> I tried Adrian's config but it seemed to be pretty much the same as mine
> (it looks like it came from the same source mainly) but there was one
> significant difference, the Tomcat version. - I had been using Tomcat
> 5.5.23, I reinstalled with 5.5.12 and it all seems to work now.
Ah, think I know what the problem is here - it's one I came across
myself a while ago when I upgraded the version of tomcat I was using on
my IdP servers.
When tomcat reached 5.5.15, they fixed a "bug". In the Shib webapp's
web.xml, where you set up the authentication constraints like so:
=====
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
=====
... in pre-5.5.15 this means that any value at all of role-name is
allowed to authenticate. In 5.5.15 and later, it means that any value
specified below in the <security-role> section is allowed. Basically it
changed from a default allow to a default deny.
The easiest way to sort this if you want to use the latest and greatest
tomcat 5.5 is this:
* Add userRoleName="objectclass" to the Realm you set up in the
server.xml. This passes across the user's objectClass as their role.
* Next add the following to the bottom of the web.xml file (before the
closing </web-app> tag):
=====
<!-- Security roles referenced by this web application -->
<security-role>
<description>All Users</description>
<role-name>person</role-name>
</security-role>
=====
This means that anyone who tries to log in who has the objectClass of
"person" in your directory is allowed to log in. Which should be every
normal account.
Hey presto.
This info is on the internet2 Shib wiki somewhere, I remember adding it
ages ago. Can't remember where though!
Hope that helps,
R.
--
----------------------------------------------------------------------
Rhys Smith e: [log in to unmask]
Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------
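The behaviour change described in the post above is easy to miss because the web.xml still parses and Tomcat logs nothing useful; every login just fails. The script below is an added example (not Rhys's code, and not part of Shibboleth or Tomcat) that reads a web.xml and reports what each <auth-constraint> actually admits on a given Tomcat 5.5.x version. The two web.xml samples are constructed for the example, the version comparison only looks at the numeric components of a 5.5.x string, and the script assumes that on 5.5.15+ a "*" alongside explicitly named roles admits the union of both.

```python
"""Check a web.xml for the Tomcat 5.5.15 '*' role-name change.

Under the pre-5.5.15 behaviour '*' in <auth-constraint> admits any
authenticated user; from 5.5.15 on it admits only users holding a role
declared in <security-role>, so a web.xml with '*' and no <security-role>
silently becomes default-deny.  (Added example, not project code.)
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the Shib IdP constraint from the post, with the
# <security-role> the post tells you to add deliberately left out.
WEB_XML_BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <url-pattern>/SSO</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same file with the fix from the post applied
# (realm configured with userRoleName="objectclass", so "person" is a role).
WEB_XML_FIXED = WEB_XML_BROKEN.replace(
    "</web-app>",
    "  <security-role>\n    <description>All Users</description>\n"
    "    <role-name>person</role-name>\n  </security-role>\n</web-app>",
)


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}tag -> tag) so namespaced (2.4) and
    DTD-style (2.3) web.xml files are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root: ET.Element, name: str) -> List[ET.Element]:
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_role_names(elem: ET.Element) -> List[str]:
    return [(c.text or "").strip() for c in elem if _local(c.tag) == "role-name"]


def strict_wildcard(tomcat_version: str) -> bool:
    """True when this Tomcat treats '*' as 'any DECLARED role' (>= 5.5.15).
    Assumes a plain dotted numeric version string such as '5.5.23'."""
    parts = tuple(int(p) for p in tomcat_version.split("."))
    return parts >= (5, 5, 15)


def declared_roles(web_xml: str) -> List[str]:
    """Role names declared in <security-role> blocks, in document order."""
    root = ET.fromstring(web_xml)
    return [r for sr in _find_all(root, "security-role") for r in _child_role_names(sr)]


def constraint_roles(web_xml: str) -> List[List[str]]:
    """Role names listed in each <auth-constraint>, in document order."""
    root = ET.fromstring(web_xml)
    return [_child_role_names(ac) for ac in _find_all(root, "auth-constraint")]


def effective_roles(web_xml: str, tomcat_version: str) -> List[List[str]]:
    """What each <auth-constraint> actually admits on the given Tomcat.

    ['*'] means any authenticated user (pre-5.5.15 wildcard); otherwise the
    concrete role names admitted.  An empty list means nobody can log in.
    """
    declared = set(declared_roles(web_xml))
    result = []
    for roles in constraint_roles(web_xml):
        if "*" in roles and not strict_wildcard(tomcat_version):
            result.append(["*"])
        elif "*" in roles:
            # Assumption of this script: '*' expands to the declared roles,
            # unioned with any role named explicitly next to it.
            result.append(sorted(declared | (set(roles) - {"*"})))
        else:
            result.append(sorted(set(roles)))
    return result


def lint(web_xml: str, tomcat_version: str) -> List[str]:
    """Findings for a human to act on; an empty list means no problem found."""
    findings = []
    for i, roles in enumerate(effective_roles(web_xml, tomcat_version)):
        if not roles:
            findings.append(
                f"auth-constraint #{i}: '*' with no <security-role> declared; "
                f"Tomcat {tomcat_version} will deny every login")
    return findings


if __name__ == "__main__":
    for label, doc in (("broken", WEB_XML_BROKEN), ("fixed", WEB_XML_FIXED)):
        for ver in ("5.5.12", "5.5.23"):
            print(label, ver, effective_roles(doc, ver), lint(doc, ver))
```

Run it against your real web.xml by reading the file into `lint()`; a finding for a constraint on 5.5.15+ is exactly the symptom in the post. Remember the declared role still has to be one the Realm actually hands out, which is why the post pairs the <security-role> with userRoleName="objectclass" on the JNDIRealm.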