RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from tomcat to LDAP 
>>>> groups. I found an old thread from August 2009 with the exact problem in 
>>>> which Christopher Schultz recommended to write a servlet filter or valve 
>>>> to do that.
>>>>
>>>> Original mail: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schulz: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other 
>>>> solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element. 
>> Therefore, it doesn't work with JSPs or filters which are not servlets.
>>

> Isn't a JSP page ultimately translated into a servlet ?


I don't know. You tell me! ;)
My knowledge is very limited and as far as I know, you can have servlets but 
also standalone JSP files (which still can use isUserInRole()). While adding 
the <security-role-ref> tag to the <servlet> element works with the servlet, it 
doesn't work with the standalone JSP file. 

Example:

Authentication and authorization is done with LDAP.
Due to company policy the admin-role must be named "company-application-admin". 
The application has one servlet named FooServlet and one JSP file called 
importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:

<security-role>
   <description>Application admin role</description>
   <role-name>admin</role-name>
</security-role>

Also in the web.xml the servlet is defined like this:

<servlet>
   <servlet-name>FooServlet</servlet-name>
   <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
   <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>


Calling request.isUserInRole("admin") inside the servlet FooServlet will return 
"true", because of the security-role-ref element inside the 
servlet element. Everything works fine and as intended. The user then opens 
importantLegacyJsp.jsp which also calls request.isUserInRole("admin"). Now that 
method will return false, because the mapping is only defined inside the 
servlet element. 

It seems that there doesn't exist a way to make that work without creating a 
custom realm. 

Regards
Sebastian Trost




Re: Mapping role names to groups

2017-10-04 Thread tomcat

On 04.10.2017 10:20, Sebastian Trost wrote:

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Mapping role names to groups

On 03/10/17 14:01, Sebastian Trost wrote:

Hi!

I was looking for a way to map security role names from tomcat to LDAP groups. 
I found an old thread from August 2009 with the exact problem in which 
Christopher Schultz recommended to write a servlet filter or valve to do that.

Original mail: 
http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
Response from Christopher Schulz: 
http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E

It has now been eight years and I'm wondering if there is still no other 
solution than this?



security-role-ref ?


AFAIK, <security-role-ref> is only valid within the <servlet> element. 
Therefore, it doesn't work with JSPs or filters which are not servlets.



Isn't a JSP page ultimately translated into a servlet ?



Regards
Sebastian Trost

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: Mapping role names to groups

2017-10-04 Thread Mark Thomas
On 04/10/17 09:20, Sebastian Trost wrote:
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Mapping role names to groups
> 
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was looking for a way to map security role names from tomcat to LDAP 
>>> groups. I found an old thread from August 2009 with the exact problem in 
>>> which Christopher Schultz recommended to write a servlet filter or valve to 
>>> do that. 
>>>
>>> Original mail: 
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>> Response from Christopher Schulz: 
>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>
>>> It has now been eight years and I'm wondering if there is still no other 
>>> solution than this?
> 
>> security-role-ref ?
> 
> AFAIK, <security-role-ref> is only valid within the <servlet> element. 
> Therefore, it doesn't work with JSPs or filters which are not servlets.

JSPs are still handled by a servlet so you could work around that
problem. There isn't such an easy solution available for filters.

This sort of mapping is probably something we need to think about adding
to the Realm.

There is this enhancement request:
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477

The code needs review but from a quick look the general approach looks
good. The thing I'd want to think about is exactly how the mapping was
defined. A few thoughts...

Putting it in server.xml means restarting Tomcat to change it. Putting
it in a separate file removes that issue - if the ability to reload it
is added.

Experience tells me multiple elements will be less hassle (i.e. less
edge case bugs) than a single element with some form of special syntax.

Mark

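
As an added illustration (not part of the thread), the workaround Mark describes for JSPs: every JSP in a webapp runs through Tomcat's JSP servlet, so redeclaring that servlet in the application's web.xml with a security-role-ref lets request.isUserInRole("admin") in a page like Sebastian's importantLegacyJsp.jsp resolve to the LDAP group name. It assumes Tomcat's default servlet name "jsp" and class org.apache.jasper.servlet.JspServlet from conf/web.xml; filters and listeners are still not covered, as Mark says.

```xml
<!-- Added example, not from the thread. Assumes the JSP servlet is named
     "jsp" and implemented by org.apache.jasper.servlet.JspServlet, as in
     Tomcat's conf/web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- The role name the (unchangeable) application code asks about. -->
  <security-role>
    <description>Application admin role</description>
    <role-name>admin</role-name>
  </security-role>

  <!-- The application's own servlet: the mapping works here, as shown above. -->
  <servlet>
    <servlet-name>FooServlet</servlet-name>
    <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
    </security-role-ref>
  </servlet>

  <!-- Redeclaration of the container's JSP servlet under the same name.
       importantLegacyJsp.jsp is executed by this servlet, so its
       isUserInRole("admin") call is resolved through this role-link. -->
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
    </security-role-ref>
  </servlet>

  <!-- The *.jsp servlet-mapping is inherited from conf/web.xml. A
       security-constraint whose auth-constraint names "admin" is NOT
       affected: role-link only applies to programmatic isUserInRole()
       checks, which is the limitation Chuck points out in the 2009 part
       of this thread. -->
</web-app>
```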



RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Mapping role names to groups

On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>> 
>> I was looking for a way to map security role names from tomcat to LDAP 
>> groups. I found an old thread from August 2009 with the exact problem in 
>> which Christopher Schultz recommended to write a servlet filter or valve to 
>> do that. 
>> 
>> Original mail: 
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>> Response from Christopher Schulz: 
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>> 
>> It has now been eight years and I'm wondering if there is still no other 
>> solution than this?

> security-role-ref ?

AFAIK, <security-role-ref> is only valid within the <servlet> element. 
Therefore, it doesn't work with JSPs or filters which are not servlets. 

Regards
Sebastian Trost




Re: Mapping role names to groups

2017-10-03 Thread Mark Thomas
On 03/10/17 14:01, Sebastian Trost wrote:
> Hi!
> 
> I was looking for a way to map security role names from tomcat to LDAP 
> groups. I found an old thread from August 2009 with the exact problem in 
> which Christopher Schultz recommended to write a servlet filter or valve to 
> do that. 
> 
> Original mail: 
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
> Response from Christopher Schulz: 
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
> 
> It has now been eight years and I'm wondering if there is still no other 
> solution than this?

security-role-ref ?

Mark




RE: Mapping role names to groups

2009-08-06 Thread Mohamed Shah
I THINK IT'S POSSIBLE. But when you are fine with weblogic is there any specific 
reason to use tomcat?

-Original Message-
From: Jason Royals [mailto:tomcat-mailingl...@fragstealers.com] 
Sent: Thursday, August 06, 2009 4:32 PM
To: users@tomcat.apache.org
Subject: Mapping role names to groups

Hello Tomcatters,

Consider the following scenario. I have a Java web application, and it
is a packaged, commercial application I may not change it. In fact, I
don't have the source so I couldn't even if I wanted to.

The application declares two roles in web.xml - users and admins. In
our corporate environment, those role names are far too generic to be
group names in our LDAP repository.  The groups in LDAP are called
SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
names to the roles declared in the web.xml.

We have this running currently on Weblogic, and to map the roles to
groups, we have a Weblogic configuration as follows (in weblogic.xml)

<weblogic-web-app>

<security-role-assignment>
 <role-name>users</role-name>
 <principal-name>SG-FooBar-Users</principal-name>
</security-role-assignment>
<security-role-assignment>
 <role-name>admins</role-name>
 <principal-name>SG-FooBar-Admins</principal-name>
</security-role-assignment>

</weblogic-web-app>

Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
features in their container-specific configurations.

How can I achieve the same result in Tomcat, remembering I cannot change
the application, and I cannot change the groups or the LDAP repository
(which has hundreds of thousands of users and groups)?  Is it even
possible with Tomcat?

Thanks,
Jason







Re: Mapping role names to groups

2009-08-06 Thread Tim Funk
Try adding this to web.xml (and IIUC - this is portable across all 
containers)


<security-role-ref>
<role-name>users</role-name>
<role-link>SG-FooBar-Users</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admins</role-name>
<role-link>SG-FooBar-Admins</role-link>
</security-role-ref>


-Tim


Jason Royals wrote:

Hello Tomcatters,

Consider the following scenario. I have a Java web application, and it
is a packaged, commercial application I may not change it. In fact, I
don't have the source so I couldn't even if I wanted to.

The application declares two roles in web.xml - users and admins. In
our corporate environment, those role names are far too generic to be
group names in our LDAP repository.  The groups in LDAP are called
SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
names to the roles declared in the web.xml.

We have this running currently on Weblogic, and to map the roles to
groups, we have a Weblogic configuration as follows (in weblogic.xml)

<weblogic-web-app>

<security-role-assignment>
 <role-name>users</role-name>
 <principal-name>SG-FooBar-Users</principal-name>
</security-role-assignment>
<security-role-assignment>
 <role-name>admins</role-name>
 <principal-name>SG-FooBar-Admins</principal-name>
</security-role-assignment>

</weblogic-web-app>

Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
features in their container-specific configurations.

How can I achieve the same result in Tomcat, remembering I cannot change
the application, and I cannot change the groups or the LDAP repository
(which has hundreds of thousands of users and groups)?  Is it even
possible with Tomcat?







Re: Mapping role names to groups

2009-08-06 Thread Jason Royals
Thanks for the advice, but I think security-role-ref is only valid
within the context of a servlet element though? As such, it won't work
on JSPs or other resources that might do a
request.isUserInRole(admin) but are not servlets themselves (such as
filters and listeners). I'd also like to avoid changing anything in
web.xml if possible. Configuring the container is fine (e.g., server.xml)
but messing around too much in the application WAR package could be
trouble.

I have googled for this and came up with nothing useful, which surprises
me given that many organisations use a centralised LDAP repository that
has unfriendly group names, and we can't expect vendors to know what
crazy and devilish naming schemes our internal security admins will
dream up next. Hence our need to have the container perform such a group
- role mapping per-application, without our application knowing about
it.

The closest I could find was this:
http://marc.info/?l=tomcat-user&m=122218450926648&w=2 but it's not the
happy ending I was hoping for. I was hoping for a more tomcat standard
way (a la weblogic.xml or JBoss' RoleMappingLoginModule) rather than
having to hack my own Realm :-)

This is just one application we're migrating off our legacy Weblogic
environment and I have quite a few like it, so a non-invasive approach
would be perfect if it exists.

Cheers,
Jason

On Thu, 2009-08-06 at 07:21 -0400, Tim Funk wrote:
 Try adding this to web.xml (and IIUC - this is portable across all 
 containers)
 
 <security-role-ref>
  <role-name>users</role-name>
  <role-link>SG-FooBar-Users</role-link>
 </security-role-ref>
 <security-role-ref>
  <role-name>admins</role-name>
  <role-link>SG-FooBar-Admins</role-link>
 </security-role-ref>
 
 
 -Tim
 
 
 Jason Royals wrote:
  Hello Tomcatters,
  
  Consider the following scenario. I have a Java web application, and it
  is a packaged, commercial application I may not change it. In fact, I
  don't have the source so I couldn't even if I wanted to.
  
  The application declares two roles in web.xml - users and admins. In
  our corporate environment, those role names are far too generic to be
  group names in our LDAP repository.  The groups in LDAP are called
  SG-FooBar-Users and SG-FooBar-Admins. We expect to map these real group
  names to the roles declared in the web.xml.
  
  We have this running currently on Weblogic, and to map the roles to
  groups, we have a Weblogic configuration as follows (in weblogic.xml)
  
  <weblogic-web-app>
  
  <security-role-assignment>
   <role-name>users</role-name>
   <principal-name>SG-FooBar-Users</principal-name>
  </security-role-assignment>
  <security-role-assignment>
   <role-name>admins</role-name>
   <principal-name>SG-FooBar-Admins</principal-name>
  </security-role-assignment>
  
  </weblogic-web-app>
  
  Websphere, JBoss, Geronimo, Glassfish etc all seem to offer similar
  features in their container-specific configurations.
  
  How can I achieve the same result in Tomcat, remembering I cannot change
  the application, and I cannot change the groups or the LDAP repository
  (which has hundreds of thousands of users and groups)?  Is it even
  possible with Tomcat?
  
 
 





Re: Mapping role names to groups

2009-08-06 Thread André Warnier

Jason Royals wrote:

Thanks for the advice, but I think security-role-ref is only valid
within the context of a servlet element though? 


I have not checked, but are you sure ?  Is it not at the level of the 
web-app ?  If so, it would apply to everything belonging to that webapp, 
whether filters, servlets, jsp's, whatnot.





Re: Mapping role names to groups

2009-08-06 Thread André Warnier

André Warnier wrote:

Jason Royals wrote:

Thanks for the advice, but I think security-role-ref is only valid
within the context of a servlet element though? 


I have not checked, but are you sure ?  Is it not at the level of the 
web-app ?  If so, it would apply to everything belonging to that webapp, 
whether filters, servlets, jsp's, whatnot.



Now I have checked..
More precisely, it seems from the Servlet Spec, that all which concerns 
AAA applies in fact to URLs and/or methods.  It seems thus 
definitely independent from servlets, filters, jsps etc..
Now since these constraints are defined within a context's deployment 
descriptor (web.xml), I would imagine that whatever URL's are specified 
in the security section apply within the context of that webapp.

If you get what I mean.

Note that the above is basically a personal exercise in comprehending 
the Servlet Spec, so it would not be bad if one of the gurus commented 
on this..






Re: Mapping role names to groups

2009-08-06 Thread Jason Royals
Yep, well according to the XSD that I'm using
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd but also
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd, security-role-ref
can only appear within a servlet definition. It could certainly help
if it was directly under web-app, but it ain't allowed so therefore its
usefulness is limited :-(

Cheers,
Jason

On Thu, 2009-08-06 at 14:40 +0200, André Warnier wrote:
 Jason Royals wrote:
  Thanks for the advice, but I think security-role-ref is only valid
  within the context of a servlet element though? 
 
 I have not checked, but are you sure ?  Is it not at the level of the 
 web-app ?  If so, it would apply to everything belonging to that webapp, 
 whether filters, servlets, jsp's, whatnot.
 
 





RE: Mapping role names to groups

2009-08-06 Thread Caldarale, Charles R
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Mapping role names to groups
 
 More precisely, it seems from the Servlet Spec, that all which concerns
 AAA applies in fact to URLs and/or methods.  It seems thus
 definitely independent from servlets, filters, jsps etc..

Except for this one security-related element, which is specific to a servlet 
declaration, and therefore, as Jason says, limited in its usefulness.  Also, it 
applies to programmatic, not declarative, security, so I suspect that Tomcat 
ignores any security-role-ref mappings unless there are explicit isUserInRole() 
calls from the servlet.

Curiously enough, there are addRoleMapping() and findRoleMapping() methods in 
Tomcat's StandardContext class, and these appear to do exactly what Jason wants 
- except I can't find any code that calls them.

 - Chuck







Re: Mapping role names to groups

2009-08-06 Thread Christopher Schultz
Jason,

On 8/6/2009 8:33 AM, Jason Royals wrote:
 Thanks for the advice, but I think security-role-ref is only valid
 within the context of a servlet element though? As such, it wont work
 on JSP's or other resources that might do a
 request.isUserInRole(admin) but are not servlets themselves (such as
 filters and listeners).

You might be able to get away with re-defining the JSP Servlet and
including the security-role-ref, but you're right: that won't cover
filters or listeners. It's a shame the spec is written in this way.

As for André's comment about the top-levelness of security-role-ref,
Chuck points out that it's servlet-specific, but does not say where
that is defined. I found it very quickly by looking at the 2.3 servlet
DTD (http://java.sun.com/dtd/web-app_2_3.dtd) which contains this
documentation:


<!--
The security-role-ref element contains the declaration of a security
role reference in the web application's code. The declaration consists
of an optional description, the security role name used in the code,
and an optional link to a security role. If the security role is not
specified, the Deployer must choose an appropriate security role.

The value of the role-name element must be the String used as the
parameter to the EJBContext.isCallerInRole(String roleName) method
or the HttpServletRequest.isUserInRole(String role) method.

Used in: servlet

-->
<!ELEMENT security-role-ref (description?, role-name, role-link?)>


Searching for actual uses of security-role-ref confirms that it is only
valid within a servlet element. :(

 I'd also like to avoid changing anything in
 web.xml if possible. Configuring the container is fine (eg, server.xml)
 but messing around too much in the application WAR package could be
 trouble.

I know you mentioned you don't want to mess around with web.xml but I
think you'll probably have to do it. If you're willing to do that, you
could write a filter that wraps the request and overrides isUserInRole
to provide a look-up-table of mapped group names. Something like this:

import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class GroupRenamingFilter
   implements Filter
{
   /* application role name -> real group name the Realm knows;
      fill this yourself (e.g. from filter init-params in init()) */
   private Map<String, String> roleNameMap;

   public void init(FilterConfig config) throws ServletException
   {
      // populate roleNameMap here
   }

   public void destroy()
   {
   }

   public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain)
      throws IOException, ServletException
   {
      // only HTTP requests carry roles; wrap them so isUserInRole() is translated
      if(request instanceof HttpServletRequest)
         request = new GroupRenamingRequest((HttpServletRequest)request);

      chain.doFilter(request, response);
   }

   private class GroupRenamingRequest
      extends HttpServletRequestWrapper
   {
      public GroupRenamingRequest(HttpServletRequest wrapped)
      {
         super(wrapped);
      }

      /* translate the role name the application asks about into the
         group name the Realm actually returns, then ask the real request */
      @Override
      public boolean isUserInRole(String roleName)
      {
         String realRoleName = roleNameMap.get(roleName);

         if(null == realRoleName)
            realRoleName = roleName; // not sure what to do, here

         return super.isUserInRole(realRoleName);
      }
   }
}

Now that I've written it, I think you'll need to implement this as a
Valve that is invoked /before/ Tomcat's authorization code runs (which
may not be possible?).

On the other hand, what's wrong with a search-and-replace within the
web.xml to change the names of the security-role names to those you
actually use instead of the more generic users and admins?

- -chris
