SOLVED!

Well since no one else seems to care about ldap authentication and user
roles, I guess I'll reply to myself..

Apparently backwards compatiblity is built into the source code for tomcat.

To work around the problem of <role-name>*</role-name>  you need to got and
grab the tomcat source code, not the binaries.. If you have the binaries
installed already, this is fine.  All we are going to do is replace
catalina.jar...

In my source directory C:\apache-
tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm, I
edited RealmBase.java.

I Changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE;

to protected AllRolesMode allRolesMode = AllRolesMode.STRICT_AUTH_ONLY_MODE;

I then built from source and copied the newly build catalina.jar file to my
current binary distribution of tomcat..$TOMCAT_HOME/server/lib

thats it..   Now <role-name>*</role-name> authenticates all roles.


Brian Bay




On 9/1/06, brian bay <[EMAIL PROTECTED]> wrote:

I recently upgraded from tomcat 5.0.28 to 5.5.17.   I have security set up
on all my apps to allow any user that can authenticate against ldap access
to the application....

So in 5.0.28,  I  defined <role-name>*</role-name>  to allow all role
names.   In 5.5.17 the behavior changes on the role-name attribute, and
apparently the * now means "all roles defined inside of web.xml" instead
of the previous "all/any roles"..   I understand that after tomcat 5.5.12, tomcat was 
"fixed" to conform to the
2.4 servlet spec, in which the * 's meaning is redefined.   Suck.

I dont want to have to define 300 roles in web.xml..  Once I do that, I am
now maintaning roles in 2 places.


***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from
server/lib to my 5.5.17 installation..  !Voila!  authentication now works
with the <role-name>*</role-name>



questions:

Why is there no backwards compatibility?  or is there and I just have to
tell it which servlet spec to use?

***As, for my workaround.  I cant see this as being a very good
solution... I'm guessing this will cause problems elsewhere??


I could just use 5.5.12, but I'm sure there are some bug fixes along the
way that I would benefit from..

thanks,
Brian

Reply via email to