https://issues.apache.org/bugzilla/show_bug.cgi?id=48629

--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> 2010-01-30 15:58:10 UTC ---
I do not think that this patch is good.

See, groupDN is a full distinguished name of a role, while in your case {1} was
just a name. Does it work for your configuration?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm

For reference, previous discussion:
http://markmail.org/message/cv3i6set7yte57yr


In any case,
1) If your configuration works when you do
roleSearch="(member={1})" when {1} is a DN of a group,
 then I think we had better provide a separate attribute to specify the search
filter for the nested roles.


E.g.,
roleSearch="(member={1})" roleNestedSearch="(member={0})"
where {0} in the second case is a group DN, as it is now.


We can default roleNestedSearch to be the same as roleSearch when
roleNested="true", and default roleNested="true" when roleNestedSearch is
explicitly specified.


2) If you need an unqualified role name,
it can be obtained, but the patch will be more complicated.

In the code we have
  Set<String> newGroupDNs = new HashSet<String>(groupMap.keySet());
  ..
  for (String groupDN : newGroupDNs) {
  ..
  groupMap.put(dname, name);

We should replace Set<String> newGroupDNs with
  Map<String,String> newGroups = new HashMap<String,String>(groupMap);

Perform iteration over the entrySet of the map:
  for (Map.Entry<String,String> newGroup : newGroups.entrySet()) {

Then, newGroup.getKey() will give us the groupDN and newGroup.getValue() will
give us the group name.



3) It would be nice to update realm-howto.html with documentation on using
roleNested="true". It is not documented yet. Can you propose a patch for
/webapps/docs/realm-howto.xml, or at least describe your configuration so that
it can be provided as an example there?

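The entrySet iteration proposed in point 2 of the comment above, sketched as an added example that is not Tomcat's code and not part of the original message: each nested lookup can then fill both {0} (group DN) and {1} (group name) in the filter. The Group record, search(), expand() and the sample directory are hypothetical, and an in-memory matcher stands in for the LDAP search.

```java
import java.text.MessageFormat;
import java.util.*;

public class NestedRoleSearchDemo {
    // Constructed sample entry (hypothetical): a group's DN, its name and its member values.
    record Group(String dn, String name, Set<String> members) {}

    // Stand-in for the LDAP search: groups whose member attribute equals the filter value.
    static List<Group> search(List<Group> directory, String filter) {
        String value = filter.substring("(member=".length(), filter.length() - 1);
        List<Group> hits = new ArrayList<>();
        for (Group g : directory) if (g.members().contains(value)) hits.add(g);
        return hits;
    }

    // Expands the directly assigned groups (DN -> name) with every group that nests them.
    static Map<String, String> expand(Map<String, String> direct, String nestedSearch,
                                      List<Group> directory) {
        MessageFormat format = new MessageFormat(nestedSearch);
        Map<String, String> groupMap = new HashMap<>(direct);
        Map<String, String> newGroups = new HashMap<>(groupMap);
        while (!newGroups.isEmpty()) {
            Map<String, String> found = new HashMap<>();
            for (Map.Entry<String, String> newGroup : newGroups.entrySet()) {
                // {0} = group DN (map key), {1} = group name (map value)
                String filter = format.format(
                        new String[] { newGroup.getKey(), newGroup.getValue() });
                for (Group parent : search(directory, filter)) {
                    // Queue only groups not seen before, so membership cycles terminate.
                    if (!groupMap.containsKey(parent.dn())) {
                        groupMap.put(parent.dn(), parent.name());
                        found.put(parent.dn(), parent.name());
                    }
                }
            }
            newGroups = found;
        }
        return groupMap;
    }

    public static void main(String[] args) {
        String base = ",ou=groups,dc=example,dc=com";
        List<Group> directory = List.of( // constructed data; devs and staff nest each other
            new Group("cn=devs" + base, "devs", Set.of("cn=staff" + base)),
            new Group("cn=staff" + base, "staff", Set.of("cn=devs" + base)), // nests by DN
            new Group("cn=legacy" + base, "legacy", Set.of("devs")));        // nests by name
        Map<String, String> direct = Map.of("cn=devs" + base, "devs");
        System.out.println(new TreeSet<>(expand(direct, "(member={0})", directory).values()));
        System.out.println(new TreeSet<>(expand(direct, "(member={1})", directory).values()));
    }
}
```

The two filters reach different parent groups from the same starting role, which is why the choice between {0} and {1} for the nested search changes the effective role set.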