Got it to work! Thanks Mark!

On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas <ma...@apache.org> wrote:
> On 19/07/17 15:34, Alex O'Ree wrote:
>> Context.findChild and findChildren returns an instance of "Container".
>> It looks like StandardWrapper extends Container, so I should be able
>> to type cast it. The question is, is it always going to be an instance
>> of StandardWrapper?
>
> For a Context, it should always be an instance of Wrapper so as long as
> you cast to Wrapper, you should be fine.
>
> In a default Tomcat install it will always be StandardWrapper but better
> to use the interface here since it has the method you need.
>
> Mark
>
>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas <ma...@apache.org> wrote:
>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>> Nice, any idea which method I need to call?
>>>
>>> You already have the Context so you want
>>>
>>> Context.findChildren()
>>>
>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>
>>> Context.findChild(String)
>>>
>>> for a specific Wrapper if you know the name. The name should be the name
>>> used in web.xml to define the Servlet.
>>>
>>> Mark
>>>
>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>>>
>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>> Alright, quick update on this.
>>>>>>
>>>>>> At this point, I have servlet context and a username running off the
>>>>>> main tomcat http threads (quartz job)
>>>>>>
>>>>>>> StandardContext tomcat;////load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>>> Realm realm = tomcat.getRealm()
>>>>>>
>>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>>
>>>>>>> Principal user = realm.authenticate(username);
>>>>>>
>>>>>> At this point, the user object is populated and appears to have the
>>>>>> roles attached to it (they are listed in the to String method).
>>>>>>
>>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>>
>>>>>> This part returns false, if and only if the ldap membership matches
>>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>>> role-name do not appear to be in effect.
>>>>>>
>>>>>> I think this may have something to do with the Principal object not
>>>>>> having a login context. Normally, this is available via a servlet, but
>>>>>> this it is not.
>>>>>>
>>>>>> I think the root cause might be this line.
>>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>>
>>>>>> Which probably does the translation from the LDAP defined group or
>>>>>> role into what the application is expecting. Am I on the right path
>>>>>> here?
>>>>>
>>>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>>>> Servlet won't apply. If you know which servlet to use for the role
>>>>> mappings you can get that from the Context (Wrappers represent Servlets
>>>>> and are children of the Context).
>>>>>
>>>>> Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
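
The approach the thread arrives at, as an added example that is not code from either poster or from the Tomcat project: look up the servlet's Wrapper by its web.xml name and pass it to `hasRole` so that servlet's `security-role-ref` mappings apply. The class name `ServletScopedRoleCheck`, its method and its parameters are assumptions; it compiles against Tomcat's catalina.jar.

```java
import java.security.Principal;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;

/** Hypothetical helper: role check from a thread that is not serving a request. */
public final class ServletScopedRoleCheck {

    private ServletScopedRoleCheck() { }

    /**
     * @param context     the web application's Context, obtained as described in the thread
     * @param servletName the servlet-name from web.xml whose role mappings should apply
     * @param username    account to look up in the Context's Realm
     * @param role        role name as the application code refers to it
     */
    public static boolean hasRole(Context context, String servletName,
                                  String username, String role) {
        // Children of a Context are Wrappers; cast to the interface,
        // not StandardWrapper, as advised in the thread.
        Container child = context.findChild(servletName);
        if (!(child instanceof Wrapper)) {
            // Fail closed: an unknown servlet name means no mappings to apply,
            // and an empty placeholder Wrapper would silently skip them.
            return false;
        }
        Wrapper wrapper = (Wrapper) child;

        Realm realm = context.getRealm();
        if (realm == null) {
            return false;
        }

        // Looks the user up by name only; no credential is verified here,
        // so treat the result as an authorization lookup, not a login.
        Principal user = realm.authenticate(username);
        if (user == null) {
            return false;
        }

        // With the real Wrapper, the servlet's security-role-ref entries
        // are consulted when the role is checked.
        return realm.hasRole(wrapper, user, role);
    }
}
```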