OpenAM Tomcat 6 Agent

目次

FrontPage
・Windows11
・Chromebook
・Random
・機械学習
・さくらVPS
・Fedora13
・SuSe10
・Docker
・Ansible
・Java
・Scala
・Python
・Ruby
・Lisp
・Computer
・GIS
・HTML
・Culture
・Link

訪問者

total: 21356
today: 1
yesterday: 1
now: 1

更新

最新の10件

人気の10件

MenuBar

Tomcat 6 のインストール †

• Tomcat 7 には、OpenAM の Agent をインストールできない
• http://tomcat.apache.org/download-60.cgi から apache-tomcat-6.0.33.tar.gz をダウンロード

1. 展開

   $ cd /opt
   $ sudo tar -xf ~/ダウンロード/apache-tomcat-6.0.33.tar.gz 
   $ sudo mv apache-tomcat-6.0.33 tomcat

2. /etc/rc.d/init.d/tomcat

   #!/bin/sh
   #
   # tomcat
   #
   # chkconfig: 35 99 1
   # description: Tomcat JEE Server
   CATALINA_HOME=/opt/tomcat
   export CATALINA_HOME
    
   JAVA_HOME=/usr/lib/jvm/java-1.6.0/
   export JAVA_HOME
   
   JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
   export JAVA_OPTS
   
   CATALINA_OPTS="-Dcom.iplanet.am.cookie.c66Encode=true"
   export CATALINA_OPTS
   
   case "${1}" in
   start)
     "${CATALINA_HOME}/bin/startup.sh"
     exit ${?}
     ;;
   stop)
     "${CATALINA_HOME}/bin/shutdown.sh"
     exit ${?}
     ;;
   *)
     echo "Usage:  $0 { start | stop }"
     exit 1
     ;;
   esac

3. 自動起動設定

   $ sudo chmod +x /etc/rc.d/init.d/tomcat
   $ sudo /sbin/chkconfig --add tomcat
   $ sudo /sbin/chkconfig --list tomcat
   tomcat 0:off	1:off	2:off	3:on	4:off	5:on	6:off

4. Tomcatを停止しておく

   $ sudo /etc/rc.d/init.d/tomcat stop

J2EE Agent の設定(OpenAM側) †

1. [アクセス制御]-[/最上位のレルム]
   
2. [エージェント]-[J2EE]
   
3. tomcatAgent の作成 (実際に外部から呼ばれるときの URL を指定すること)
   
    
   

J2EE Agent の設定(Tomcat側) †

1. http://forgerock.org/openam.html から Tomcat 6 用の Agent をダウンロード
2. /opt/openam に展開

   $ cd /opt/openam
   $ sudo unzip /home/kagyuu/ダウンロード/tomcat_v6_agent_303.zip
   $ ls
   apache-tomcat-6.0.33  j2ee_agents  ssoAdminTools  web_agents

3. パスワードファイルを作成

   # echo tmpassword > /opt/openam/j2ee_agents/tomcat_v6_agent/.passwd
   # chmod 400 /opt/openam/j2ee_agents/tomcat_v6_agent/.passwd

4. tomcat への組み込み

   # cd /opt/openam/j2ee_agents/tomcat_v6_agent/bin/
   # ./agentadmin --install
   
   (中略)
   
   -----------------------------------------------
   Tomcat Server Config Directory : /opt/apache-tomcat-6.0.33/conf 
   OpenSSO server URL : http://pine.hondou.homedns.org:9080/openam 
   $CATALINA_HOME environment variable : /opt/apache-tomcat-6.0.33 
   Tomcat global web.xml filter install : false 
   Agent URL : http://pine.hondou.homedns.org:8080/agentapp 
   Agent Profile name : tomcatAgent 
   Agent Profile Password file name :
   /opt/openam/j2ee_agents/tomcat_v6_agent/.passwd 

