I have written a JAAS-enabled web-app that successfully uses my LDAP service to authenticate a user and populate the Subject with several Principals. I have set up my web-app to use FORM based authentication and can successfully use request.isUserInRole("rolename") to authorize my user against the Principals. However, when I declare a protected resource declaratively, and specify that the resource is protected with "rolename", Tomcat fails to authorize the user for that resource.
The logging messages I receive are as follows:

2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Login Page]' against GET /home.vm --> false
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /home.vm --> true
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - User data constraint has no restrictions
2008-05-05 11:41:34,966 2406494 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - Checking roles CN=user1,OU=Active,OU=Users,OU=companyname,DC=domainname,DC=com
2008-05-05 11:41:34,967 2406495 [http-9808-Processor25] DEBUG org.apache.catalina.realm.RealmBase - No role found: rolename

I notice that the Catalina source code does not use the isUserInRole method to authorize, and I wonder why that's the case. More importantly, I wonder why my user cannot access a protected resource when that resource is protected by a security-constraint, when I can use a filter and programmatically check for that same role and succeed. I am running Tomcat 5.5.12 with Sun 1.4.2_17 JVM. Thanks for any and all help. Robin.
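As an added example (not code from Robin's post or from Tomcat itself), the following shows how Tomcat's JAASRealm recognises roles: it walks the Subject's Principals and treats one as a role only when its class name is listed in the Realm's roleClassNames attribute, so the LoginModule must add role Principals of a distinct class. The package, class names and appName are assumptions; the code is written Java 1.4 style to match the JVM mentioned above.

```java
// Added example, not from the original post. JAASRealm does not call
// isUserInRole(); it classifies each Principal in subject.getPrincipals() by
// class name: userClassNames -> the authenticated user, roleClassNames -> a
// role that web.xml <role-name> entries are compared against by getName().
// Package, class names and appName below are assumptions.
package example.auth;

import java.security.Principal;
import java.util.Collection;
import java.util.Iterator;
import javax.security.auth.Subject;

/* Matching Realm element (assumed names) in server.xml or context.xml:
 *   <Realm className="org.apache.catalina.realm.JAASRealm"
 *          appName="MyWebApp"
 *          userClassNames="example.auth.UserPrincipal"
 *          roleClassNames="example.auth.RolePrincipal"/>
 * If a Principal's class is in neither list, it is ignored for both
 * security-constraint checks and isUserInRole(). */
final class UserPrincipal implements Principal {
    private final String dn;            // e.g. the LDAP DN from the bind
    UserPrincipal(String dn) { this.dn = dn; }
    public String getName() { return dn; }
    public boolean equals(Object o) {
        return o instanceof UserPrincipal && dn.equals(((UserPrincipal) o).dn);
    }
    public int hashCode() { return dn.hashCode(); }
}

final class RolePrincipal implements Principal {
    private final String role;          // must equal the web.xml <role-name>
    RolePrincipal(String role) { this.role = role; }
    public String getName() { return role; }
    public boolean equals(Object o) {
        return o instanceof RolePrincipal && role.equals(((RolePrincipal) o).role);
    }
    public int hashCode() { return role.hashCode(); }
}

/* Called from the LoginModule's commit() after the LDAP bind succeeded.
 * groupNames holds the group names the security-constraints refer to,
 * for example "rolename". */
final class SubjectPopulator {
    static void populate(Subject subject, String userDn, Collection groupNames) {
        subject.getPrincipals().add(new UserPrincipal(userDn));
        for (Iterator it = groupNames.iterator(); it.hasNext();) {
            subject.getPrincipals().add(new RolePrincipal((String) it.next()));
        }
    }
}
```

With the realm's debug logging enabled, a correctly classified role shows up in the "Checking roles" line as the role name rather than only the user DN.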