Bug 39364

Summary: One problem about the JAAS role check.
Product: Tomcat 5
Reporter: Torr Liu <jjliu>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
CC: hauser
Priority: P2
Version: 5.5.17
Target Milestone: ---
Hardware: Other
OS: other

Description Torr Liu 2006-04-20 11:18:42 UTC
If I define the security-constraint like this:

When Tomcat starts, this context will not add any role into the Context object.
(Please check the ContextConfig.validateSecurityRoles() method.) So the
StandardContext's securityRoles[] is an empty array.

In the RealmBase.hasResourcePermission() method, it will get these roles to compare
with the ones in the web.xml file.

            if (constraint.getAllRoles()) {
                // * means all roles defined in web.xml
                roles = request.getContext().findSecurityRoles();
            } else {
                roles = constraint.findAuthRoles();
            }

Here, if constraint.getAllRoles() returns true, it does not return directly, but
gets the securityRoles[] from the context (an empty array), so it will not allow
access to this path resource.
Comment 1 Mark Thomas 2006-06-12 00:32:31 UTC
This behaviour is as required by the spec.
* == all roles defined in web.xml
* != all roles defined in realm
* != all authenticated users
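The decision described in the report and in Mark's three lines, as an added illustration (not Tomcat source, and not part of the bug report): a small model of how RealmBase.hasResourcePermission() resolves "*" against the context's declared security roles and then matches them against the user's roles. The class and method names, and the role names used in the scenarios, are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Model of the Tomcat 5.5 role check discussed in this bug (added example,
 * not Tomcat code). webXmlRoles stands for what StandardContext.findSecurityRoles()
 * returns, i.e. the <security-role> names declared in web.xml.
 */
public class StarRoleCheck {

    static boolean allowed(Set<String> webXmlRoles, boolean allRoles,
                           List<String> authRoles, Set<String> userRoles) {
        // "*" expands to the roles declared in web.xml, not to the realm's roles
        // and not to "any authenticated user".
        List<String> roles = allRoles ? new ArrayList<String>(webXmlRoles) : authRoles;
        // Same shape as the loop in RealmBase.hasResourcePermission(): any match grants access.
        for (String role : roles) {
            if (userRoles.contains(role)) {
                return true;
            }
        }
        // Nothing matched. With "*" and no <security-role> declared, roles is empty
        // and this branch is taken for every user: the situation in this bug.
        return false;
    }

    public static void main(String[] args) {
        // Roles the realm assigned to the authenticated (client-cert) user; assumed values.
        Set<String> user = new HashSet<String>(Arrays.asList("cert-user"));
        List<String> noAuthRoles = Collections.emptyList();

        // Scenario 1: <role-name>*</role-name> but no <security-role> in web.xml.
        System.out.println("star, no security-role declared: "
                + allowed(Collections.<String>emptySet(), true, noAuthRoles, user));

        // Scenario 2: the same constraint after declaring <security-role>cert-user</security-role>.
        System.out.println("star, cert-user declared: "
                + allowed(new HashSet<String>(Arrays.asList("cert-user")), true, noAuthRoles, user));

        // Scenario 3: web.xml declares only a role the user does not hold.
        System.out.println("star, only admin declared: "
                + allowed(new HashSet<String>(Arrays.asList("admin")), true, noAuthRoles, user));
    }
}
```

Scenario 2 is the spec-compliant way to make "*" admit a user: every role the realm can hand out must also appear as a `<security-role>` in web.xml, because that list, and only that list, is what "*" expands to.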
Comment 2 Ralf Hauser 2006-08-08 15:20:29 UTC
Hi Mark,

I had the very same configuration as Torr nicely working before.

Would it be possible to provide an example that illustrates how I can let all
(client-cert) login attempts through (and only decide afterwards in my
application logic whether I want them to succeed or not) and still be compliant
with the spec?

Thanks  Ralf

see also bug 37852, bug 37044, and Bug 34643
Comment 3 Mark Thomas 2006-08-08 22:57:39 UTC
I can give you some pointers but my time to write some actual code is
non-existent. This is a question for the users list. In fact it came up again
yesterday. (http://marc.theaimsgroup.com/?l=tomcat-user&m=115503660912530&w=2)
Comment 4 Ralf Hauser 2006-11-09 02:10:43 UTC
This can easily be solved by adding the following custom realm to your server.xml:

import java.io.IOException;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JAASRealm;

public class ClientCertInAppRealm extends JAASRealm {

	// Short-circuit the container's role check: every request passes the
	// security-constraint, and authorization is left to the application.
	public boolean hasResourcePermission(Request request, Response response,
			SecurityConstraint[] constraints, Context context) throws IOException {
		return true;
	}
}
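The application-side half that the realm above relies on, as an added example (it is not part of the bug report and not Ralf's code): once hasResourcePermission() returns true for everything, no security-constraint denies anything, so the application must make its own decision. With CLIENT-CERT authentication the connector has already validated the presented chain against its truststore during the TLS handshake and exposes it under the request attribute javax.servlet.request.X509Certificate; the filter below applies an application policy on top of that. The filter name, the trusted issuer DN and the issuer-only policy are assumptions for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-level decision for client-cert logins that the permissive realm
 * let through (added example, not from the bug report). Map it to the paths
 * that the security-constraint used to protect.
 */
public class ClientCertDecisionFilter implements Filter {

    // Standard attribute under which the container exposes the client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Assumed policy: only certificates issued by this CA are accepted.
    static final X500Principal TRUSTED_ISSUER =
            new X500Principal("CN=Example Internal CA, O=Example");

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    /**
     * Pure policy hook so it can be unit-tested without a container.
     * Rejects a missing chain, an expired or not-yet-valid leaf, and any
     * leaf whose issuer is not the trusted CA.
     */
    static boolean accept(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;               // no client certificate presented
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();       // throws if outside notBefore/notAfter
        } catch (CertificateException e) {
            return false;
        }
        return TRUSTED_ISSUER.equals(leaf.getIssuerX500Principal());
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (!accept(certs)) {
            // The realm already let the request past the security-constraint;
            // this is the point where the application says no.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }
}
```

Because the realm no longer distinguishes resources, this filter (or an equivalent check in each servlet) has to cover every path that was previously protected; a path left without it is reachable by any request the connector accepts.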