
JAASRealm on Tomcat: Principal-to-Role-Mapping works, Access denied

843811, Oct 19 2005 (edited Jan 13 2006)
Hello!

We are trying to implement a login/security environment using Tomcat 5.5's JAASRealm and Struts as an MVC framework.

After login, which fails with the error "HTTP Status 403 - Access to the requested resource has been denied", we can navigate manually to our output.jsp and use
...
<%= request.getUserPrincipal() %> ,
...
<%= request.isUserInRole("administrator") %>
...
<logic:present role="administrator">
Admin present!
</logic:present>

These return the correct username, true for isUserInRole, and the logic tag also works...
BUT
our problem is: we protected *.do in our web.xml to be accessible only by users in the role "administrator", which fails as described above.

Why does the login fail, but we still get a valid Subject with Principals, and can access the roles on the output.jsp?

We have been stuck for over a week now, reading tutorials, asking Google, but with no success... Any ideas would be appreciated!

Our relevant source code:

----------------- Tomcats server.xml --------------------------------------------------
<Server port="8005" shutdown="SHUTDOWN">
...
  <Service name="Catalina">
...
    <Engine name="Catalina" defaultHost="localhost">
...
        <Realm className="org.apache.catalina.realm.JAASRealm" 
            appName="SimpleLogin" 
            userClassNames="my.strutsLogin.UserPrincipal" 
            roleClassNames="my.strutsLogin.GroupPrincipal"
            useContextClassLoader="false" 
        />
        <Host ...> </Host>
    </Engine>
  </Service>
</Server>
---------------------------- web.xml of our Project ------------------------------------
...
    <servlet-name>logonAction</servlet-name>
...
  <servlet-mapping>
    <servlet-name>logonAction</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>logonAction</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JAASRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>
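The Realm attributes in the server.xml above only take effect if the LoginModule behind the "SimpleLogin" entry fills the Subject with principals of exactly the classes named in userClassNames and roleClassNames, with the role principal's name equal to the web.xml role-name. The following is an added illustration, not code from the original post: the class names UserPrincipal and GroupPrincipal come from the post, while SimpleLoginModule, NamedPrincipal and the admin/secret credential pair are hypothetical, and the three classes are kept in one file here. Tomcat's JAAS callback handler answers the NameCallback and PasswordCallback with the BASIC credentials.

```java
package my.strutsLogin;

import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// JAASRealm sorts the Subject's principals by runtime class name: the class listed in
// userClassNames supplies the user name, classes listed in roleClassNames supply roles.
abstract class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }
// Hypothetical module registered under the "SimpleLogin" entry of the JAAS config file.
public class SimpleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = s;
        this.handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException(e.toString()); }
        char[] pw = pc.getPassword();  // constructed admin/secret check; a real module uses a user store
        boolean ok = "admin".equals(nc.getName()) && pw != null && "secret".equals(new String(pw));
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }
    public boolean commit() {
        if (user == null) return false;
        // The role principal's name must equal <role-name>administrator</role-name> in web.xml.
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new GroupPrincipal("administrator"));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

A user whose roles are added under a class not listed in roleClassNames, or under a name that differs from the web.xml role-name, authenticates successfully but is denied on every URL covered by the security-constraint.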
Locked on Feb 10 2006
Added on Oct 19 2005