
How to set a user's role

 
James Adams
Ranch Hand
Posts: 188
How do you set a user's role? I have a servlet (actually a Struts Action) which is doing authentication of the username/password using an LDAP server. If the username/password is good then I look up the user's role, also stored in the LDAP server. Now I want to set this role into the user's session somehow so that later they will have the correct security role to access the role-restricted resources of the web application. How is this done? And out of curiosity I wonder how it's done if you use form-based authentication - i.e. where does the role information for users come from and how is it set in their session?
Thanks in advance for any suggestions or insight.

-James
 
Maulin Vasavada
Ranch Hand
Posts: 1873
Hi James,
In form based auth I don't think we have to follow any standard way of setting a role. If we wanted to put it in the session we would go with using our session variable storing it. Something like,

    // after a successful login, store the role looked up for this user
    session.setAttribute("userRole", "admin");

and use it in our application where we want to check for the role as,

    String userRole = (String) session.getAttribute("userRole");
    if ("admin".equals(userRole)) {   // constant first: safe when no role is set
        // admin-only work
    } else {
        // everyone else
    }

I am not aware of any specific API method or way to set the role in the session...
Any more ideas by ppl?
Regards
Maulin
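A way to make the session-attribute approach above less fragile, as an added example that is not from the thread or any of its posters: instead of repeating the getAttribute/equals check in every page, one Filter enforces a path-to-role table for the whole application, denies by default on protected paths, and wraps the request so that downstream code can call the standard request.isUserInRole() against the session role. The path prefixes, role names, login page and the javax.servlet (Servlet 3.x/4.x) namespace are assumptions; the container itself still knows nothing about this role, so web.xml security constraints are not applied by it.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Centralises the "userRole" session-attribute check so that every protected
 * path is covered once, rather than relying on each page to repeat it.
 */
@WebFilter(urlPatterns = "/*")
public class SessionRoleFilter implements Filter {

    // Constructed, hypothetical path-to-role table: /admin needs "admin",
    // /app accepts "user" or "admin". In practice this comes from configuration.
    private static final Map<String, Set<String>> REQUIRED_ROLES = Map.of(
            "/admin/", Set.of("admin"),
            "/app/",   Set.of("user", "admin"));

    // Assumed location of the application's own login page.
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/admin/users.do"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Set<String> required = requiredRolesFor(path);

        if (required == null) {
            // Not a protected path (login page, static resources, ...)
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session just to inspect it
        HttpSession session = request.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("userRole");

        if (role == null) {
            // Anonymous user: the bare equals() call in the thread would throw
            // NullPointerException here; send them to the login page instead.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (!required.contains(role)) {
            // Authenticated but not entitled to this path
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Expose the session role through the standard API so later code can
        // call request.isUserInRole("admin") exactly as it would under
        // container-managed security.
        chain.doFilter(new RoleAwareRequest(request, role), res);
    }

    /** Longest-prefix lookup is unnecessary here: prefixes do not overlap. */
    static Set<String> requiredRolesFor(String path) {
        for (Map.Entry<String, Set<String>> e : REQUIRED_ROLES.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    /** Answers isUserInRole() from the role stored in the session. */
    static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final String role;

        RoleAwareRequest(HttpServletRequest request, String role) {
            super(request);
            this.role = role;
        }

        @Override
        public boolean isUserInRole(String name) {
            return role.equals(name);
        }
    }
}
```

The filter only protects the prefixes in its table, so the table has to be kept in step with the application's URL layout; a request to a path that is neither listed nor public is passed through, which is the same gap the per-page approach has, so review it as you would a web.xml security-constraint.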
 
James Adams
Ranch Hand
Posts: 188
Thanks for the feedback. Yes when you use form-based authentication you get the role as if by magic. The beauty of it is that once it's set the container can then use it to check against security constraints of resources declared in the deployment descriptor. With the approach suggested above there is no chance of taking advantage of this feature, and all security constraints must be enforced programmatically. What I am interested in doing is to set the same "role" in the user's session that the container is setting when it does its authentication, so that the role checking done automatically by the container can then happen as if the role were set by the container by way of one of its built-in authentication mechanisms. But from the looks of things this just isn't possible, at least from what I can tell from the API.
Something else has occurred to me - if I pass a username and password to an authentication servlet or Struts Action, instead of using form-based authentication, how can I be sure that they'll be strongly encrypted in the POST method request? Perhaps I am not getting any more security by going that route, unless I also use SSL, than by using form-based authentication with its transparent usernames and passwords, since the form parameters may not be any more encrypted than are the form-based authentication form parameters. Can anyone comment?
It seems that using SSL with form-based authentication is the only way to go if you want to get the "role" business correct and still be very secure. Any pointers to references which explain how this is accomplished? What if you do want to use an LDAP server for authenticating users, instead of letting the container do the authentication? Is there really no way to get the role from LDAP and then set this for the user in such a way that the container can then use the role for resource security constraint checking?

-James
 
David O'Meara
Rancher
Posts: 13459
As Maulin says, it's all a bit vendor specific. Some of the form-based details are common, but linking in where the passwords are kept is not.
You can still use form-based authentication with LDAP holding the authorisation and authentication details, but you'll have to tell us which server you are using. I've only done it with Tomcat and WebSphere using IBM SecureWay as the LDAP server. I used iPlanet and the Sun LDAP server years ago, but I can't remember a thing about it.
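For the question of letting your own servlet or Struts Action take the credentials while the container still owns the roles, an added example that is not from the thread or any of its posters: Servlet 3.0 (released well after this thread) added HttpServletRequest#login, which hands the credentials to whatever realm the container is configured with, so the roles the container then reports come straight from that realm. The realm configuration itself is container specific, as David says; for Tomcat it is a Realm element such as org.apache.catalina.realm.JNDIRealm pointing at the LDAP server, and a login-config and security-role entries in web.xml are still required. The servlet path, role names, redirect targets and the javax.servlet namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical login servlet that delegates credential checking to the
 * container's configured realm (e.g. an LDAP realm) instead of binding to
 * LDAP itself. After a successful login() the request carries the container's
 * Principal and roles, so request.isUserInRole() and the security-constraint
 * elements in web.xml see the LDAP roles directly. Requires Servlet 3.0+.
 */
@WebServlet("/doLogin")
public class ContainerLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The POST body is plain text on the wire unless the connection is TLS,
        // exactly as James suspected; refuse to accept credentials otherwise.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            // Delegates to the realm configured in the container; nothing about
            // the directory (host, bind DN, role search) lives in this code.
            request.login(username, password);
        } catch (ServletException e) {
            // Unknown user, wrong password, or already authenticated: one
            // answer for all of them so usernames cannot be enumerated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }

        // Roles now come from the container, not from a hand-set session attribute.
        String target = request.isUserInRole("admin") ? "/admin/index.jsp" : "/app/index.jsp";
        response.sendRedirect(request.getContextPath() + target);
    }
}
```

Whether the authenticated state carries over to later requests depends on the container caching the Principal in the session (Tomcat's authenticators do this by default); check your server's documentation, and keep the session cookie itself restricted to HTTPS so the login is not downgraded after the fact.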
 