Declarative security role name containing asterisk fails to work


I'm having a problem with my declarative security entries in web.xml.

The entries below are not allowing me to access the page, even though I am a member of the group *ADL - Education Group. I end up being directed to the login-noauth page.

I know this should work -- if I change it to a different group (like AT - Tech Support), it works great. I am suspicious of the leading "*" in the group name and have tried using CDATA in the web.xml, but that didn't work. I have no control over the Active Directory entries, so I can't change the name of the group. Other group names with dashes and spaces work fine.

I have verified that I am a member of the group *ADL - Education Group.

This is on a simple Tomcat 6.0 server.

Does anyone know what the problem is and how to fix it?

<error-page>
    <error-code>403</error-code>
    <location>/pages/login/login-noauth.jsf</location>
</error-page>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/pages/login/login.jsf</form-login-page>
        <form-error-page>/pages/login/login-fail.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <display-name>Batch Security</display-name>
    <web-resource-collection>
        <web-resource-name>Batch Security</web-resource-name>
        <url-pattern>/pages/batch/batch-status.jsf</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*ADL - Education Group</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>Everyone</description>
    <role-name>*ADL - Education Group</role-name>
</security-role>

1 answer

Answer by Jeremy Goodell (accepted answer)

My problem was in the server.xml file in the Realm definition. It turns out that all of the AD groups that start with "*" are defined differently in AD than other groups. In particular, they have a different distinguishedName, specifying a different roleBase. So, once I changed my roleBase attribute in the Realm element of server.xml, it worked great as is, no backslashes or character translations required.

My edit to roleBase was simply to specify the only parts of the distinguished name that were common to both types of groups.

In the one case, the distinguished name is:

CN=*ADL - Education Group,OU=ADLS,OU=IdM,DC=ROOT,DC=com

and in the other case, the distinguished name is:

CN=AT - Tech Support,OU=Distribution Groups,OU=AG1-Place-Company,OU=Americas,OU=Exchange,DC=ROOT,DC=com

So, what works as the roleBase in the server.xml file is:

roleBase="DC=ROOT,DC=com"
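The answer's finding is a search-scope problem, not an escaping problem: the realm only returns groups whose distinguishedName lies under roleBase, and the two groups live in different OU branches. The script below is an added example, not code from the question or the answer, that models that scope check and shows that the asterisk in the role name needs no XML escaping. The two group DNs are the ones quoted in the answer; the "before" roleBase is an assumption (any base that contains the AT group's OU but not OU=ADLS behaves the same way), and the one-level versus subtree distinction corresponds to Tomcat's JNDIRealm roleSubtree attribute (default false), which still has to be true for roleBase="DC=ROOT,DC=com" to reach a group nested three levels down.

```python
"""Model of a directory-backed realm's role lookup scope (constructed example)."""
import xml.etree.ElementTree as ET

# Group DNs quoted in the accepted answer.
ADL_DN = "CN=*ADL - Education Group,OU=ADLS,OU=IdM,DC=ROOT,DC=com"
AT_DN = ("CN=AT - Tech Support,OU=Distribution Groups,OU=AG1-Place-Company,"
         "OU=Americas,OU=Exchange,DC=ROOT,DC=com")

# Assumed original roleBase (not stated on the page): a branch that contains
# the AT group but not the ADL group.
OLD_ROLE_BASE = ("OU=Distribution Groups,OU=AG1-Place-Company,OU=Americas,"
                 "OU=Exchange,DC=ROOT,DC=com")
# roleBase from the answer.
NEW_ROLE_BASE = "DC=ROOT,DC=com"

# Constructed copy of the question's auth-constraint.
WEB_XML_FRAGMENT = """<security-constraint>
    <auth-constraint>
        <role-name>*ADL - Education Group</role-name>
    </auth-constraint>
</security-constraint>"""


def parse_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def in_role_base(group_dn, role_base, role_subtree):
    """True if a search rooted at role_base would find group_dn.

    Attribute types and DC/OU values are compared case-insensitively.
    With role_subtree False only direct children of role_base are searched,
    which is how JNDIRealm behaves when roleSubtree is left at its default.
    """
    group = [r.casefold() for r in parse_dn(group_dn)]
    base = [r.casefold() for r in parse_dn(role_base)]
    if len(group) <= len(base) or group[-len(base):] != base:
        return False          # group is outside the roleBase branch entirely
    depth = len(group) - len(base)
    return role_subtree or depth == 1


def rdn_value(dn, attr):
    """Return the value of the first RDN whose type matches attr (e.g. 'cn')."""
    for rdn in parse_dn(dn):
        typ, _, val = rdn.partition("=")
        if typ.strip().casefold() == attr.casefold():
            return val
    return None


def declared_role_names(fragment):
    """Role names exactly as an XML parser hands them to the container."""
    root = ET.fromstring(fragment)
    return [e.text for e in root.iter("role-name")]


def role_matches_group(role_name, group_dn):
    """JNDIRealm compares the web.xml role-name with the group's roleName
    attribute (cn by default); the comparison is a plain string equality,
    so a leading '*' is just another character."""
    return rdn_value(group_dn, "cn") == role_name


if __name__ == "__main__":
    role = declared_role_names(WEB_XML_FRAGMENT)[0]
    print("role-name parsed from web.xml:", repr(role))
    print("matches ADL group cn:", role_matches_group(role, ADL_DN))
    for label, base, subtree in [("old base, one level", OLD_ROLE_BASE, False),
                                 ("new base, one level", NEW_ROLE_BASE, False),
                                 ("new base, subtree", NEW_ROLE_BASE, True)]:
        print(f"{label}: AT={in_role_base(AT_DN, base, subtree)} "
              f"ADL={in_role_base(ADL_DN, base, subtree)}")
```

Run it and the last three lines show why the original configuration only granted the AT group, and that widening roleBase alone is not enough unless the search is also a subtree search. When reviewing such a change, note that a roleBase at the domain root with roleSubtree enabled makes every group in the directory a candidate role; the auth-constraint still names the single group that is granted access, but the realm's search now spans the whole tree, so keep the role names in web.xml specific.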