List: tomcat-user
Subject: RE: User Realm based Authorisation with Tomcat 8
From: David Marsh <dmarsh26 () outlook ! com>
Date: 2015-03-30 12:10:20
Message-ID: DUB127-W538BC36A6E73030031E75AD9F50 () phx ! gbl
No worries fixed it :-
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://win-dc01.kerbtest.local:389"
userBase="cn=Users,dc=kerbtest,dc=local"
userSearch="(cn={0})"
userRoleName="memberOf"
roleBase="cn=Users,dc=kerbtest,dc=local"
roleName="cn"
roleSearch="(member={0})"
debug="9"/>
Seems uniqueMember is no good as I have multiple groups...
----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:50:52 +0100
>
> Ok so I fixed my Realm :-
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://win-dc01.kerbtest.local:389"
> userBase="cn=Users,dc=kerbtest,dc=local"
> userSearch="(cn={0})"
> userRoleName="memberOf"
> roleBase="cn=Users,dc=kerbtest,dc=local"
> roleName="cn"
> roleSearch="(uniqueMember={0})"
> debug="9"/>
>
>
>
>
> However the AD group 'manager-gui' does not automatically become a role, how do I define the group to role mapping ?
>
> Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 04 00 04 00 ]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD7B088BEE077787CFD21FE4BC6]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test does NOT have role manager-gui
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
> 30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
>
> thanks!
>
> David
>
> ----------------------------------------
> > From: dmarsh26@outlook.com
> > To: users@tomcat.apache.org
> > Subject: User Realm based Authorisation with Tomcat 8
> > Date: Mon, 30 Mar 2015 12:09:47 +0100
> >
> > So I have SPNEGO working and I want to use the JNDI realm for authorisation.
> >
> > I have this configured :-
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > connectionURL="ldap://win-dc01.kerbtest.local:389"
> > userBase="ou=Users,dc=kerbtest,dc=local"
> > userSearch="(uid={0})"
> > userRoleName="memberOf"
> > roleBase="ou=Users,dc=kerbtest,dc=local"
> > roleName="cn"
> > roleSearch="(uniqueMember={0})"/>
> >
> > I would like to use AD groups to control authorisation in my application.
> >
> > However currently it appears the tomcat-users is being used :-
> >
> > <user username="test" password="testpass" roles="manager-gui"/>
> >
> > How do I configure tomcat Manager web app to use the realm and ignore the users file ?
> > Alternatively is there other example code I can use with the JNDI realm ?
> >
> > many thanks
> >
> > David
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
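The role mismatch in the quoted log and the roleSearch change that resolved it can be reproduced with a small model. This is an added example, not part of the original messages and not Tomcat source code; the user DN and the in-memory directory are constructed, and the matching logic is a simplification of how the realm attributes are applied.

```python
# Simplified model of JNDIRealm role resolution (not Tomcat source code).
# Constructed AD-style directory: AD groups list their members in "member".
USER_DN = "CN=test,CN=Users,DC=kerbtest,DC=local"  # assumed user entry DN
GROUP_DN = "CN=manager-gui,CN=Users,DC=kerbtest,DC=local"
DIRECTORY = {
    USER_DN: {"cn": ["test"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"cn": ["manager-gui"], "member": [USER_DN]},
}


def under(dn, base):
    """True if dn sits at or below base (case-insensitive suffix match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def resolve_roles(user_dn, realm):
    """Collect role names the way the realm attributes describe them."""
    roles = set()
    # userRoleName: attribute values on the user entry are used verbatim,
    # so AD's memberOf contributes full group DNs, not short names.
    if realm.get("userRoleName"):
        roles.update(DIRECTORY[user_dn].get(realm["userRoleName"], []))
    # roleSearch "(attr={0})": entries under roleBase whose attr holds the
    # user's DN; the role name is read from the roleName attribute.
    attr = realm["roleSearch"].strip("()").split("=", 1)[0]
    for dn, entry in DIRECTORY.items():
        if under(dn, realm["roleBase"]) and user_dn in entry.get(attr, []):
            roles.update(entry.get(realm["roleName"], []))
    return roles


def has_role(roles, required):
    """Exact string comparison: a DN never equals the short role name."""
    return required in roles


BASE = {"userRoleName": "memberOf", "roleName": "cn",
        "roleBase": "cn=Users,dc=kerbtest,dc=local"}
BROKEN = dict(BASE, roleSearch="(uniqueMember={0})")  # second message
FIXED = dict(BASE, roleSearch="(member={0})")         # final message

if __name__ == "__main__":
    for label, realm in (("uniqueMember", BROKEN), ("member", FIXED)):
        roles = resolve_roles(USER_DN, realm)
        print(label, sorted(roles), has_role(roles, "manager-gui"))
```

With the uniqueMember filter the only role is the group DN taken from memberOf, which is what the GenericPrincipal line in the log shows; with the member filter the group's cn is added and the manager-gui check passes.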