Question
these are the contents of my web.xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0" metadata-complete="true">
        <servlet>
            <security-role-ref>
                <role-name>MY_GROUP_NAME</role-name>
                <role-link>REGISTERED_USER</role-link>
            </security-role-ref>
        </servlet>
        <servlet>
            <servlet-name>action</servlet-name>
            <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
            <init-param>
                <param-name>config</param-name>
                <param-value>/WEB-INF/struts-config.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <resource-ref>
            <description>My datasource</description>
            <res-ref-name>jdbc/XXXXXXXX</res-ref-name>
            <res-type>javax.sql.DataSource</res-type>
            <res-auth>Container</res-auth>
        </resource-ref>
        <security-constraint>
            <display-name>Example Security Constraint</display-name>
            <web-resource-collection>
                <web-resource-name>Protected Area</web-resource-name>
                <!-- Define the context-relative URL(s) to be protected -->
                <url-pattern>/protected/*</url-pattern>
                <!-- If you list http methods, only those methods are protected -->
                <http-method>DELETE</http-method>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint>
                <!-- Anyone with one of the listed roles may access this area -->
                <role-name>tomcat</role-name>
                <role-name>role1</role-name>
                <role-name>REGISTERED_USER</role-name>
            </auth-constraint>
        </security-constraint>
        <!-- Default login configuration uses form-based authentication -->
        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>Example Form-Based Authentication Area</realm-name>
            <form-login-config>
                <form-login-page>/protected/login.jsp</form-login-page>
                <form-error-page>/protected/error.jsp</form-error-page>
            </form-login-config>
        </login-config>
        <!-- Security roles referenced by this web application -->
        <security-role>
            <role-name>role1</role-name>
        </security-role>
        <security-role>
            <role-name>tomcat</role-name>
        </security-role>
        <security-role>
            <role-name>REGISTERED_USER</role-name>
        </security-role>
    </web-app>
When I log in with a valid user who is in the group MY_GROUP_NAME in LDAP, request.getRemoteUser() and request.getUserPrincipal() work OK. Testing the user against MY_GROUP_NAME
    String role = request.getParameter("role");
    request.isUserInRole(role);
works fine.
The problem is that testing the user against the role REGISTERED_USER does not work. Does anyone see something that I am missing here?
SOME ADDITIONAL INFO
I use Apache Tomcat v7.0.22
LDAP is OpenDJ 2.4.5
Windows 7 OS
Answer 1:
I have no experience with OpenDJ, but according to https://wikis.forgerock.org/confluence/display/OPENDJ/Configure+Apache+Tomcat+with+OpenDJ+as+an+Identity+Store there is no "map" between Tomcat roles and LDAP roles, as the mapping is one-to-one and the names should be the same. That is, the LDAP groups you are going to use should be defined as Tomcat roles, and you should use their names in the security-role section of your web descriptor (web.xml).
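The role lookup behind request.isUserInRole() is easy to get backwards, so here is an added example (not code from the question, the answer, or the Tomcat project) that models it over the asker's descriptor. Per the Servlet specification, a <security-role-ref> maps role-name (the string the servlet code passes to isUserInRole()) to role-link (a declared <security-role>), and the mapping only applies to the <servlet> element it sits in. The fall-through rule modelled here, that a name with no alias is checked against the realm unchanged, is Tomcat's behaviour and is an assumption about the asker's container. The "fixed" descriptor is a constructed variant of mine that puts the alias inside the `action` servlet and points it at the LDAP group name, which is the one-to-one naming the answer describes; the cut-down copy of the asker's web.xml keeps only the elements that matter for the lookup.

```python
"""Model how a servlet container resolves HttpServletRequest.isUserInRole().

Parses a web.xml, builds each servlet's <security-role-ref> alias map and
applies the Servlet-spec lookup: role-name is what the code asks for,
role-link is the declared <security-role> it stands for. A name without an
alias goes to the realm unchanged (Tomcat's behaviour, assumed here).
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed cut-down copy of the asker's descriptor: the role-ref sits in a
# <servlet> with no <servlet-name>, so it is attached to no servlet at all.
ASKER_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <security-role-ref>
      <role-name>MY_GROUP_NAME</role-name>
      <role-link>REGISTERED_USER</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <security-role><role-name>REGISTERED_USER</role-name></security-role>
</web-app>
"""

# Constructed corrected variant: alias REGISTERED_USER (what the code asks for)
# to MY_GROUP_NAME (what the LDAP realm grants), inside the servlet that asks.
FIXED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <security-role-ref>
      <role-name>REGISTERED_USER</role-name>
      <role-link>MY_GROUP_NAME</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>MY_GROUP_NAME</role-name></security-role>
</web-app>
"""


def parse_descriptor(xml_text):
    """Return (declared_roles, {servlet_name: {role_name: role_link}}, problems)."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    servlets, problems = {}, []
    for servlet in root.findall("j:servlet", NS):
        name = servlet.findtext("j:servlet-name", namespaces=NS)
        name = name.strip() if name else None
        aliases = {}
        for ref in servlet.findall("j:security-role-ref", NS):
            code_name = ref.findtext("j:role-name", namespaces=NS).strip()
            # A missing <role-link> means the role-name is used as-is.
            link = (ref.findtext("j:role-link", namespaces=NS) or code_name).strip()
            aliases[code_name] = link
            if name is None:
                problems.append(f"security-role-ref {code_name!r} is in a <servlet> "
                                "without <servlet-name>; it is attached to no servlet")
            if link not in declared:
                problems.append(f"role-link {link!r} is not declared as a <security-role>")
        if name is not None:
            servlets[name] = aliases
    return declared, servlets, problems


def is_user_in_role(servlets, servlet_name, role, realm_roles):
    """Container lookup: alias via this servlet's role-refs, then ask the realm."""
    real_role = servlets.get(servlet_name, {}).get(role, role)
    return real_role in realm_roles


def check(xml_text, servlet_name, realm_roles, asked):
    """Evaluate isUserInRole() for each asked name; returns {name: bool}."""
    _, servlets, _ = parse_descriptor(xml_text)
    return {r: is_user_in_role(servlets, servlet_name, r, realm_roles) for r in asked}


if __name__ == "__main__":
    ldap_roles = {"MY_GROUP_NAME"}  # constructed: what the LDAP realm grants the user
    asked = ["MY_GROUP_NAME", "REGISTERED_USER"]
    for label, xml_text in (("asker", ASKER_WEB_XML), ("fixed", FIXED_WEB_XML)):
        _, _, problems = parse_descriptor(xml_text)
        print(label, check(xml_text, "action", ldap_roles, asked), problems)
```

Run against the asker's descriptor, the `action` servlet has an empty alias map, so MY_GROUP_NAME passes only because the realm grants it directly and REGISTERED_USER fails, exactly the symptom in the question; the checker also flags the orphaned role-ref. With the corrected variant both names pass. The same parse_descriptor() report is a useful pre-deployment check: every role-link should resolve to a declared <security-role>, and no <security-role-ref> should live in a servlet element the container cannot attach it to.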
Source: https://stackoverflow.com/questions/10981375/security-role-ref-not-working-properly