Bug 19444 - JNDI Authentication roles must be anonymous accessible
Product: Tomcat 4
Component: Catalina
Version: 4.1.24
Hardware: All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Duplicates: 22948
Reported: 2003-04-29 21:58 UTC by art_w
Modified: 2011-02-22 06:10 UTC

Modified JNDIRealm to use authenticated connection for roles. (47.27 KB, text/plain)
2003-04-29 22:00 UTC, art_w
Diff from version 4.1.24. (8.10 KB, patch)
2003-04-29 22:01 UTC, art_w

Description art_w 2003-04-29 21:58:13 UTC
It appears that for the JNDIRealm to be able to locate roles, they must be anonymous accessible. I believe that for security purposes this should not be necessary if we are validating the user by binding to the directory. In that case the roles could be accessible to any bound user or that particular user. I discussed this very briefly on the Tomcat user list. It sounds like this had been discussed previously and for whatever reason, the idea rejected. Anyhow I submit that there is a bug, either in the code, which requires the roles to be anonymous, or in the documentation, which does not make it clear that this is the case (at least in "Tomcat 4 Servlet/JSP Container - Realm Configuration HOW-TO"). It seems reasonable to me that if we are binding to the directory to authenticate, we would have that user's access to roles. Perhaps the documentation should more explicitly state that this is not the case.

In the hope that it would be accepted as an enhancement, I am going to attempt to attach a modified JNDIRealm that uses the authenticated connection to obtain the roles.

Thank You,
Comment 1 art_w 2003-04-29 22:00:28 UTC
Created attachment 6087 [details]
Modified JNDIRealm to use authenticated connection for roles.
Comment 2 art_w 2003-04-29 22:01:42 UTC
Created attachment 6088 [details]
Diff from version 4.1.24.
Comment 3 art_w 2003-04-29 22:11:54 UTC
I forgot to mention that using connectionName and connectionPassword is also not an option for us.

Comment 4 Mark Thomas 2004-04-14 21:33:06 UTC
Here is the relevant thread from tomcat-user


I am going to mark this as an enhancement request for now.
Comment 5 seth.leger 2008-03-20 07:01:25 UTC
*** Bug 22948 has been marked as a duplicate of this bug. ***
Comment 6 Mark Thomas 2011-02-22 06:10:26 UTC
The code has moved on somewhat since this enhancement request was made so the patch does not apply cleanly.

I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow role searches as the user being authenticated rather than using an anonymous user or using connectionName/connectionPassword.

The new option will be included in 7.0.9 onwards.
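As an added illustration (not an attachment from this bug, nor Tomcat's own documentation), the two Realm configurations the discussion contrasts: the original layout, in which role lookup needs either anonymous read access to the group entries or a shared service account in connectionName/connectionPassword, and the Tomcat 7.0.9+ layout using the roleSearchAsUser attribute that Comment 6 describes, where the group search runs on the connection already bound as the authenticating user. Hostnames, DNs and the credential value are placeholders.

```xml
<!-- Before: the user is verified by binding as uid={0}, but the role
     search is issued on a second connection. Without connectionName
     this is an anonymous search, so group entries must be world-readable;
     with connectionName a long-lived service-account password sits in
     server.xml and is shared by every lookup. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.com:636"
       connectionName="cn=tomcat-svc,ou=services,dc=example,dc=com"
       connectionPassword="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
       userPattern="uid={0},ou=people,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"/>

<!-- After (Tomcat 7.0.9 and later): no stored credentials and no
     anonymous access needed. The role search reuses the bind performed
     with the user's own credentials, so the directory ACL only has to let
     an authenticated user read the groups that reference them. {0} in
     roleSearch is the user's full DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.com:636"
       userPattern="uid={0},ou=people,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSearchAsUser="true"/>
```

With the second form a user whose bind succeeds but who cannot read the group entries is authenticated with no roles, so the directory ACL, not a shared account, decides what the realm can see.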