It appears that for the JNDIRealm to be able to locate roles, they must be anonymously accessible. I believe that for security purposes this should not be necessary if we are validating the user by binding to the directory. In that case the roles could be accessible to any bound user or that particular user. I discussed this very briefly on the Tomcat user list. It sounds like this had been discussed previously and for whatever reason, the idea rejected. Anyhow I submit that there is a bug, either in the code - which requires the roles to be anonymous, or in the documentation which does not make it clear that this is the case (at least in "Tomcat 4 Servlet/JSP Container - Realm Configuration HOW-TO"). It seems reasonable to me that if we are binding to the directory to authenticate, we would have that user's access to roles. Perhaps the documentation should more explicitly state that this is not the case. In the hope that it would be accepted as an enhancement, I am going to attempt to attach a modified JNDIRealm that uses the authenticated connection to obtain the roles. Thank You, Art
Created attachment 6087 [details] Modified JNDIRealm to use authenticated connection for roles.
Created attachment 6088 [details] Diff from version 4.1.24.
I forgot to mention that using connectionName and connectionPassword is also not an option for us. Art
Here is the relevant thread from tomcat-user http://marc.theaimsgroup.com/?l=tomcat-user&m=103158720132648&w=2 I am going to mark this as an enhancement request for now.
*** Bug 22948 has been marked as a duplicate of this bug. ***
The code has moved on somewhat since this enhancement request was made so the patch does not apply cleanly. I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow role searches as the user being authenticated rather than using an anonymous user or using connectionName/connectionPassword. The new option will be included in 7.0.9 onwards.
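As an added illustration (not one of the attachments on this bug), the server.xml fragments below contrast the behaviour the reporter describes, where the user binds to authenticate but the role search then runs on the unauthenticated connection, with the option mentioned in the last comment, which I assume is the `roleSearchAsUser` attribute that JNDIRealm accepts from 7.0.9 on; the LDAP host, base DNs and attribute names are placeholders.

```xml
<!-- Before: the user authenticates by binding as the DN built from userPattern,
     but since no connectionName/connectionPassword is configured, the realm
     drops back to an anonymous bind before running roleSearch, so the
     directory must let unauthenticated clients read ou=groups. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.test:389"
       userPattern="uid={0},ou=people,dc=example,dc=test"
       roleBase="ou=groups,dc=example,dc=test"
       roleName="cn"
       roleSearch="(member={0})"/>

<!-- After (Tomcat 7.0.9 and later, attribute name assumed): roleSearchAsUser
     keeps the user's own authenticated bind open for the role search, so
     anonymous read access to ou=groups can be withdrawn in the directory.
     {0} in roleSearch is still substituted with the authenticated user's DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.test:389"
       userPattern="uid={0},ou=people,dc=example,dc=test"
       roleBase="ou=groups,dc=example,dc=test"
       roleName="cn"
       roleSearch="(member={0})"
       roleSearchAsUser="true"/>
```

A quick check after switching is to remove the anonymous read ACL on the group subtree and confirm that a role-protected page still authorizes a valid user; if it stops working, the role search is still running unauthenticated.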