Bug 53047 - JDBCRealm allRolesMode="authOnly" still needs role table
Summary: JDBCRealm allRolesMode="authOnly" still needs role table
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.33
Hardware: All All
Importance: P2 minor
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-08 11:18 UTC by Dennis Verbeek
Modified: 2012-08-28 00:16 UTC
Description Dennis Verbeek 2012-04-08 11:18:56 UTC
When a JDBCRealm is created with the allRolesMode attribute set to "authOnly" a role table is still needed even though the documentation states: "The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles". No check implies no role table needed. Hint: JDBCRealm.hasRole should probably always return true if the allRolesMode is set to "authOnly". The current workaround is to create a view over the user table with a fixed role name.
Comment 1 Christopher Schultz 2012-04-09 16:39:18 UTC
So if you don't provide a userRoleTable, what do you get? NPE? SQLException?

Are you using "*" as the user role in your <security-constraint>? If so, what do you have "allRolesMode" set to?
Comment 2 Dennis Verbeek 2012-04-10 10:29:13 UTC
When userRoleTable is not defined the JDBCRealm simply queries table "null".
allRolesMode="authOnly" ... It's in the title!

<Realm className="org.apache.catalina.realm.JDBCRealm" allRolesMode="authOnly" digest="MD5" driverName="org.postgresql.Driver" connectionURL="jdbc:postgresql:mydb" connectionName="myname" connectionPassword="mypw" userTable="tomcat_user" userNameCol="login" userCredCol="password" userRoleTable="tomcat_role" roleNameCol="role" />

Apr 10, 2012 11:50:00 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist

<Realm className="org.apache.catalina.realm.JDBCRealm" allRolesMode="authOnly" digest="MD5" driverName="org.postgresql.Driver" connectionURL="jdbc:postgresql:mydb" connectionName="myname" connectionPassword="mypw" userTable="tomcat_user" userNameCol="login" userCredCol="password" />

Apr 10, 2012 12:02:55 PM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: syntax error at or near "null"

<security-constraint>
   ...
   <auth-constraint>
      <description></description>
      <role-name>*</role-name>
   </auth-constraint>
</security-constraint>
Comment 3 Christopher Schultz 2012-04-10 17:50:37 UTC
(In reply to comment #2)
> When userRoleTable is not defined the JDBCRealm simply queries table "null".
> allRolesMode="authOnly" ... It's in the title!

Duh.

> Apr 10, 2012 11:50:00 AM org.apache.catalina.realm.JDBCRealm getRoles
> SEVERE: Exception performing authentication
> org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist

Can you give the full stack trace, please?

> Apr 10, 2012 12:02:55 PM org.apache.catalina.realm.JDBCRealm getRoles
> SEVERE: Exception performing authentication
> org.postgresql.util.PSQLException: ERROR: syntax error at or near "null"

Same here, if it's different.

Also, can you try with DataSourceRealm? I know it's a bit more work to configure, but it might be a problem across both of these JDBC-based realms and we may as well fix it for both.
Comment 4 Christopher Schultz 2012-04-10 17:52:09 UTC
FWIW, JDBCRealm isn't appropriate for production use IMO. If you can, you should switch to DataSourceRealm which performs much better.
Comment 5 Dennis Verbeek 2012-04-10 18:02:42 UTC
(In reply to comment #4)
> FWIW, JDBCRealm isn't appropriate for production use IMO. If you can, you
> should switch to DataSourceRealm which performs much better.

Sure, just using JDBCRealm for kickstarting and rapid prototyping my projects.

The stacktrace as requested:

Apr 10, 2012 11:44:38 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
org.postgresql.util.PSQLException: ERROR: relation "tomcat_role" does not exist
  Position: 18
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2103)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1836)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:512)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
        at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:644)
        at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:436)
        at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:361)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
        at java.lang.Thread.run(Thread.java:679)
Comment 6 Mark Thomas 2012-06-05 23:15:12 UTC
It isn't quite that simple. The application may still make a call to isUserInRole().

There may well be a special case for each realm if all of the following are true:
- AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
- the Realm uses separate attributes to define the role store
- the role store attributes are undefined

In this case, there is no need to look up the roles although an INFO log message on Realm start just to remind the admin what is going on wouldn't hurt.
Comment 7 Dennis Verbeek 2012-06-06 05:42:48 UTC
(In reply to comment #6)
> It isn't quite that simple. The application may still make a call to
> isUserInRole().

I suggest we define the result of that call as:
AUTH_ONLY_MODE => true
STRICT_AUTH_ONLY_MODE => false

> 
> There may well be a special case for each realm if all of the following are
> true:
> - AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
> - the Realm uses separate attributes to define the role store
> - the role store attributes are undefined

Huh? #3 conflicts with #2.

> In this case, there is no need to look up the roles although an INFO log
> message on Realm start just to remind the admin what is going on wouldn't
> hurt.

Why create log messages if it is configured not to use the roles table?
Comment 8 Mark Thomas 2012-06-06 18:52:44 UTC
(In reply to comment #7)

> I suggest we define the result of that call as:
> AUTH_ONLY_MODE => true

The use of AUTH_ONLY mode does not preclude the user from being assigned a role and/or the web application testing for it.

> STRICT_AUTH_ONLY_MODE => false

While it is less likely, the same applies here too.

> > - AUTH_ONLY_MODE or STRICT_AUTH_ONLY_MODE
> > - the Realm uses separate attributes to define the role store
> > - the role store attributes are undefined
> 
> Huh? #3 conflicts with #2.

No they do. #2 means the Realm has the capability to define a separate role store. Not all realms do.

#3 means that the above separate role store has not been defined.

> Why create log messages if it is configured not to use the roles table?

Because it is sufficiently unusual that it is worth flagging up to an admin to confirm what is going on. It is just a single log message on Realm start.
Comment 9 Mark Thomas 2012-06-06 18:53:44 UTC
s/No they do./No they don't./
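As an added illustration (not Tomcat's own code, and not posted by anyone in this thread), a simplified Java model of the behaviour discussed in comments 6 and 8: the "*" role-name decision under each allRolesMode, plus the special case where a realm's role-store attributes are left undefined and therefore no role lookup is performed. The strict and strictAuthOnly branches follow the Tomcat Realm documentation's description of those modes; RoleStore is a hypothetical stand-in for the userRoleTable/roleNameCol query.

```java
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Simplified model, not Tomcat's code, of the "*" role-name decision under each
// allRolesMode, plus this bug's special case: undefined role-store attributes
// mean no role lookup at all (roles come back empty instead of querying "null").
public class AllRolesModeModel {

    public enum AllRolesMode { STRICT, AUTH_ONLY, STRICT_AUTH_ONLY }

    /** Hypothetical stand-in for the userRoleTable/roleNameCol query. */
    public interface RoleStore { List<String> getRoles(String username); }

    private final AllRolesMode mode;
    private final RoleStore roleStore; // null = role-store attributes left unset

    public AllRolesModeModel(AllRolesMode mode, RoleStore roleStore) {
        this.mode = mode;
        this.roleStore = roleStore;
    }

    /** Roles of an authenticated user; skips the query when no store is configured. */
    public List<String> rolesFor(String username) {
        return roleStore == null ? Collections.<String>emptyList() : roleStore.getRoles(username);
    }

    /** Decision for an <auth-constraint> whose role-name is "*". */
    public boolean allowsAllRoles(String username, Set<String> webXmlRoles) {
        if (mode == AllRolesMode.AUTH_ONLY) {
            return true; // authenticated is enough; no role check at all
        }
        if (mode == AllRolesMode.STRICT_AUTH_ONLY && webXmlRoles.isEmpty()) {
            return true; // nothing declared in web.xml, so nothing to check
        }
        // STRICT, or STRICT_AUTH_ONLY with declared roles: need one of them
        for (String role : rolesFor(username)) {
            if (webXmlRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** isUserInRole() keeps working; it is answered from whatever roles were loaded. */
    public boolean isUserInRole(String username, String role) {
        return rolesFor(username).contains(role);
    }
}
```

With a null RoleStore and AUTH_ONLY, allowsAllRoles() is true and isUserInRole() is false for every role, which is the combination the reporter's configuration relies on; with STRICT and a null store, "*" can never be satisfied, so the role table is genuinely required there.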
Comment 10 Mark Thomas 2012-06-09 20:38:59 UTC
In the end I opted to implement this for JDBCRealm and DataSourceRealm and without any logging on Realm start.

The fix has been applied to trunk and 7.0.x and will be included in 7.0.28 onwards.

The fix has been proposed for 6.0.x.
Comment 11 Manuel Fink 2012-07-16 20:10:37 UTC
I could not find the bug 53047 in the change log for 7.0.28 or 7.0.29. Is this still an issue? I need to implement the "authOnly" mode without checking any roles.

Greetings from Germany
Manuel
Comment 12 Mark Thomas 2012-07-29 21:31:58 UTC
See comment #10

The changelog entry was missed. This has been fixed.

http://svn.apache.org/viewvc?view=revision&revision=1348499
http://svn.apache.org/viewvc?view=revision&revision=1366956
Comment 13 Konstantin Kolinko 2012-08-26 14:34:17 UTC
Updated Tomcat 7 documentation for Realm in r1377445.
The documentation update is in 7.0.30 and later.
Comment 14 Konstantin Kolinko 2012-08-28 00:16:39 UTC
Fixed in Tomcat 6 with r1377888 + r1377917 (+ r1377918).
It will be in 6.0.36.