5. agentapp を配備

   # cp /opt/openam/j2ee_agents/tomcat_v6_agent/etc/agentapp.war /opt/apache-tomcat-6.0.33/webapps/

6. サンプルアプリ を配備

   # cp /opt/openam/j2ee_agents/tomcat_v6_agent/sampleapp/dist/agentsample.war /opt/apache-tomcat-6.0.33/webapps/

7. tomcatの起動

   # /etc/rc.d/init.d/tomcat start

agentsample †

1. [アクセス制御]-[/(最上位のレルム)]-[ポリシー] で、agentsample 用の設定を行う
   
   • ルール
     • http://pine.hondou.homedns.org:8080/agentsample/*
     • http://pine.hondou.homedns.org:8080/agentsample/*?*
   • 対象
     • 認証済みユーザー
2. [アクセス制御]-[/(最上位のレルム)]-[対象] で、manager グループを作成し、ichiro を manager グループに参加させる
   
3. [アクセス制御]-[/(最上位のレルム)]-[対象] で、employee グループを作成し、jiro を employee グループに参加させる
   
4. http://pine.hondou.homedns.org:8080/agentsample/ にアクセスすると、OpenAM のログイン画面が表示される
5. ichiro (manager) でログイン
   
   
6. jiro (employee) でログインすると /protectedservlet が実行できない
   

• これらは、web.xml によって制御されている

  <?xml version="1.0" encoding="UTF-8"?>
  <!--
   Copyright (c) 2008 Sun Microsystems, Inc. All rights reserved.
   Use is subject to license terms.
  -->
  
  <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 
  
  	<display-name> Sun Java System Access Manager J2EE Policy Agent Sample Application</display-name>
      <description> An application to demonstrate the features of J2EE Policy Agents </description>
  
    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>SJS Access Manager Tomcat Policy Agent Filter</description>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
  
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
  
  	<servlet>
          <display-name>ProtectedServlet</display-name>
          <servlet-name>ProtectedServlet</servlet-name>
          <servlet-class>com.sun.identity.agents.sample.ProtectedServlet</servlet-class>
      </servlet>
  
      <servlet>
          <display-name>SecurityAwareServlet</display-name>
          <servlet-name>SecurityAwareServlet</servlet-name>
          <servlet-class>com.sun.identity.agents.sample.SecurityAwareServlet</servlet-class>
  		<security-role-ref>
              <role-name>MANAGER_ROLE</role-name>
              <role-link>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-link>
          </security-role-ref>
          <security-role-ref>
              <role-name>EMPLOYEE_ROLE</role-name>
              <role-link>id=employee,ou=group,dc=opensso,dc=java,dc=net</role-link>
          </security-role-ref>
      </servlet>
  
      <servlet>
          <display-name>URLPolicyServlet</display-name>
          <servlet-name>URLPolicyServlet</servlet-name>
          <servlet-class>com.sun.identity.agents.sample.URLPolicyServlet</servlet-class>
      </servlet>
  
      <servlet-mapping>
          <servlet-name>ProtectedServlet</servlet-name>
          <url-pattern>/protectedservlet</url-pattern>
      </servlet-mapping>
  
      <servlet-mapping>
          <servlet-name>SecurityAwareServlet</servlet-name>
          <url-pattern>/securityawareservlet</url-pattern>
      </servlet-mapping>
  
      <servlet-mapping>
          <servlet-name>URLPolicyServlet</servlet-name>
          <url-pattern>/urlpolicyservlet</url-pattern>
      </servlet-mapping>
  
      <session-config>
          <session-timeout>54</session-timeout>
      </session-config>
  
      <welcome-file-list>
          <welcome-file>/public/welcome.html</welcome-file>
      </welcome-file-list>
  
      <error-page>
          <error-code>403</error-code>
          <location>/authentication/accessdenied.html</location>
      </error-page>
  
      <error-page>
          <error-code>404</error-code>
          <location>/public/notfound.html</location>
      </error-page>
  
