Declarative security role name containing asterisk fails to work

Question

I'm having a problem with my declarative security entries in web.xml.

The entries below are not allowing me to access the page, even though I am a member of the group *ADL - Education Group. I end up being directed to the login-noauth page.

I know this should work -- if I change it to a different group (like AT - Tech Support), it works great. I am suspicious of the leading "*" in the group name and have tried using CDATA in the web.xml, but that didn't work. I have no control over the Active Directory entries, so I can't change the name of the group. Other group names with dashes and spaces work fine.

I have verified that I am a member of the group *ADL - Education Group.

This is on a simple tomcat 6.0 server.

Does anyone know what the problem is and how to fix it?

<error-page>
    <error-code>403</error-code>
    <location>/pages/login/login-noauth.jsf</location>
</error-page>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/pages/login/login.jsf</form-login-page>
        <form-error-page>/pages/login/login-fail.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <display-name>Batch Security</display-name>
    <web-resource-collection>
        <web-resource-name>Batch Security</web-resource-name>
        <url-pattern>/pages/batch/batch-status.jsf</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*ADL - Education Group</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>Everyone</description>
    <role-name>*ADL - Education Group</role-name>
</security-role>

Seems a Tomcat specific issue. Try escaping it with \ like so `\*ADL - Education Group`. — BalusC, May 29 '12 at 16:34
I also tried * as a replacement for "*". Still doesn't work. — Jeremy Goodell, May 29 '12 at 17:14
Further research indicates that using * in the auth-constraint matches all defined security-role entries in web.xml. However, even using this notation, I can't get the AD group containing "*" to be recognizable as a security role ... — Jeremy Goodell, May 29 '12 at 17:50

score 0 · Accepted Answer · answered May 29 '12 at 19:43

My problem was in the server.xml file in the Realm definition. It turns out that all of the AD groups that start with "*" are defined differently in AD than other groups. In particular, they have a different distinguishedName, specifying a different roleBase. So, once I changed my roleBase attribute in the Realm element of server.xml, it worked great as is, no backslashes or character translations required.

My edit to roleBase was simply to specify the only parts of the distinguished name that were common to both types of groups.

In the one case, the distinguished name is:

CN=*ADL - Education Group,OU=ADLS,OU=IdM,DC=ROOT,DC=com

and in the other case, the distinguished name is:

CN=AT - Tech Support,OU=Distribution Groups,OU=AG1-Place-Company,OU=Americas,OU=Exchange,DC=ROOT,DC=com

So, what works as the roleBase in the server.xml file is:

roleBase="DC=ROOT,DC=com"

Declarative security role name containing asterisk fails to work

1 Answers1