Security-role-ref is not working properly

This is the contents of my web.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0" metadata-complete="true">

      <servlet>
        <security-role-ref>
          <role-name>MY_GROUP_NAME</role-name>
          <role-link>REGISTERED_USER</role-link>
        </security-role-ref>
      </servlet>

      <servlet>
        <servlet-name>action</servlet-name>
        <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
        <init-param>
          <param-name>config</param-name>
          <param-value>/WEB-INF/struts-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>

      <resource-ref>
        <description>My datasource</description>
        <res-ref-name>jdbc/XXXXXXXX</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>

      <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <!-- Define the context-relative URL(s) to be protected -->
          <url-pattern>/protected/*</url-pattern>
          <!-- If you list http methods, only those methods are protected -->
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <!-- Anyone with one of the listed roles may access this area -->
          <role-name>tomcat</role-name>
          <role-name>role1</role-name>
          <role-name>REGISTERED_USER</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- Default login configuration uses form-based authentication -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
          <form-login-page>/protected/login.jsp</form-login-page>
          <form-error-page>/protected/error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <!-- Security roles referenced by this web application -->
      <security-role>
        <role-name>role1</role-name>
      </security-role>
      <security-role>
        <role-name>tomcat</role-name>
      </security-role>
      <security-role>
        <role-name>REGISTERED_USER</role-name>
      </security-role>

    </web-app>

When I log in with a valid user who is in the MY_GROUP_NAME group in LDAP, request.getRemoteUser() and request.getUserPrincipal() work fine. Testing a user with MY_GROUP_NAME

    String role = request.getParameter("role");
    request.isUserInRole(role);

works great.

The problem is that testing the user against the role REGISTERED_USER does not work. Does anyone see what I'm missing here?

SOME ADDITIONAL INFORMATION

I am using Apache Tomcat v7.0.22

LDAP - OpenDJ 2.4.5

Windows 7 OS

+4
1 answer

I am not familiar with OpenDJ, but according to https://wikis.forgerock.org/confluence/display/OPENDJ/Configure+Apache+Tomcat+with+OpenDJ+as+an+Identity+Store there is no "map" between the Tomcat and LDAP roles, because matching is one-to-one and the names must be the same: the LDAP groups you intend to use must be defined as Tomcat roles, and you must use their names in the security-role section of your web descriptor (web.xml).

+1
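As an added example (not the asker's descriptor and not part of the answer above), here is a minimal web.xml that puts the two points of this thread together: the declared security-role is spelled exactly as the LDAP group name the realm returns, and a security-role-ref inside a named servlet aliases the string the servlet code passes to isUserInRole() onto that role. The servlet name "action", the LDAP group name MY_GROUP_NAME and the alias REGISTERED_USER are assumptions taken from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example descriptor, not the asker's web.xml.
     Assumed: the servlet is named "action", the realm (e.g. Tomcat's JNDIRealm
     against OpenDJ) returns the LDAP group name MY_GROUP_NAME as the role. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <!-- A security-role-ref is only valid inside a <servlet> that has a
         <servlet-name>, and it only affects isUserInRole() calls made from
         that servlet.
         role-name: the literal string the servlet code passes to isUserInRole()
         role-link: the declared <security-role> it resolves to
         So request.isUserInRole("REGISTERED_USER") here is true for a user
         whose LDAP group is MY_GROUP_NAME. -->
    <security-role-ref>
      <role-name>REGISTERED_USER</role-name>
      <role-link>MY_GROUP_NAME</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <display-name>Protected area</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- No <http-method> list: every method is covered, so an unlisted
           verb such as HEAD or OPTIONS cannot bypass the constraint. -->
    </web-resource-collection>
    <!-- auth-constraint must name a declared role, i.e. the group name
         itself, not the alias used in code. -->
    <auth-constraint>
      <role-name>MY_GROUP_NAME</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declared role, spelled exactly as the realm returns the group name.
       There is no separate role mapping step in Tomcat: this name must match
       the LDAP group one-to-one. -->
  <security-role>
    <role-name>MY_GROUP_NAME</role-name>
  </security-role>

</web-app>
```

Two things worth checking against this layout: the login and error pages sit outside /protected/ so the container can serve them to an unauthenticated user, and the role string checked in servlet code is a constant ("REGISTERED_USER") rather than a request parameter, so the set of roles a client can probe is fixed by the descriptor and not chosen by the caller.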
