On 19/07/17 15:34, Alex O'Ree wrote:
> Context.findChild and findChildren return an instance of "Container".
> It looks like StandardWrapper extends Container, so I should be able
> to type cast it. The question is, is it always going to be an instance
> of StandardWrapper?

For a Context, it should always be an instance of Wrapper so as long as
you cast to Wrapper, you should be fine. In a default Tomcat install it
will always be StandardWrapper but better to use the interface here
since it has the method you need.

Mark

>
> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 18/07/17 23:21, Alex O'Ree wrote:
>>> Nice, any idea which method I need to call?
>>
>> You already have the Context so you want
>>
>> Context.findChildren()
>>
>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>
>> Context.findChild(String)
>>
>> for a specific Wrapper if you know the name. The name should be the name
>> used in web.xml to define the Servlet.
>>
>> Mark
>>
>>>
>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>>
>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>> Alright, quick update on this.
>>>>>
>>>>> At this point, I have servlet context and a username running off the
>>>>> main tomcat http threads (quartz job)
>>>>>
>>>>>> StandardContext tomcat; // load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>> Realm realm = tomcat.getRealm();
>>>>>
>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>
>>>>>> Principal user = realm.authenticate(username);
>>>>>
>>>>> At this point, the user object is populated and appears to have the
>>>>> roles attached to it (they are listed in the toString method).
>>>>>
>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>
>>>>> This part returns false, if and only if the ldap membership matches
>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>> role-name do not appear to be in effect.
>>>>>
>>>>> I think this may have something to do with the Principal object not
>>>>> having a login context. Normally, this is available via a servlet, but
>>>>> here it is not.
>>>>>
>>>>> I think the root cause might be this line.
>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>
>>>>> Which probably does the translation from the LDAP defined group or
>>>>> role into what the application is expecting. Am I on the right path
>>>>> here?
>>>>
>>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>>> Servlet won't apply. If you know which servlet to use for the role
>>>> mappings you can get that from the Context (Wrappers represent Servlets
>>>> and are children of the Context).
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org