If I define the security-constraint like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>LoginProxy</web-resource-name>
        <url-pattern>/jaas/login</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

When Tomcat starts, this context will not add any role into the Context object. (Please check the ContextConfig.validateSecurityRoles() method.) So the StandardContext's securityRoles[] is an empty array.

In the RealmBase.hasResourcePermission() method, it will get these roles to compare with the ones in the web.xml file:

    if (constraint.getAllRoles()) {
        // * means all roles defined in web.xml
        roles = request.getContext().findSecurityRoles();
    } else {
        roles = constraint.findAuthRoles();
    }

Here, if constraint.getAllRoles() returns true, it does not return directly, but gets the securityRoles[] from the context (an empty array), so it will not allow access to this path resource.
This behaviour is as required by the spec.

* == all roles defined in web.xml
* != all roles defined in realm
* != all authenticated users
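As an added illustration (not code from the thread or from Tomcat), a small Python check that applies the rule stated above, together with the detail from ContextConfig.validateSecurityRoles() that explicit auth-constraint role names are added to the Context while `*` itself is not: it reads a web.xml and reports url-patterns guarded by `*` that no authenticated user can reach. The two web.xml strings are constructed samples; Python 3.8+ is assumed for the `{*}` namespace wildcard.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the report, with no <security-role> declared.
WEB_XML_NO_ROLES = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginProxy</web-resource-name>
      <url-pattern>/jaas/login</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: same constraint, plus the roles the application actually uses.
WEB_XML_WITH_ROLES = WEB_XML_NO_ROLES.replace(
    "</web-app>",
    "  <security-role><role-name>admin</role-name></security-role>\n"
    "  <security-role><role-name>user</role-name></security-role>\n</web-app>")


def _text(elems):
    return [e.text.strip() for e in elems if e.text]


def context_security_roles(root):
    """Roles the Context ends up with: every <security-role>, plus any explicit
    role-name used in an <auth-constraint> (validateSecurityRoles adds those,
    with a warning). '*' itself is never added, so it can expand to nothing."""
    roles = set(_text(root.iterfind("{*}security-role/{*}role-name")))
    used = _text(root.iterfind("{*}security-constraint/{*}auth-constraint/{*}role-name"))
    return roles | {r for r in used if r != "*"}


def effective_roles(web_xml):
    """Map each url-pattern to (roles the container will accept, whether '*' was used),
    applying the spec rule '* == all roles defined in web.xml'."""
    root = ET.fromstring(web_xml)
    declared = context_security_roles(root)
    result = {}
    for sc in root.iterfind("{*}security-constraint"):
        names = _text(sc.iterfind("{*}auth-constraint/{*}role-name"))
        accepted = set()
        for name in names:
            accepted |= declared if name == "*" else {name}
        for pattern in _text(sc.iterfind("{*}web-resource-collection/{*}url-pattern")):
            result[pattern] = (accepted, "*" in names)
    return result


def lockouts(web_xml):
    """url-patterns guarded by '*' that no authenticated user can reach,
    because the Context's role list is empty (the situation in the report)."""
    return sorted(p for p, (accepted, star) in effective_roles(web_xml).items()
                  if star and not accepted)
```

A deliberately empty <auth-constraint/> (no role-name at all) is not reported, since denying everyone there is intentional under the spec.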
Hi Mark, I had the very same configuration as Torr nicely working before. Would it be possible to provide an example that illustrates how I can let all (client-cert) login attempts through (and only decide afterwards in my application logic whether I want them to succeed or not) and still be compliant with the specs? Thanks, Ralf

See also bug 37852, bug 37044, and bug 34643.
I can give you some pointers, but my time to write some actual code is non-existent. This is a question for the users list. In fact it came up again yesterday. (http://marc.theaimsgroup.com/?l=tomcat-user&m=115503660912530&w=2)
This can easily be solved by adding the following custom realm to your server.xml:

    import java.io.IOException;

    import org.apache.catalina.Context;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.deploy.SecurityConstraint;
    import org.apache.catalina.realm.JAASRealm;

    public class ClientCertInAppRealm extends JAASRealm {
        // Returns true for every constraint, so any authenticated user is granted access
        // to every constrained resource handled by this realm; authorization is left
        // entirely to the application.
        @Override
        public boolean hasResourcePermission(Request request, Response response,
                SecurityConstraint[] constraints, Context context) throws IOException {
            return true;
        }
    }