  	<security-constraint>
          <web-resource-collection>
              <web-resource-name>Security Aware Servlet</web-resource-name>
              <url-pattern>/SecurityAwareServlet</url-pattern>
              <url-pattern>/securityawareservlet</url-pattern>
          </web-resource-collection>
         <auth-constraint>
  			<role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
  			<role-name>id=employee,ou=group,dc=opensso,dc=java,dc=net</role-name>
          </auth-constraint>
      </security-constraint>
  
  	<security-constraint>
          <web-resource-collection>
          <web-resource-name>Protected Servlet</web-resource-name>
          <url-pattern>/protectedservlet</url-pattern>
          </web-resource-collection>
          <auth-constraint>
  			<role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
          </auth-constraint>
      </security-constraint>
  
      <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/authentication/login.html</form-login-page>
              <form-error-page>/authentication/accessdenied.html</form-error-page>
          </form-login-config>
      </login-config>   
  
      <security-role id="SR_MANAGER_ROLE">
  		<role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </security-role>
  
  	<security-role id="SR_EMPLOYEE_ROLE">
  		<role-name>id=employee,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </security-role>   
  
  </web-app>
  

Tomcat Manager †

1. [アクセス制御]-[/(最上位のレルム)]-[ポリシー] で、manager 用の設定を行う
   
   • ルール
     • http://pine.hondou.homedns.org:8080/manager/*
     • http://pine.hondou.homedns.org:8080/manager/*?*
     • http://pine.hondou.homedns.org:8080/host-manager/*
     • http://pine.hondou.homedns.org:8080/host-manager/*?*
   • 対象
     • manager
2. [アクセス制御]-[/(最上位のレルム)]-[エージェント]-[J2EE]-[tomcatAgent] のログインフォームURIとログインエラーURIを設定する
   
   • ログインフォームURI
     • /manager/AMLogin.html
     • /host-manager/AMLogin.html
   • ログインエラーURI
     • /manager/AMError.html
     • /host-manager/AMError.html
   • これらは、web.xml の <form-login-config><form-login-page> と <form-login-config><form-error-page>
3. id=manager,ou=group,dc=opensso,dc=java,dc=net を Tomcat の manager にする

   # cd /opt/apache-tomcat-6.0.33/webapps/manager/WEB-INF
   # cp web.xml web.xml_
   # sed -e "s/<role-name>manager<\/role-name>/<role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net<\/role-name>/g" web.xml_ > web.xml

    

   # cd /opt/apache-tomcat-6.0.33/webapps/host-manager/WEB-INF
   # cp web.xml web.xml_
   # sed -e "s/<role-name>admin<\/role-name>/<role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net<\/role-name>/g" web.xml_ > web.xml

4. tomcat を再起動

   # /etc/rc.d/init.d/tomcat stop

    

   # /etc/rc.d/init.d/tomcat start

5. http://pine.hondou.homedns.org:8080/manager にアクセスできた
   
   

• web.xml はこんな感じになっている

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!--
   Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at
  
        http://www.apache.org/licenses/LICENSE-2.0
  
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
  -->
  
  <web-app xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     version="2.5"> 
  
    <display-name>Tomcat Manager Application</display-name>
    <description>
      A scriptable management web application for the Tomcat Web Server;
      Manager lets you view, load/unload/etc particular web applications.
    </description>
  
    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>SJS Access Manager Tomcat Policy Agent Filter</description>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
  
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
  
    <servlet>
      <servlet-name>Manager</servlet-name>
      <servlet-class>org.apache.catalina.manager.ManagerServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>2</param-value>
      </init-param>
    </servlet>
    <servlet>
      <servlet-name>HTMLManager</servlet-name>
      <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>2</param-value>
      </init-param>
    </servlet>
    <servlet>
      <servlet-name>Status</servlet-name>
      <servlet-class>org.apache.catalina.manager.StatusManagerServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
      </init-param>
    </servlet>
  
