In the Tomcat 7 <em>tomcat-users.xml</em> file, what purpose is served by the
<role /> tags?
For an XAMPP instance of Tomcat 7, I've figured out how to configure my <em>tomcat-users.xml</em> file to permit me to access both <strong>Tomcat Web Application Manager</strong> and <strong>Tomcat Virtual Host Manager</strong>. More specifically, the following enables the aforementioned access:
<tomcat-users> <user username="uname" password="pword" roles="manager-gui,admin-gui"/> </tomcat-users>
Note that what's NOT in this successful snippet of XML are any
<role /> tags. That's the crux of my question: I can't for the life of me figure out what purpose <em>role</em> tags are meant to serve.
In pursuit of learning how to configure access, I've read plenty of documentation and forum postings, but they all seem to go in a circle: One can define <em>roles</em>, but then <em>roles</em> don't really seem to themselves define anything useful(?)
For example, here's the recurring illustration used in both the <em>tomcat-users.xml</em> file and in numerous forum posts "explaining" the use of roles.
<tomcat-users> <role rolename="tomcat"/> <user username="uname" password="pword" roles="tomcat"/> </tomcat-users>
Okay, so in this "explanation" a <em>role</em> element defines a <em>rolename</em> attribute equal to <em>tomcat</em>, then the <em>user</em> element contains a <em>roles</em> attribute that defines the user's role as <em>tomcat</em>. What's the point?
Asked another way, given that in <em>role</em> element the <em>rolename</em> attrbute defines <em>tomcat</em>, <em>roles=tomcat</em> does what, exactly? Especially compared to my working user definition of <em></em> where <em>manager-gui</em> and <em>admin-gui</em> define roles that enable <strong>Tomcat Web Application Manager</strong> AND <strong>Tomcat Virtual Host Manager</strong> access.
Cheers & thanks,<br /> Riley<br /> SFOAnswer1:
The use of the
<role .../> element in
tomcat-users.xml is optional. Tomcat builds the list of roles from the
<role .../> elements and from the roles named in the
roles="..." attribute of the users.
The benefit of using the
<role .../> element is that you can declare the complete set of supported roles and you can include description attribute describing the role.
As an aside,
tomcat-users.xml also supports groups although they are not shown in the example that ships by default with Tomcat. Groups are sets of roles that can then be assigned to users.
From what I understand you (can) define roles:<ul><li>
because it gives you more flexibility, for example add a description an for instance. A GUI can use this information.
<role rolename="customer" description="Customer of Java WebService"/></li> <li>
you can remap or group the roles later in a specific servlet
<security-role-ref> <role-name>cust</role-name> <role-link>bankCustomer</role-link> </security-role-ref></li> </ul>
Please keep in mind that I am not a Tomcat expert so I hope that a true expert can refine this answer.Answer3:
Asked another way, given that in role element the rolename attrbute defines tomcat, roles=tomcat does what, exactly? Especially compared to my working user definition of where manager-gui and admin-gui define roles that enable Tomcat Web Application Manager AND Tomcat Virtual Host Manager access.</blockquote>
Role/security constraints are defined in applications descriptor <em>web.xml</em>.
For Example, <em>manager-gui</em> is defined in tomcat <em>manager</em> application:
<security-constraint> <web-resource-collection> <web-resource-name>HTML Manager interface (for humans)</web-resource-name> <url-pattern>/html/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager-gui</role-name> </auth-constraint> </security-constraint> <security-role> <description> The role that is required to access the HTML Manager pages </description> <role-name>manager-gui</role-name> </security-role>