resetting security authorization

jeroen dijkmeijer
Ranch Hand

Joined: Sep 26, 2003
Posts: 131
Hi,
We have a MyFaces application in which we have implemented security. Part is declarative in the web.xml, part is Java based (used for rendering menu items, or navigation).
Now we often need to assign a role to a user using an LDAP tool. This all works fine, but after the user is added to a group/role the application doesn't pick up the new roles. We retrieve whether a user has a role by using:
FacesContext.getCurrentInstance().getExternalContext().isUserInRole(arg0);
Unless we restart the application (appserver) the role changes are not visible. Is there a way (programmatically or otherwise) to force a reload of the roles the user is assigned to?
thanks and regards,
Jeroen.
Oh yeah, I'm using WebSphere 6.1.0.13, MyFaces 1.1.5, IBM's JDK (1.5)
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15662
    
  15

Actually, you shouldn't have to completely restart WebSphere, just log the user out. The new roles should kick in on next login.

Or at least that's what Tomcat would do. It's actually the most reasonable action, since, as you've observed, restarting the entire server would be punitive on a system with many users. Conversely, dynamically reflecting the roles as they change - especially when serving them from a non-transactional environment - could potentially open up security holes in the app. So a clean transition is best, and barring anyone's supplying an API so the app can intelligently demarcate the role changing, a logout/login works. It's also fairly easy to explain in user terms ("Just log out and log back in again and you'll be able to do X").


Customer surveys are for companies who didn't pay proper attention to begin with.
jeroen dijkmeijer
Ranch Hand

Joined: Sep 26, 2003
Posts: 131
Thanks for your reply,
But unfortunately this does not work for us. For some reason the removal of roles is detected on logout/login, but the addition of roles does not get picked up even after we log out and log back in.
The logout is performed doing a:
HttpSession ses = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
ses.invalidate();

Now we're using Spring under JSF, and maybe we should use a logout filter as the Acegi docs point out.
regards,
jeroen.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15662
    
  15

This is really odd. I'd expect either nothing to update (stale properties cache) or everything to update.

If it were Tomcat, I'd slap a few traces in the Realm code, having had some experience there when I developed a web-service-to-LDAP Realm. For WebSphere, however, since it's closed source, I'd be tempted to ask IBM for an explanation.
jeroen dijkmeijer
Ranch Hand

Joined: Sep 26, 2003
Posts: 131
Really strange behavior.
Using session.invalidate() logs the user out; getPrincipal() on the external context returns null, which is as expected.
But then I can access the pages again without reauthenticating. Then I started using the IBM way: ibm_security_logout and form action. Which first displays a "page not found" in the browser; then hitting the URL http://localhost:port/my_app/ibm_security_logout will display the message "logout successful". Now accessing the app pages will force a reauthentication, which is good, but.. the roles don't get reloaded. I'm afraid the Acegi security together with the WebSphere security is doing some wild things.
Any help is greatly welcomed.
regards and thanks in advance.
Jeroen.
[ May 06, 2008: Message edited by: jeroen dijkmeijer ]
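Added example (not code from this thread): a hypothetical request-scoped JSF 1.1 managed bean that puts Tim's "clean transition" advice into practice for the WebSphere setup described above. It never caches role answers in session state, and its logout both invalidates the application's HttpSession (dropping Spring/Acegi state) and redirects to the container's ibm_security_logout URL named in the thread, so the container's own security session ends too. The role name "admin" and the bean name are assumptions.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical request-scoped managed bean (added example, not from the thread).
 * Role checks always go to the container; nothing role-related is stored in the
 * HttpSession, so a logout/login is the only place a role change can be missed.
 */
public class SecurityBean {

    /** Ask the container on every call; never remember the answer across requests. */
    public boolean isInRole(String role) {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        // An unauthenticated request has no remote user and therefore no roles.
        return ctx.getRemoteUser() != null && ctx.isUserInRole(role);
    }

    /** Suitable for rendered="#{securityBean.admin}" on a menu item ("admin" is assumed). */
    public boolean isAdmin() {
        return isInRole("admin");
    }

    /**
     * Two-step logout. Step 1 clears the application session (Spring/Acegi state);
     * step 2 redirects to WebSphere's ibm_security_logout so the container also
     * forgets the authenticated subject and forces a fresh login, which is where
     * the container re-reads the user's group memberships from LDAP.
     */
    public String logout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ctx = fc.getExternalContext();
        HttpSession ses = (HttpSession) ctx.getSession(false);
        if (ses != null) {
            ses.invalidate();
        }
        ctx.redirect(ctx.getRequestContextPath() + "/ibm_security_logout");
        fc.responseComplete();   // stop JSF from rendering a view after the redirect
        return null;
    }
}
```

If newly added roles still do not appear after this full logout, the staleness is in the container or its LDAP registry cache rather than in the application, which is the point at which Tim suggests asking IBM.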
jeroen dijkmeijer
Ranch Hand

Joined: Sep 26, 2003
Posts: 131
I continued this thread on IBM WebSphere.
Many thanks for your time and support!