top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

roleNested seems to not be working in tomcat 6

0 votes
308 views

I am using

    Apache Tomcat/6.0.37
    pxa6460sr13fp2-20130424_01 (SR13 FP2)
    IBM Corporation
    Linux
    2.6.32-358.2.1.el6.x86_64
    amd64

I have the following context defined for my application:

I have a user defined who is a member of one group which is a member of another group under the roleBase. After authenticating I only get the role/group that the user is a direct member of, it doesn't return the role/group that the group is a member of.

I downloaded the source of org.apache.catalina.realm.JNDIRealm and the roleNested attribute is never used except in the setters and getters. Seems like it is being ignored. Is this feature available in tomcat 6? The docs say it is but it doesn't seem to work.

posted Jul 9, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

I found where it is being used in the getRoles method however I'm still wondering why it doesn't work. I don't see any way to define the member group attribute name, it is uniqueGroup in the dir server I am connecting to.

answer Jul 9, 2013 by anonymous
0 votes

roleSearch will be used for every group found.

Given your config and your groups/persons are as follows

dn: cn=group1,ou=...
cn: group1
uniqueMember: cn=person1,ou=...

dn: cn=group2,ou=...
cn: group2
uniqueMember: cn=group1,ou=...

dn: cn=person1,ou=...
cn: person1
mail: person1@...

When you log in as person1@... first thing the realm does is to look up dn for that person using mail=person1@...
It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0} equal the newly found dn.

So the next lookup is uniqueMember=cn=person,ou=... which gives us cn=group1,ou=...

The attribute cn of that group will be stored as a role. Since nestedRoles is enabled it will now do a new search with roleSearch and the dn (and cn in your case).
The lookup will be uniqueMember=cn=group1,ou=... which will give us cn=group2,ou=... and again the cn (group2) will be stored.

So after that your user will have two roles (group1, group2).

It looks to me that the logic for nested roles is reverse to the one you expected.

If you want to get debug output, you can put the line org.apache.catalina.realm.JNDIRealm.level = FINE

at the end of your conf/logging.properties. The attribute debug in your realm definition is being ignored (and invalid).

answer Jul 10, 2013 by anonymous
Similar Questions
0 votes

I am using CentOS 6.0 with Apache 2.2.15, and set up Apache with virtual host. The SSI works fine on the first VH, but ssi on the other virtual hosts does not work. I got the following message in the error log:

mod_include: Options +Includes (or IncludesNoExec) wasnt set, INCLUDES filter removed

Does anyone know how to resolve this problem?

0 votes

I have a home server set up with a couple of things going on. Here is the weird thing that I can't figure out. I can access everything just fine from an INTERNET connection external to my LAN using my domain name, let's say "domain.com". So, if I type into my browser on my LAN "www.domain.com", it searches without actually finding it's destination giving up after a period of time saying the server cannot be found (usually an error 408).
But, if I type www.domain.com on my mobile phone browser using my data connection (not on the LAN), it connects without a hitch and everything functions fine. I have done this set up before at a different home, but since I moved, I have come across this problem and either don't remember having this happen before or don't remember what I did to resolve it. Also, I changed ISP and that seemed to be the beginning of the problem. I set up my port forwards and checked my firewalls on the router. I looked on google and couldn't find anything specific to my problem. Everything I have read in the user documentation for apache seems to be set up correctly. I guess my question is what do I not know that I should know to be looking for. :-/
Could some one direct me as to what I should look for?

+1 vote

Apache/Tomcat (by default) does not allow symbolic linking (nice as it can cross mounted file systems) except in the top apache/lib directory. I use hard links in the Application/WEB-INF/lib directories to reduce copying and help me manage things.

HOWEVER, some applications have special needs - e.g. pictures. You don't want to always distribute these with the release of the application (Application.war file), so symbolic links are the way to go (except for MS land, sorry). The nice solution to this is:

.../webapps/Application/WEB-INF/context.xml
which must contain at least the two below lines:

However this allows ALL symbolic linking in the Application directory. I agree with the developers that this is dangerous.

Is there some way to allow linking in just ONE sub-directory of the Application?
- e.g. .../webapps/Application/images

This would allow all I need to have local images for the application without endangering other things using a symbolic link.

+2 votes

Is it possible to use PHP 5.2.5 with Apache/2.4.6?

I have an application that was written in WAMP5 using PHP 5.2.5, and I am trying to get the application onto a CentOS server and I can't get it to work with 5.4.16.

Are there any good tutorials on using an older version of PHP with Apache?

+2 votes

There is this native Apache API if I recall correctly to speed up Apache. Is there such for Tomcat too?
And should this be established at any rate for production servers?

...