Bug 50713 - The "roles" command doesn't work
Summary: The "roles" command doesn't work
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Manager (show other bugs)
Version: trunk
Hardware: All All
: P2 minor (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2011-02-03 02:38 UTC by Eiji Takahashi
Modified: 2011-02-16 08:46 UTC (History)
0 users

patch for context.xml of the Manager application (523 bytes, application/octet-stream)
2011-02-03 02:38 UTC, Eiji Takahashi

Note You need to log in before you can comment on or make changes to this bug.
Description Eiji Takahashi 2011-02-03 02:38:46 UTC
Created attachment 26601 [details]
patch for context.xml of the Manager application

The Manager application has the "roles" command that list the security role names. But now this command doesn't work correctly.

The "roles" command returns following message:
 FAIL - Cannot resolve user database reference
And gets Exception:
SEVERE: Manager: java:comp/env/users
javax.naming.NamingException: Cannot create resource instance
        at org.apache.naming.factory.ResourceEnvFactory.getObjectInstance(ResourceEnvFactory.java:117)
        at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:826)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:145)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:814)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:145)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:814)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:159)
        at org.apache.naming.SelectorContext.lookup(SelectorContext.java:158)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at org.apache.catalina.manager.ManagerServlet.roles(ManagerServlet.java:1055)
        at org.apache.catalina.manager.ManagerServlet.doGet(ManagerServlet.java:366)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:306)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:589)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:382)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:288)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)

Tomcat 6.x contains same issue.

The workaround for this issue is to add <ResourceLink> to context.xml of the Manager application.
And I made the patch for this issue.

Comment 1 Mark Thomas 2011-02-10 14:06:38 UTC
The more I consider this issue, the more I am inclinded to remove the roles command from the manager in Tomcat 7. My reasoning is follows:
- The manager can be used with any realm
- Most realms do not expose a role list
- It is not practical to list all roles for some realms (e.g. JNDI)
- I don't see what the use case is for this feature
Comment 2 Konstantin Kolinko 2011-02-14 14:12:59 UTC
The "Cannot resolve user database reference" message and the necessity to create a <ResourceLink> are already documented, [1]

[1] http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#List_Available_Security_Roles

I see nothing to fix here. Though the doc can be improved a bit:

1) This is "Cannot resolve user database reference" message, though the solution for it is listed with the "No user database is available" message.

2) IIRC, there is no "<ResourceParams>" element in modern Tomcat versions.

Regardless of that, I agree with Mark that I do not see much reason in keeping this command around. Especially I miss a plausible use case. Maybe it was used for some demos?

Note, that besides this command being present inside manager webapp, there is also RolesTask ANT task.
Comment 3 Eiji Takahashi 2011-02-14 20:13:13 UTC
Thanks for comments.

I encountered this issue when I used the Tomcat maven plugin's "tomcat:roles" command that uses the "roles" command of the Manager app.
The "tomcat:roles" command can display the available security roles. But I can't think of a case where it's necessary.

And I have no objection to remove the "roles" command.

Best regards.
Comment 4 Mark Thomas 2011-02-16 08:46:28 UTC
The roles command has been removed from Tomcat 7 trunk. This will take affect from 7.0.9 onwards.