I would like to have Tomcat authenticate users against the groups in my LDAP to control access to my webapp (e.g. admins, simple users, developers, etc.).
At the moment I can log in to my webapp using LDAP if I don't use any kind of group.
Here is the relevant sample of my configuration:
web.xml:
<security-constraint>
    <display-name>Test</display-name>
    <web-resource-collection>
        <web-resource-name>Administrative Area</web-resource-name>
        <url-pattern>/admin.html</url-pattern>
        <url-pattern>/blabla.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>TOTOAdmins</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/users/*</url-pattern>
        <url-pattern>/login</url-pattern>
        <url-pattern>/error</url-pattern>
        <url-pattern>/welcome</url-pattern>
        <url-pattern>/home.do</url-pattern>
        <url-pattern>/out.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication</realm-name>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/error</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>TOTOAdmins</role-name>
</security-role>
<security-role>
    <role-name>*</role-name>
</security-role>
<welcome-file-list>
    <welcome-file>welcome</welcome-file>
</welcome-file-list>
You can see in this sample that I would like to give access to some pages to all users, but that only users who belong to TOTOAdmins should have access to blabla.jsp and admin.html.
At the moment everyone (regardless of their groups) has access to the pages defined in the , but no one can access blabla.jsp or admin.html.
server.xml:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
    <Context path="/portal_re" debug="0" reloadable="true" docBase="portal_re">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               debug="99"
               connectionURL="ldap://XX.X.XX.XXX:XXX"
               connectionName="cn=XXXXXX,ou=abc,dc=abcdef,dc=xyz"
               connectionPassword="XXXXXXX"
               userBase="ou=abc,dc=abcdef,dc=xyz"
               userSearch="(name={0})"
               userSubtree="true"
               userRoleName="memberOf"
               roleBase="ou=abc,dc=abcdef,dc=xyz"
               roleSearch="(uniqueMember={0})"
               roleSubtree="true"
               roleName="cn"
        />
    </Context>
</Host>
When I browse my LDAP, every user has a group in the "memberOf" attribute, and I defined roleBase/roleSearch/roleSubtree/roleName according to how groups are defined in the LDAP.
I log into my webapp with a user who has the following attribute in LDAP:
memberOf CN=TOTOAdmins,OU=ABC,DC=ABCDEF,DC=xyz
(He is actually a member of four different groups, but I don't know if that's relevant.)
I don't know if it will help, but on the homepage I have
<h1><%= request.getUserPrincipal() %></h1>
and when I log in as the user toto, it prints:
GenericPrincipal[toto(CN=Administrators,OU=ABC,DC=ABCDEF,DC=xyz,CN=TOTOAdmins,OU=ABC,DC=ABCDEF,DC=xyz,CN=Readers,CN=ABC,DC=ABCDEF,DC=xyz,CN=Users,CN=Roles,DC=ABCDEF,DC=xyz,)
Well, you're kind of my last chance.
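As an added diagnostic (this is not from the question, nor Tomcat's own code), the script below parses the GenericPrincipal output printed above and compares the roles the realm actually attached to the principal with the role-names each web.xml auth-constraint demands. The web.xml and principal strings are constructed from the question; the DN-splitting heuristic (a new role starts at the first non-DC component after a run of DC= components) is an assumption that fits the groups shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's web.xml (only the parts needed).
WEB_XML = """<web-app>
  <security-constraint><display-name>Test</display-name>
    <auth-constraint><role-name>TOTOAdmins</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><display-name>Protected Area</display-name>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The principal string printed by the JSP in the question (roles are full group DNs).
PRINCIPAL = ("GenericPrincipal[toto(CN=Administrators,OU=ABC,DC=ABCDEF,DC=xyz,"
             "CN=TOTOAdmins,OU=ABC,DC=ABCDEF,DC=xyz,CN=Readers,CN=ABC,DC=ABCDEF,"
             "DC=xyz,CN=Users,CN=Roles,DC=ABCDEF,DC=xyz,)")


def principal_roles(text):
    """Split the role list out of GenericPrincipal.toString() output.
    Roles are comma-joined, but each role here is itself a DN containing commas,
    so (assumption) a new DN starts at the first non-DC part after DC= parts."""
    inner = text[text.index("(") + 1:text.rindex(")")]
    roles, current = [], []
    for part in filter(None, inner.split(",")):
        if (current and current[-1].upper().startswith("DC=")
                and not part.upper().startswith("DC=")):
            roles.append(",".join(current))
            current = []
        current.append(part)
    if current:
        roles.append(",".join(current))
    return roles


def rdn_value(dn):
    """Leading RDN value, i.e. what roleName="cn" extracts from a group entry."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def check_constraints(web_xml, principal):
    """For each security-constraint: is it satisfied by the principal's roles,
    and which required names only match the cn of a full-DN role (the mismatch
    that makes an exact role-name check in web.xml fail)."""
    roles = principal_roles(principal)
    cns = {rdn_value(r) for r in roles}
    result = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        wanted = [r.text.strip() for r in sc.iter("role-name")]
        result[sc.findtext("display-name")] = {
            # '*' admits any authenticated user; otherwise an exact name match is needed.
            "satisfied": "*" in wanted or any(w in roles for w in wanted),
            "cn_only": [w for w in wanted if w not in roles and w in cns],
        }
    return result
```

Running `check_constraints(WEB_XML, PRINCIPAL)` reports that "Test" is unsatisfied because the principal carries "CN=TOTOAdmins,OU=ABC,DC=ABCDEF,DC=xyz" rather than the bare "TOTOAdmins" the constraint names.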
Try changing the attribute roleSearch to
or