    <servlet>
      <servlet-name>JMXProxy</servlet-name>
      <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
    </servlet>
  
    <!-- Define the Manager Servlet Mapping -->
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/list</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/expire</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/sessions</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/start</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/stop</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/install</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/remove</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/deploy</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/undeploy</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/reload</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/save</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/serverinfo</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/roles</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/resources</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Manager</servlet-name>
        <url-pattern>/findleaks</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Status</servlet-name>
      <url-pattern>/status/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>JMXProxy</servlet-name>
        <url-pattern>/jmxproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>HTMLManager</servlet-name>
      <url-pattern>/html/*</url-pattern>
    </servlet-mapping>
  
    <filter>
      <filter-name>CSRF</filter-name>
      <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
      <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/html,/html/,/html/list</param-value>
      </init-param>
    </filter>
  
    <filter-mapping>
      <filter-name>CSRF</filter-name>
      <servlet-name>HTMLManager</servlet-name>
    </filter-mapping>
  
    <!-- Define reference to the user database for looking up roles -->
    <resource-env-ref>
      <description>
        Link to the UserDatabase instance from which we request lists of
        defined role names.  Typically, this will be connected to the global
        user database with a ResourceLink element in server.xml or the context
        configuration file for the Manager web application.
      </description>
      <resource-env-ref-name>users</resource-env-ref-name>
      <resource-env-ref-type>
        org.apache.catalina.UserDatabase
      </resource-env-ref-type>
    </resource-env-ref>
  
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Manager commands</web-resource-name>
        <url-pattern>/list</url-pattern>
        <url-pattern>/expire</url-pattern>
        <url-pattern>/sessions</url-pattern>
        <url-pattern>/start</url-pattern>
        <url-pattern>/stop</url-pattern>
        <url-pattern>/install</url-pattern>
        <url-pattern>/remove</url-pattern>
        <url-pattern>/deploy</url-pattern>
        <url-pattern>/undeploy</url-pattern>
        <url-pattern>/reload</url-pattern>
        <url-pattern>/save</url-pattern>
        <url-pattern>/serverinfo</url-pattern>
        <url-pattern>/roles</url-pattern>
        <url-pattern>/resources</url-pattern>
        <url-pattern>/findleaks</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- NOTE: 1. These roles are not present in the default users file
                    2. The manager role is deprecated, it will be removed in
                       Tomcat 7.
                    3. Use the manager-script role to take advantage of the new
                       CSRF protection. Using the manager role or assigning both
                       the manager-script and manager-gui roles to the same user
                       will bypass the CSRF protection. -->
         <role-name>manager-script</role-name>
         <role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </auth-constraint>
    </security-constraint>
  
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTML Manager commands</web-resource-name>
        <url-pattern>/html/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- NOTE: 1. These roles are not present in the default users file
                    2. The manager role is deprecated, it will be removed in
                       Tomcat 7.
                    3. Use just the manager-gui role to take advantage of the new
                       CSRF protection. Assigning the manager role or manager-gui
                       role along with either the manager-script or manager-jmx
                       roles to the same user will bypass the CSRF protection. -->
         <role-name>manager-gui</role-name>
         <role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </auth-constraint>
    </security-constraint>
  
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JMX proxy</web-resource-name>
        <url-pattern>/jmxproxy/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- NOTE: 1. These roles are not present in the default users file
                    2. The manager role is deprecated, it will be removed in
                       Tomcat 7.
                    3. Use the manager-jmx role to take advantage of the new
                       CSRF protection. Using the manager role or assigning both
                       the manager-jmx and manager-gui roles to the same user
                       will bypass the CSRF protection. -->
         <role-name>manager-jmx</role-name>
         <role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </auth-constraint>
    </security-constraint>
  
