How can I map LDAP role names to application role names on Tomcat

Solution Verified - Updated -


The problem we’re trying to solve on Tomcat is “how to we take a physical group name “Role-LongName-Admin” and map that to an application role named “admin””? On JBoss Enterprise Application Platform (EAP) we have the RoleMappingLoginModule, on Weblogic we have the weblogic.xml. Tomcat out of the box has no equivalent.

On normal Tomcat, we could subclass org.apache.catalina.realm.JNDIRealm and override getRoles(), however due to User being package-private this requires it to be in the same package. We cannot place the custom subclass in the same package because the Tomcat classes in EWS are in signed jars.


  • Tomcat 6
  • JBoss Enterprise Web Server (EWS)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In