
List:       tomcat-user
Subject:    RE: User Realm based Authorisation with Tomcat 8
From:       David Marsh <dmarsh26 () outlook ! com>
Date:       2015-03-30 12:10:20
Message-ID: DUB127-W538BC36A6E73030031E75AD9F50 () phx ! gbl

No worries, fixed it :-

      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://win-dc01.kerbtest.local:389"
             userBase="cn=Users,dc=kerbtest,dc=local"
             userSearch="(cn={0})"
             userRoleName="memberOf"
             roleBase="cn=Users,dc=kerbtest,dc=local"
             roleName="cn"
             roleSearch="(member={0})"
             debug="9"/>

Seems uniqueMember is no good as I have multiple groups...

----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:50:52 +0100
> 
> Ok so I fixed my Realm :-
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://win-dc01.kerbtest.local:389"
> userBase="cn=Users,dc=kerbtest,dc=local"
> userSearch="(cn={0})"
> userRoleName="memberOf"
> roleBase="cn=Users,dc=kerbtest,dc=local"
> roleName="cn"
> roleSearch="(uniqueMember={0})"
> debug="9"/>
> 
> However, the AD group 'manager-gui' does not automatically become a role. How do I define the group-to-role mapping?
> Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 04 00 04 00 ]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD7B088BEE077787CFD21FE4BC6]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test does NOT have role manager-gui
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
> 30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
> 
> thanks!
> 
> David
> 
> ----------------------------------------
> > From: dmarsh26@outlook.com
> > To: users@tomcat.apache.org
> > Subject: User Realm based Authorisation with Tomcat 8
> > Date: Mon, 30 Mar 2015 12:09:47 +0100
> > 
> > So I have SPNEGO working and I want to use the JNDI realm for authorisation.
> > 
> > I have this configured :-
> > 
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > connectionURL="ldap://win-dc01.kerbtest.local:389"
> > userBase="ou=Users,dc=kerbtest,dc=local"
> > userSearch="(uid={0})"
> > userRoleName="memberOf"
> > roleBase="ou=Users,dc=kerbtest,dc=local"
> > roleName="cn"
> > roleSearch="(uniqueMember={0})"/>
> > 
> > I would like to use AD groups to control authorisation in my application.
> > 
> > However currently it appears the tomcat-users is being used :-
> > 
> > <user username="test" password="testpass" roles="manager-gui"/>
> > 
> > How do I configure the Tomcat Manager web app to use the realm and ignore the users file?
> > Alternatively is there other example code I can use with the JNDI realm ?
> > 
> > many thanks
> > 
> > David
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 
> 

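The FINE log quoted above shows why the first two configurations failed: the principal's only role is the memberOf value CN=manager-gui,CN=Users,DC=kerbtest,DC=local, because JNDIRealm adds every userRoleName value to the role list verbatim, and the roleSearch on uniqueMember matched nothing (Active Directory groups keep their members in the member attribute; uniqueMember is the groupOfUniqueNames attribute, which AD groups do not carry). The script below is an added example, not Tomcat's code or the poster's: it models JNDIRealm's role collection over a constructed three-entry directory standing in for kerbtest.local (the user "test" and two groups) and runs the thread's two roleSearch filters side by side, with and without userRoleName. Two caveats on the posted config that the thread does not mention: the Realm element in Tomcat 8 has no debug attribute (the FINE lines above come from the org.apache.catalina.realm logger level in logging.properties), and ldap:// on port 389 carries the user and group searches, and any connectionName/connectionPassword bind, in clear text unless the URL is switched to ldaps://.

```python
"""Model of how org.apache.catalina.realm.JNDIRealm turns LDAP entries into roles.

Added example; not Tomcat code. DIRECTORY is a constructed stand-in for the
kerbtest.local directory in the thread. Attribute values are lists, as in LDAP.
"""
import re

# Constructed sample directory: DN -> attributes. AD groups list their members in
# 'member' and stamp the user with 'memberOf'; no entry has 'uniqueMember'.
DIRECTORY = {
    "CN=test,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["test"],
        "sAMAccountName": ["test"],
        "memberOf": [
            "CN=manager-gui,CN=Users,DC=kerbtest,DC=local",
            "CN=Domain Users,CN=Users,DC=kerbtest,DC=local",
        ],
    },
    "CN=manager-gui,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["manager-gui"],
        "member": ["CN=test,CN=Users,DC=kerbtest,DC=local"],
    },
    "CN=Domain Users,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["Domain Users"],
        "member": ["CN=test,CN=Users,DC=kerbtest,DC=local"],
    },
}

USERS_BASE = "cn=Users,dc=kerbtest,dc=local"  # userBase/roleBase from the thread

_EQUALITY_FILTER = re.compile(r"^\((\w+)=(.+)\)$")


def _attr(attrs, name):
    """Case-insensitive attribute lookup; LDAP attribute names are case-insensitive."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def search(base, filter_template, arg, directory=DIRECTORY):
    """Subtree search with one equality filter such as '(member={0})'.
    {0} is substituted the way JNDIRealm does it; DN values compare case-insensitively."""
    match = _EQUALITY_FILTER.match(filter_template.replace("{0}", arg))
    if not match:
        raise ValueError("only (attr=value) filters are modelled here")
    attr, wanted = match.group(1), match.group(2).lower()
    return [
        (dn, attrs)
        for dn, attrs in directory.items()
        if dn.lower().endswith(base.lower())
        and wanted in (v.lower() for v in _attr(attrs, attr))
    ]


def realm_roles(username, user_base, user_search, user_role_name,
                role_base, role_search, role_name, directory=DIRECTORY):
    """Role list as JNDIRealm builds it: every value of userRoleName on the user
    entry is added as-is (so memberOf contributes whole group DNs), then the
    roleName attribute of each entry matched by roleSearch with {0} = user DN."""
    users = search(user_base, user_search, username, directory)
    if len(users) != 1:
        return None  # no such user, or an ambiguous match: the realm rejects the login
    user_dn, user_attrs = users[0]
    roles = list(_attr(user_attrs, user_role_name)) if user_role_name else []
    for _group_dn, group_attrs in search(role_base, role_search, user_dn, directory):
        roles.extend(_attr(group_attrs, role_name))
    return roles


def has_role(roles, role):
    """RealmBase.hasRole is an exact, case-sensitive string comparison."""
    return role in roles


if __name__ == "__main__":
    for role_search in ("(uniqueMember={0})", "(member={0})"):
        roles = realm_roles("test", USERS_BASE, "(cn={0})", "memberOf",
                            USERS_BASE, role_search, "cn")
        print(f"{role_search:20} -> {roles}  manager-gui? {has_role(roles, 'manager-gui')}")
```

With roleSearch="(uniqueMember={0})" the list holds only the two memberOf DNs and has_role("manager-gui") is False, matching the "does NOT have role manager-gui" line in the log; with "(member={0})" the group cn values are appended and the check passes. Dropping userRoleName keeps the DN strings out of the principal's role list altogether, which makes role names in web.xml and the Manager's security constraints exactly the group cn values.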