-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from tomcat to LDAP 
>>>> groups. I found an old thread from August 2009 with the exact problem in 
>>>> which Christopher Schultz recommended to write a servlet filter or valve 
>>>> to do that.
>>>>
>>>> Original mail: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schultz: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other 
>>>> solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element. 
>> Therefore, it doesn't work with JSPs or filters which are not servlets.
>>

> Isn't a JSP page ultimately translated into a servlet ?


I don't know. You tell me! ;)
My knowledge is very limited and as far as I know, you can have servlets but 
also standalone JSP files (which still can use isUserInRole()). While adding 
the <security-role-ref> tag to the <servlet> element works with the servlet, it 
doesn't work with the standalone JSP file. 

Example:

Authentication and authorization are done with LDAP.
Due to company policy the admin-role must be named "company-application-admin". 
The application has one servlet named FooServlet and one JSP file called 
importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:

<security-role>
   <description>Application admin role</description>
   <role-name>admin</role-name>
</security-role>

Also in the web.xml the servlet is defined like this:

<servlet>
   <servlet-name>FooServlet</servlet-name>
   <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
   <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>


Calling request.isUserInRole("admin") inside the servlet FooServlet will return 
"true", because of the security-role-ref element inside the 
servlet element. Everything works fine and as intended. The user then opens 
importantLegacyJsp.jsp, which also calls request.isUserInRole("admin"). Now that 
method will return false, because the mapping is only defined inside the 
servlet element. 

It seems that there doesn't exist a way to make that work without creating a 
custom realm. 

Regards
Sebastian Trost
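The servlet-filter approach referenced at the start of the thread, as an added example that is not part of this thread or of Tomcat itself: a request wrapper that answers isUserInRole("admin") by checking the LDAP group name ("company-application-admin") regardless of whether the caller is FooServlet or the standalone JSP. The filter class name, the mapping table and the strict no-fallback policy are assumptions of this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: maps application role names to the group names the LDAP realm reports. */
public class RoleMappingFilter implements Filter {

    // Constructed mapping for this example: application role -> realm (LDAP group) name.
    private static final Map<String, String> ROLE_LINKS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("admin", "company-application-admin");
        ROLE_LINKS = Collections.unmodifiableMap(m);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap every HTTP request so servlets, filters and JSPs all see the same mapping.
        if (req instanceof HttpServletRequest) {
            req = new RoleMappingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    static final class RoleMappingRequest extends HttpServletRequestWrapper {
        RoleMappingRequest(HttpServletRequest request) { super(request); }

        @Override
        public boolean isUserInRole(String role) {
            // A linked role is checked only under its realm name: an LDAP group that
            // happens to be called "admin" must not satisfy the application's admin role.
            String linked = ROLE_LINKS.get(role);
            return super.isUserInRole(linked != null ? linked : role);
        }
    }
}
```

Map the filter to a url-pattern of /* in web.xml so it runs before the JSP. It changes only programmatic isUserInRole() results; role names in a security-constraint's auth-constraint are still evaluated by the container against the realm's group names.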

