Summary: | JNDIRealm and roleNested doesn't work with roleSearch="(member={1})" | ||
---|---|---|---|
Product: | Tomcat 6 | Reporter: | tahitiangabriel <glandon> |
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | P2 | ||
Version: | 6.0.24 | ||
Target Milestone: | default | ||
Hardware: | All | ||
OS: | All | ||
Attachments: |
patch
add roleNested entry in doc bring {1} to work in JNDIRealm with nested roles |
This has been fixed in trunk and proposed for 6.0.x. Many thanks for the patch. I do not think that this patch is good. See, groupDN is a full distinguished name of a role, while in your case {1} was just a name. Does it work for your configuration? http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm For reference, previous discussion: http://markmail.org/message/cv3i6set7yte57yr In any case, 1) If your configuration works when you do roleSearch="(member={1})" when {1} is a DN of a group, then I think we would better provide a separate attribute to specify search filter for the nested roles. E.g., roleSearch="(member={1})" roleNestedSearch="(member={0})" where {0} in the second case is a group DN, as it is now. We can default roleNestedSearch to be the same as roleSearch when roleNested="true", and to default roleNested="true" when roleNestedSearch is explicitly specified. 2) If you need unqualified rolename, it can be obtained, but the patch will be more complicated. In the code we have Set<String> newGroupDNs = new HashSet<String>(groupMap.keySet()); .. for (String groupDN : newGroupDNs) { .. groupMap.put(dname, name); We should replace Set<String> newGroupDNs with Map<String,String> newGroups = new HashMap<String,String>(groupMap); Perform iteration over entrySet of the map: for (Map.Entry<String,String> newGroup : newGroups.entrySet()) { Then, newGroup.getKey() will give us the groupDN and newGroup.getValue() will give us the group name. 3) It would be nice to update realm-howto.html with documentation on using the roleNested="true". It is not documented yet. Can you propose a patch for /webapps/docs/realm-howto.xml, or at least describe your configuration so that it can be provided as an example there? I think having roleNestedSearch="(member={0})" is a very good idea. Like that it should work for all kind of configurations. For the moment I've switched to the "member={0}" instead of "member={1}", so I can use tomcat 6.0.24 in production. Here's my conf (for a Domino 8.5) : <Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="CN=XXXXXX,O=XXXXX" connectionPassword="XXXXXX" connectionURL="ldap://127.0.0.1:389" roleName="cn" roleNested="true" roleSearch="(member={0})" roleSubtree="true" userSearch="(uid={0})" userSubtree="true"/> I'm not sure my english is good enough to update the doc... Created attachment 24916 [details]
add roleNested entry in doc
Here's a small patch to add the roleNested entry in the doc.
Maybe it should be nice to add an example also.
Created attachment 24953 [details]
bring {1} to work in JNDIRealm with nested roles
Made the corrections proposed by Konstantin Kolinko.
Thanks for the patch. I have applied it to trunk and proposed it for 6.0.x. Thanks again for the patch. It has been applied to 6.0.x and will be includedin 6.0.27 onwards. |
Created attachment 24898 [details] patch roleNested introduced with Tomcat 6.0.24 works well with roleSearch="(member={0})", but not with roleSearch="(member={1})" From tomcat doc : "Use {0} to substitute the distinguished name (DN) of the user, and/or {1} to substitute the username." I've attached a patch to change line : filter = roleFormat.format(new String[] { groupDN }); into : filter = roleFormat.format(new String[] { groupDN, groupDN }); Like that it handles both {0} and {1}. Regards, Gabriel.