JavaRanch Big Moose Saloon, forum: EJB and other Java EE Technologies
Ldap and security-role-ref mappings

M. Hofstetter
Greenhorn

Joined: Nov 12, 2008
Posts: 2
Hello

I am building an application that authenticates its users on an LDAP server (Active Directory). I am using the LdapExtLoginModule of JBoss. This works well for the authentication of users.

However, I have to get further information from the LDAP server. For example, I need the name and surname of a user. To do this I am currently using a javax.naming.Context and a filter on the attributes I am interested in.

Furthermore, I want to map the role name from the LDAP name to a name we use inside our application for authorization purposes. To achieve this we used the <security-role-ref> element in web.xml:

    <security-role-ref>
        <role-name>Leader</role-name>
        <role-link>groupleader</role-link>
    </security-role-ref>
    ...

So a call to isUserInRole("Leader") returns true for an admin. I do this to be more independent of the underlying ldap representation of the roles.

The problem is the following:
The application has some methods where a group leader displays data of the members of the group he is in. So in LDAP he is a member of the groupleader group and a member of the group that he leads.

Example:


So now I would like to get all the members of workgroup1 from the LDAP server. I can do this using javax.naming (directory.DirContext etc.). This does not work, however, with the mapped names, since LDAP does not know about them.

So my question is: can I somehow get the mapping from Group1 to the real LDAP group (workgroup1) from the server, so I can use it to query LDAP for every member of that group?

Also, on a more general note: is this the right way to represent groups in Active Directory? I think it is a bit strange because on one hand the LDAP groups are used to denote the role of a user (Leader) and on the other hand the LDAP groups are used to organize the workforce into workgroups.

I hope I managed to make my problem clear. Any help or comments would be greatly appreciated.

Cheers
MH

[ November 12, 2008: Message edited by: M. Hofstetter ]
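As an added example (not code from the original post, JBoss or the JavaRanch thread), this is one way to do what the question asks: since the container offers no API for the reverse mapping, read the role-name to role-link pairs out of web.xml yourself, then use the role-link value as the AD group cn and fetch its members over JNDI. It assumes an already authenticated DirContext (for instance bound to the same server the LdapExtLoginModule is configured against) and a base DN you supply; the class, method and parameter names are hypothetical, and the group name is escaped per RFC 4515 so that nothing placed in the filter can change its structure.

```java
import java.io.InputStream;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class RoleLinkResolver {
    // The role-name -> role-link mapping lives only in web.xml; isUserInRole never exposes it.
    static Map<String, String> loadRoleLinks(InputStream webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // block XXE
        Document doc = f.newDocumentBuilder().parse(webXml);
        Map<String, String> links = new HashMap<>();
        NodeList refs = doc.getElementsByTagName("security-role-ref");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            links.put(text(ref, "role-name"), text(ref, "role-link")); // "Leader" -> "groupleader"
        }
        return links;
    }

    private static String text(Element parent, String tag) {
        return parent.getElementsByTagName(tag).item(0).getTextContent().trim();
    }

    // RFC 4515 escaping: a value interpolated into a filter cannot change its structure.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Find the AD group whose cn is the role-link value and return the DNs in its "member"
    // attribute. AD lists direct members only; nested groups are not expanded here.
    static List<String> membersOf(DirContext ctx, String baseDn, String groupCn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"member"});
        String filter = "(&(objectClass=group)(cn=" + escapeFilter(groupCn) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        List<String> members = new ArrayList<>();
        while (results.hasMore()) {
            Attribute member = results.next().getAttributes().get("member");
            if (member == null) continue; // group without members
            for (NamingEnumeration<?> vals = member.getAll(); vals.hasMore();) members.add(vals.next().toString());
        }
        return members;
    }
}
```

With the mapping loaded, `membersOf(ctx, baseDn, links.get("Leader"))` resolves the application role name to the LDAP group and lists its members; the web.xml file is trusted configuration, but escaping still protects the filter if a group name is ever taken from a less trusted source.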
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16303

Well, I'm not sure if I understood all that, but here are some answers that may help.

First, I've discovered that a lot of people tend to think of "role" as being related to a person or a group of people. The JEE security role is actually related to a business function. That is actually more flexible, since in the real world, job responsibilities tend to shift and as they shift, the security needs of the system's users shift too in order to carry out those responsibilities. That's one of the reasons why a user can participate in multiple roles. If the boss goes on holiday, the #2 may be given the ability to maintain user accounts, for example.

Requiring the role names to be coded in the application to be the same as they are in the authentication data repository would be limiting, so there is a provision in web.xml to map the external role names (LDAP, in your case) to the actual role names you reference in your application. I don't remember the exact XML elements that do that, but they're there.


Customer surveys are for companies who didn't pay proper attention to begin with.