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Status</web-resource-name>
        <url-pattern>/status/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- NOTE: 1. These roles are not present in the default users file
                    2. The manager role is deprecated, it will be removed in
                       Tomcat 7. -->
         <role-name>manager-status</role-name>
         <role-name>manager-gui</role-name>
         <role-name>manager-script</role-name>
         <role-name>manager-jmx</role-name>
         <role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
      </auth-constraint>
    </security-constraint>
  
    <login-config>
      <auth-method>FORM</auth-method>
      <Realm>Default</Realm>
      <form-login-config>
        <form-login-page>/AMLogin.html</form-login-page>
        <form-error-page>/AMError.html</form-error-page></form-login-config>
    </login-config>
  
  
    <!-- Define the Login Configuration for this Application -->
  
    <!-- Security roles referenced by this web application -->
    <security-role>
      <description>
        The role that is required to access the HTML Manager pages
      </description>
      <role-name>manager-gui</role-name>
    </security-role>
    <security-role>
      <description>
        The role that is required to access the text Manager pages
      </description>
      <role-name>manager-script</role-name>
    </security-role>
    <security-role>
      <description>
        The role that is required to access the HTML JMX Proxy
      </description>
      <role-name>manager-jmx</role-name>
    </security-role>
    <security-role>
      <description>
        The role that is required to access to the Manager Status pages 
      </description>
      <role-name>manager-status</role-name>
    </security-role>
    <security-role>
      <description>
        Deprecated role that can access all Manager functionality
      </description>
      <role-name>id=manager,ou=group,dc=opensso,dc=java,dc=net</role-name>
    </security-role>
  
    <error-page>
      <error-code>401</error-code>
      <location>/401.jsp</location>
    </error-page>
    <error-page>
      <error-code>403</error-code>
      <location>/403.jsp</location>
    </error-page>
  
  </web-app>
  

web.xml について †

• URL 単位でアクセス制御をする場合には、普通の web.xml を書けば良い
• アクセスを許可するロール名 (<security-constraint><auth-constraint><role-name>) が LDAP のグループ名 (= ユーザの memberOf 属性) になる
• ログインフォームの設定

   <login-config>
     <auth-method>FORM</auth-method>
     <Realm>Default</Realm>
     <form-login-config>
       <form-login-page>/AMLogin.html</form-login-page>
       <form-error-page>/AMError.html</form-error-page>
     </form-login-config>
   </login-config>

  と設定し、OpenAM の tomcatAgent の設定で、該当するページの相対URLを指定する

JavaEE のインタフェースからは OpenAM の認証情報を使えないっぽい(tomcat系では?) †

• サンプルページ

  <%@page contentType="text/html" pageEncoding="UTF-8"%>
  <!DOCTYPE html>
  <html>
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <title>OpenAM Example</title>
    </head>
    <body>
      <h1>Hello OpenAM!</h1>
      <table border="1">
        <tbody>
          <tr>
            <th>REMOTE USER</th>
            <td><%= request.getRemoteUser() %></td>
          </tr>
          <tr>
            <th>USER PRINICIPLE</th>
            <td><%= request.getUserPrincipal() %></td>
          </tr>
          <tr>
            <th>IS USER IN ROLE (wpadmin)</th>
          <td><%= request.isUserInRole("id=wpadmin,ou=group,dc=opensso,dc=java,dc=net") %></td>
          </tr>
          <tr>
            <th>IS USER IN ROLE (wpuser)</th>
          <td><%= request.isUserInRole("id=wpuser,ou=group,dc=opensso,dc=java,dc=net") %></td>
          </tr>
        </tbody>
  
      </table>
    </body>
  </html>
  

• 実行結果
  
• ちょっと古い記事(28/Apr/09) → http://java.net/jira/browse/OPENSSO-4874
  • tomcat系ではうまくいかない？
  • glassfish系ではうまくいく？
• Java でも、必要な情報を HTTP Header に入れるようにするのが吉かも → OpenAM HTTP Header にユーザ情報を格納

Java#OpenAM