
How to set a user's role

James Adams
Ranch Hand

Joined: Sep 12, 2003
Posts: 188
How do you set a user's role? I have a servlet (actually a Struts Action) which is doing authentication of the username/password using a LDAP server. If the username/password is good then I lookup the user's role, also stored in the LDAP server. Now I want to set this role into the user's session somehow so that later they will have the correct security role to access the role-restricted resources of the web application. How is this done? And out of curiosity I wonder how it's done if you use form-based authentication - i.e. where does the role information for users come from and how is it set in their session?
Thanks in advance for any suggestions or insight.

Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1873
Hi James,
In form based auth I don't think we have to follow any standard way of setting a role. If we wanted to put it in the session we would go with using our session variable storing it. Something like,
session.setAttribute("userRole","admin"); and use it in our application where we want to check for the role as,
String userRole = (String)session.getAttribute("userRole");
if (userRole.equals("admin") ) {}
else {} ....
I am not aware of any specific API method or way to set the role in the session...
Any more ideas by ppl?
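The session-attribute check from the post above, written out as a servlet Filter that also covers the cases the inline snippet does not (no session yet, no role attribute, deny by default). This is an added example, not code from the thread; it assumes the Servlet 2.x javax.servlet API, the "userRole" attribute name used above, a filter init-param named allowedRoles, and a login page at /login.jsp.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Programmatic role check for the session-attribute approach. Map this filter
 * in web.xml to the URL patterns that are role-restricted; it denies by default.
 * The roles allowed for those URLs come from the init-param "allowedRoles"
 * (an assumed name), e.g. "admin,auditor".
 */
public class RoleFilter implements Filter {
    private final Set<String> allowedRoles = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedRoles");
        if (param != null) {
            allowedRoles.addAll(Arrays.asList(param.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object role = (session == null) ? null : session.getAttribute("userRole");

        // Null-safe: a missing role means "not authorised", not a NullPointerException.
        if (role instanceof String && allowedRoles.contains(role)) {
            chain.doFilter(req, res);           // authorised: continue to the resource
        } else if (role == null) {
            // Not logged in yet: send to the login page (path is an assumption).
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {
        allowedRoles.clear();
    }
}
```

This protects only the URL patterns the filter is mapped to; the container's own <auth-constraint> checks and request.isUserInRole() still know nothing about a role stored this way, which is the limitation discussed in the replies that follow.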
James Adams
Ranch Hand

Joined: Sep 12, 2003
Posts: 188
Thanks for the feedback. Yes when you use form-based authentication you get the role as if by magic. The beauty of it is that once it's set the container can then use it to check against security constraints of resources declared in the deployment descriptor. With the approach suggested above there is no chance of taking advantage of this feature, and all security constraints must be enforced programmatically. What I am interested in doing is to set the same "role" in the user's session that the container is setting when it does its authentication, so that the role checking done automatically by the container can then happen as if the role were set by the container by way of one of its built-in authentication mechanisms. But from the looks of things this just isn't possible, at least from what I can tell from the API.
Something else has occurred to me - if I pass a username and password to an authentication servlet or Struts Action, instead of using form-based authentication, how can I be sure that they'll be strongly encrypted in the POST method request? Perhaps I am not getting any more security by going that route, unless I also use SSL, than by using form-based authentication with its transparent usernames and passwords, since the form parameters may not be any more encrypted than are the form-based authentication form parameters. Can anyone comment?
It seems that using SSL with form-based authentication is the only way to go if you want to get the "role" business correct and still be very secure. Any pointers to references which explain how this is accomplished ? What if you do want to use an LDAP server for authenticating users, instead of letting the container do the authentication ? Is there really no way to get the role from LDAP and then set this for the user in such a way that the container can then use the role for resource security constraint checking ?

David O'Meara

Joined: Mar 06, 2001
Posts: 13459

As Maulin says, it's all a bit vendor specific. Some of the form-based details are common, but linking in where the passwords are kept is not.
You can still use form-based authentication with LDAP holding the authorisation and authentication details, but you'll have to tell us which server you are using. I've only done it with Tomcat and WebSphere using IBM SecureWay as the LDAP server. I used iPlanet and the Sun LDAP server years ago, but I can't remember a thing about it.