Friday, May 29, 2015

Tomcat user has principal role but request.isUserInRole() says otherwise

In tomcat-users.xml is defined user and roles:

<user username="admin" password="admin" roles="user,admin,APP_ADMIN"/>

and application security is defined as:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Dynamic pages</web-resource-name>
                <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <description>These are the roles who have access.</description>
                <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
                <description></description>
                <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
</security-constraint>

But when I log in as admin to the application, it always gives me HTTP 403 Not Authorized.
I checked the roles with a JSP scriptlet:

out.write(request.getUserPrincipal().toString()); 

And it prints:

User username="admin", roles="user,admin,APP_ADMIN"

But when I check isUserInRole:

out.write(request.isUserInRole("APP_ADMIN") ? "Yep" : "nope");

I get:

nope

Tomcat version is 7.0.55
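One thing worth checking against the fragment above, shown as an added example that is not part of the original question: the Servlet specification reads `*` in an auth-constraint as "every role declared in the deployment descriptor" and expects each role name the application uses with isUserInRole to be declared with a security-role element, and the fragment declares none. Whether that is the cause of the 403 here is an assumption; the login-config values below are constructed.

```xml
<!-- web.xml fragment (constructed example, not the asker's configuration) -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Dynamic pages</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- "*" expands to the roles listed in <security-role> below;
             with none declared there is nothing for it to match -->
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Without a login-config no authentication runs and no principal is set;
     the realm name is a constructed value -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
</login-config>

<!-- Declare every role the application checks, spelled exactly as in
     tomcat-users.xml (role names are case-sensitive) -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>APP_ADMIN</role-name></security-role>
```

With the roles declared, the same `request.isUserInRole("APP_ADMIN")` scriptlet is the quickest way to confirm whether the 403 was an authorization or a declaration problem.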
