatnot.
Re: Mapping role names to groups
André Warnier wrote:
> Jason Royals wrote:
>> Thanks for the advice, but I think security-role-ref is only valid within the context of a servlet element though?
>
> I have not checked, but are you sure ? Is it not at the level of the web-app ? If so, it would apply to everything belonging to that webapp, whether filters, servlets, jsp's, whatnot.

Now I have checked..

More precisely, it seems from the Servlet Spec, that all which concerns AAA applies in fact to URLs and/or methods. It seems thus definitely independent from servlets, filters, jsps etc..

Now since these constraints are defined within a context's deployment descriptor (web.xml), I would imagine that whatever URL's are specified in the security section apply within the context of that webapp. If you get what I mean.

Note that the above is basically a personal exercise in comprehending the Servlet Spec, so it would not be bad if one of the gurus commented on this..
Re: Mapping role names to groups
Yep, well according to the XSD that I'm using
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd
but also
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd,
security-role-ref can only appear within a servlet definition. It could certainly help if it was directly under web-app, but it ain't allowed so therefore its usefulness is limited :-(

Cheers,
Jason

On Thu, 2009-08-06 at 14:40 +0200, André Warnier wrote:
> Jason Royals wrote:
>> Thanks for the advice, but I think security-role-ref is only valid within the context of a servlet element though?
>
> I have not checked, but are you sure ? Is it not at the level of the web-app ? If so, it would apply to everything belonging to that webapp, whether filters, servlets, jsp's, whatnot.
RE: Mapping role names to groups
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Mapping role names to groups
>
> More precisely, it seems from the Servlet Spec, that all which concerns AAA applies in fact to URLs and/or methods. It seems thus definitely independent from servlets, filters, jsps etc..

Except for this one security-related element, which is specific to a servlet declaration, and therefore, as Jason says, limited in its usefulness. Also, it applies to programmatic, not declarative, security, so I suspect that Tomcat ignores any security-role-ref mappings unless there are explicit isUserInRole() calls from the servlet.

Curiously enough, there are addRoleMapping() and findRoleMapping() methods in Tomcat's StandardContext class, and these appear to do exactly what Jason wants - except I can't find any code that calls them.

- Chuck
Re: Mapping role names to groups
Jason,

On 8/6/2009 8:33 AM, Jason Royals wrote:
> Thanks for the advice, but I think security-role-ref is only valid within the context of a servlet element though? As such, it won't work on JSP's or other resources that might do a request.isUserInRole(admin) but are not servlets themselves (such as filters and listeners).

You might be able to get away with re-defining the JSP Servlet and including the security-role-ref, but you're right: that won't cover filters or listeners. It's a shame the spec is written in this way.

As for André's comment about the top-levelness of security-role-ref, Chuck points out that it's servlet-specific, but does not say where that is defined. I found it very quickly by looking at the 2.3 servlet DTD (http://java.sun.com/dtd/web-app_2_3.dtd) which contains this documentation:

  <!--
  The security-role-ref element contains the declaration of a security
  role reference in the web application's code. The declaration consists
  of an optional description, the security role name used in the code,
  and an optional link to a security role. If the security role is not
  specified, the Deployer must choose an appropriate security role.

  The value of the role-name element must be the String used as the
  parameter to the EJBContext.isCallerInRole(String roleName) method
  or the HttpServletRequest.isUserInRole(String role) method.

  Used in: servlet
  -->
  <!ELEMENT security-role-ref (description?, role-name, role-link?)>

Searching for actual uses of security-role-ref confirms that it is only valid within a servlet element. :(

> I'd also like to avoid changing anything in web.xml if possible. Configuring the container is fine (eg, server.xml) but messing around too much in the application WAR package could be trouble.

I know you mentioned you don't want to mess around with web.xml but I think you'll probably have to do it.

If you're willing to do that, you could write a filter that wraps the request and overrides isUserInRole to provide a look-up-table of mapped group names. Something like this:

  import java.io.IOException;
  import java.util.Map;

  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletRequestWrapper;

  public class GroupRenamingFilter implements Filter {
      // application role name -> group name the realm knows about
      private Map<String, String> roleNameMap; /* fill this yourself */

      public void init(FilterConfig config) throws ServletException { }

      public void destroy() { }

      public void doFilter(ServletRequest request, ServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
          // only HTTP requests carry roles; wrap those and pass the rest through
          if (request instanceof HttpServletRequest)
              request = new GroupRenamingRequest((HttpServletRequest) request);
          chain.doFilter(request, response);
      }

      private class GroupRenamingRequest extends HttpServletRequestWrapper {
          public GroupRenamingRequest(HttpServletRequest wrapped) {
              super(wrapped);
          }

          // translate the role name the application asks about, then defer
          // to the container's own check with the translated name
          public boolean isUserInRole(String roleName) {
              String realRoleName = roleNameMap.get(roleName);
              if (null == realRoleName)
                  realRoleName = roleName; // not sure what to do, here
              return super.isUserInRole(realRoleName);
          }
      }
  }

Now that I've written it, I think you'll need to implement this as a Valve that is invoked /before/ Tomcat's authorization code runs (which may not be possible?).

On the other hand, what's wrong with a search-and-replace within the web.xml to change the names of the security-role names to those you actually use instead of the more generic users and admins?

-chris