
In tomcat-users.xml the user and roles are defined as:

<user username="admin" password="admin" roles="user,admin,APP_ADMIN"/>
<role rolename="user"/>
<role rolename="APP_ADMIN"/>
<role rolename="admin"/>

and application security is defined as:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Dynamic pages</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access.</description>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description></description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But when I log in as admin to the application, it always gives me HTTP 403 not authorized.
I checked the roles with a JSP scriptlet:

out.write(request.getUserPrincipal().toString());

And it prints:

User username="admin", roles="user,admin,APP_ADMIN"

But when I check isUserInRole:

out.write(request.isUserInRole("APP_ADMIN") ? "Yep" : "nope");

I get:

nope

Tomcat version is 7.0.55.

JIV

2 Answers


1: You might have to define the roles in the web.xml. See this SO question: Why do I list security roles in web.xml when they're in jdbcRealm database?

2: The wildcard '*' in the role-name could be causing trouble. Maybe give it a try with role-name 'user' and see if it works.

For a wildcard as a role name you have to enable allRolesMode:

This attribute controls how the special role name * is handled when processing authorization constraints in web.xml. By default, the specification compliant value of strict is used which means that the user must be assigned one of the roles defined in web.xml. The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles and strictAuthOnly which means that the user must be authenticated and no check will be made for assigned roles unless roles are defined in web.xml in which case the user must be assigned at least one of those roles.

See the Tomcat docs for more: https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

jHilscher
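To make the two points of this answer concrete (roles must be declared in web.xml, and the wildcard '*' is resolved according to the Realm's allRolesMode), here is an added Python model of that decision; it is not code from the question, from either answer, or from Tomcat itself. It parses a tomcat-users.xml and a web.xml constructed to mirror the question (the web.xml namespace is left out so the ElementTree lookups stay short), reports roles used in an auth-constraint that were never declared in a security-role, and applies the strict / authOnly / strictAuthOnly rules exactly as the Tomcat docs paragraph above describes them. All function names are this example's own.

```python
"""Added example: a model of how Tomcat 7 resolves an <auth-constraint> for an
authenticated user under each allRolesMode value, plus a lint for roles used in
web.xml but not declared in <security-role>.  Not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml with the same content as the question.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="user"/>
  <role rolename="APP_ADMIN"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="user,admin,APP_ADMIN"/>
</tomcat-users>"""

# Constructed web.xml: the question's constraint with '*' and no <security-role>.
WEB_XML_NO_ROLES = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Dynamic pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# The same web.xml with the roles declared, as point 1 of the answer suggests.
WEB_XML_WITH_ROLES = WEB_XML_NO_ROLES.replace(
    "</web-app>",
    "  <security-role><role-name>user</role-name></security-role>\n"
    "  <security-role><role-name>admin</role-name></security-role>\n"
    "  <security-role><role-name>APP_ADMIN</role-name></security-role>\n"
    "</web-app>",
)


def user_roles(tomcat_users_xml, username):
    """Roles granted to a user in tomcat-users.xml, or None if the user is unknown."""
    root = ET.fromstring(tomcat_users_xml)
    for user in root.findall("user"):
        if user.get("username") == username:
            return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    return None


def declared_roles(web_xml):
    """Role names declared in <security-role> elements of web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall("security-role/role-name")}


def constraint_roles(web_xml):
    """Role names required by each <auth-constraint>, in document order."""
    root = ET.fromstring(web_xml)
    return [[r.text.strip() for r in c.findall("role-name")]
            for c in root.iter("auth-constraint")]


def undeclared_roles(web_xml):
    """Roles named in an <auth-constraint> but never declared in <security-role>.
    '*' is excluded because it is a wildcard, not a role."""
    used = {r for roles in constraint_roles(web_xml) for r in roles if r != "*"}
    return sorted(used - declared_roles(web_xml))


def authorized(roles, constraint, declared, all_roles_mode="strict"):
    """Whether an authenticated user holding `roles` satisfies one auth-constraint.

    Explicit role names require membership in that role.  The wildcard '*'
    follows the Realm's allRolesMode, as quoted from the Tomcat docs:
      strict         - user must hold one of the roles declared in <security-role>
      authOnly       - any authenticated user passes, no role check at all
      strictAuthOnly - any authenticated user passes unless <security-role>
                       entries exist, in which case one of them is required
    """
    if roles is None:  # unknown user: treated as not authorized in this model
        return False
    if any(r in roles for r in constraint if r != "*"):
        return True
    if "*" not in constraint:
        return False
    if all_roles_mode == "authOnly":
        return True
    if all_roles_mode == "strictAuthOnly" and not declared:
        return True
    return bool(roles & declared)  # strict, or strictAuthOnly with declared roles


def check_access(web_xml, tomcat_users_xml, username, all_roles_mode="strict"):
    """True if the user passes every <auth-constraint> in web.xml."""
    roles = user_roles(tomcat_users_xml, username)
    declared = declared_roles(web_xml)
    return all(authorized(roles, c, declared, all_roles_mode)
               for c in constraint_roles(web_xml))


if __name__ == "__main__":
    for label, xml in (("no security-role", WEB_XML_NO_ROLES),
                       ("with security-role", WEB_XML_WITH_ROLES)):
        for mode in ("strict", "authOnly", "strictAuthOnly"):
            ok = check_access(xml, TOMCAT_USERS_XML, "admin", mode)
            print(f"{label:20} allRolesMode={mode:15} admin -> {'200' if ok else '403'}")
```

Run as-is it prints a small 200/403 matrix. With the question's configuration (no security-role elements, default allRolesMode of strict) the model denies admin, which matches the 403 in the question; adding the three security-role declarations, or setting allRolesMode to authOnly or strictAuthOnly on the Realm, lets the same user through. The model only covers the authorization decision described in the docs quote; it says nothing about isUserInRole or the LockOutRealm change in the other answer.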

Finally I found the problem; I just had to replace these lines in server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

with these:

<Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
</Realm>

Now I don't know why UserDatabaseRealm doesn't work without the LockOutRealm wrapper; strange, but it's working now...

JIV