When a JDBCRealm is created with the allRolesMode attribute set to "authOnly" a role table is still needed even though the documentation states: "The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles". No check implies no role table needed. Hint: JDBCRealm.hasRole should probably always return true if the allRolesMode is set to "authOnly". The current workaround is to create a view over the user table with a fixed role name.
So if you don't provide a userRoleTable, what do you get? NPE? SQLException? Are you using "*" as the user role in your <security-constraint>? If so, what do you have "allRolesMode" set to?
When userRoleTable is not defined the JDBCRealm simply queries table "null".

allRolesMode="authOnly" ... It's in the title!

<Realm className="org.apache.catalina.realm.JDBCRealm"
       allRolesMode="authOnly"
       digest="MD5"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql:mydb"
       connectionName="myname"
       connectionPassword="mypw"
       userTable="tomcat_user"
       userNameCol="login"
       userCredCol="password"
       userRoleTable="tomcat_role"
       roleNameCol="role" />

Apr 10, 2012 11:50:00 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist

<Realm className="org.apache.catalina.realm.JDBCRealm"
       allRolesMode="authOnly"
       digest="MD5"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql:mydb"
       connectionName="myname"
       connectionPassword="mypw"
       userTable="tomcat_user"
       userNameCol="login"
       userCredCol="password" />

Apr 10, 2012 12:02:55 PM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: syntax error at or near "null"

<security-constraint>
  ...
  <auth-constraint>
    <description></description>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
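The "view over the user table with a fixed role name" workaround from the original report, spelled out as an added example (not from the bug thread or the Tomcat project). It reuses the table and column names of the Realm configuration in comment #2 (tomcat_user, login, password); the view name tomcat_user_roles and the role name "user" are assumptions. The final SELECT has the shape of the roles query JDBCRealm builds from roleNameCol, userRoleTable and userNameCol, which is why leaving userRoleTable unset produces the `FROM null` syntax error shown above.

```sql
-- Added example: user table plus a view that assigns every account one fixed
-- role, so no real role table has to exist. Written for PostgreSQL, to match
-- the Realm configuration in comment #2.

CREATE TABLE tomcat_user (
    login    VARCHAR(64) PRIMARY KEY,
    password CHAR(32)    NOT NULL    -- MD5 hex digest, because the Realm uses digest="MD5"
);

-- Fixed role name for everyone (assumed name: "user"); the view stands in
-- for the userRoleTable, with login as the join column.
CREATE VIEW tomcat_user_roles AS
    SELECT login, 'user' AS role
    FROM   tomcat_user;

-- Constructed sample account; md5() is the PostgreSQL built-in.
INSERT INTO tomcat_user (login, password)
VALUES ('alice', md5('secret'));

-- Shape of the roles query JDBCRealm issues:
--   SELECT <roleNameCol> FROM <userRoleTable> WHERE <userNameCol> = ?
-- Pointing userRoleTable at the view makes it succeed; with userRoleTable
-- unset the text becomes "FROM null", the error in comment #2.
SELECT role
FROM   tomcat_user_roles
WHERE  login = 'alice';
```

To use it, the Realm from comment #2 keeps its user settings and points the role settings at the view: userRoleTable="tomcat_user_roles" roleNameCol="role". The web.xml constraint can then name the fixed role directly (<role-name>user</role-name>) instead of relying on "*". If "*" is kept with the default allRolesMode="strict", remember that "*" is expanded to the roles declared in <security-role>, so the fixed role name has to be declared there as well.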
(In reply to comment #2)
> When userRoleTable is not defined the JDBCRealm simply queries table "null".
> allRolesMode="authOnly" ... It's in the title!

Duh.

> Apr 10, 2012 11:50:00 AM org.apache.catalina.realm.JDBCRealm getRoles
> SEVERE: Exception performing authentication
> org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist

Can you give the full stack trace, please?

> Apr 10, 2012 12:02:55 PM org.apache.catalina.realm.JDBCRealm getRoles
> SEVERE: Exception performing authentication
> org.postgresql.util.PSQLException: ERROR: syntax error at or near "null"

Same here, if it's different.

Also, can you try with DataSourceRealm? I know it's a bit more work to configure, but it might be a problem across both of these JDBC-based realms and we may as well fix it for both.
FWIW, JDBCRealm isn't appropriate for production use IMO. If you can, you should switch to DataSourceRealm which performs much better.
(In reply to comment #4)
> FWIW, JDBCRealm isn't appropriate for production use IMO. If you can, you
> should switch to DataSourceRealm which performs much better.

Sure, just using JDBCRealm for kickstarting and rapid prototyping my projects.

The stacktrace as requested:

Apr 10, 2012 11:44:38 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist
  Position: 18
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2103)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1836)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:512)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
        at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:644)
        at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:436)
        at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:361)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
        at java.lang.Thread.run(Thread.java:679)
It isn't quite that simple. The application may still make a call to isUserInRole().

There may well be a special case for each realm if all of the following are true:
- AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
- the Realm uses separate attributes to define the role store
- the role store attributes are undefined

In this case, there is no need to look up the roles although an INFO log message on Realm start just to remind the admin what is going on wouldn't hurt.
(In reply to comment #6)
> It isn't quite that simple. The application may still make a call to
> isUserInRole().

I suggest we define the result of that call as:
AUTH_ONLY_MODE => true
STRICT_AUTH_ONLY_MODE => false

> There may well be a special case for each realm if all of the following are
> true:
> - AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
> - the Realm uses separate attributes to define the role store
> - the role store attributes are undefined

Huh? #3 conflicts with #2.

> In this case, there is no need to look up the roles although an INFO log
> message on Realm start just to remind the admin what is going on wouldn't
> hurt.

Why create log messages if it is configured not to use the roles table?
(In reply to comment #7)
> I suggest we define the result of that call as:
> AUTH_ONLY_MODE => true

The use of AUTH_ONLY mode does not preclude the user from being assigned a role and/or the web application testing for it.

> STRICT_AUTH_ONLY_MODE => false

While it is less likely, the same applies here too.

> > - AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
> > - the Realm uses separate attributes to define the role store
> > - the role store attributes are undefined
>
> Huh? #3 conflicts with #2.

No they do. #2 means the Realm has the capability to define a separate role store. Not all realms do. #3 means that the above separate role store has not been defined.

> Why create log messages if it is configured not to use the roles table?

Because it is sufficiently unusual that it is worth flagging up to an admin to confirm what is going on. It is just a single log message on Realm start.
s/No they do./No they don't./
In the end I opted to implement this for JDBCRealm and DataSourceRealm and without any logging on Realm start. The fix has been applied to trunk and 7.0.x and will be included in 7.0.28 onwards. The fix has been proposed for 6.0.x.
I could not find bug 53047 in the change log for 7.0.28 or 7.0.29. Is this still an issue? I need to implement the "authOnly" mode without checking any roles.

Greetings from Germany,
Manuel
See comment #10. The changelog entry was missed. This has been fixed.

http://svn.apache.org/viewvc?view=revision&revision=1348499
http://svn.apache.org/viewvc?view=revision&revision=1366956
Updated Tomcat 7 documentation for Realm in r1377445. The documentation update is in 7.0.30 and later.
Fixed in Tomcat 6 with r1377888 + r1377917 (+ r1377918). It will be in 6.0.36.