SOLVED! Well since no one else seems to care about ldap authentication and user roles, I guess I'll reply to myself..
Apparently backwards compatiblity is built into the source code for tomcat. To work around the problem of <role-name>*</role-name> you need to got and grab the tomcat source code, not the binaries.. If you have the binaries installed already, this is fine. All we are going to do is replace catalina.jar... In my source directory C:\apache- tomcat-5.5.17-src\container\catalina\src\share\org\apache\catalina\realm, I edited RealmBase.java. I Changed protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE; to protected AllRolesMode allRolesMode = AllRolesMode.STRICT_AUTH_ONLY_MODE; I then built from source and copied the newly build catalina.jar file to my current binary distribution of tomcat..$TOMCAT_HOME/server/lib thats it.. Now <role-name>*</role-name> authenticates all roles. Brian Bay On 9/1/06, brian bay <[EMAIL PROTECTED]> wrote:
I recently upgraded from tomcat 5.0.28 to 5.5.17. I have security set up on all my apps to allow any user that can authenticate against ldap access to the application.... So in 5.0.28, I defined <role-name>*</role-name> to allow all role names. In 5.5.17 the behavior changes on the role-name attribute, and apparently the * now means "all roles defined inside of web.xml" instead of the previous "all/any roles".. I understand that after tomcat 5.5.12, tomcat was "fixed" to conform to the 2.4 servlet spec, in which the * 's meaning is redefined. Suck. I dont want to have to define 300 roles in web.xml.. Once I do that, I am now maintaning roles in 2 places. ***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from server/lib to my 5.5.17 installation.. !Voila! authentication now works with the <role-name>*</role-name> questions: Why is there no backwards compatibility? or is there and I just have to tell it which servlet spec to use? ***As, for my workaround. I cant see this as being a very good solution... I'm guessing this will cause problems elsewhere?? I could just use 5.5.12, but I'm sure there are some bug fixes along the way that I would benefit from.. thanks, Brian