
Ldap and security-role-ref mappings

M. Hofstetter

Joined: Nov 12, 2008
Posts: 2

I am building an application that authenticates its users on an LDAP Server (Active Directory). I am using the LdapExtLoginModule of JBoss. This works well for the authentication of users.

However I have to get further information from the LDAP Server. For example I need the name and surname of a user. To do this I am currently using a javax.naming.context and a Filter on the Attributes I am interested in.

Furthermore I want to map the role name from the LDAP name to a name we use inside our application for authorization purposes. To achieve this we used the <security-role-ref> element in the web.xml


So a call to isUserInRole("Leader") returns true for an admin. I do this to be more independent of the underlying ldap representation of the roles.

The problem is the following:
The application has some methods where a groupleader displays data of the members of the group he is in. So in ldap he is member of the groupleader-group and member of the group that he leads.


So now I would like to get all the members of workgroup1 from the ldap server. I can do this using javax.naming (directory.DirContext etc). This does not work however with the mapped names, since ldap does not know about them.

So my question is: Can I somehow get the mapping for Group1 to the real ldap group (workgroup1) from the server, so I can use it to query ldap for every member in that group?

Also on a more general note: Is this the right way to represent groups in an ActiveDir? I think it is a bit strange because on one hand the LDAP groups are used to denote the role of a user (Leader) and on the other hand the LDAP groups are used to organize the workforce into workgroups.

I hope I managed to make my problem clear. Any help or comments would be greatly appreciated.


[ November 12, 2008: Message edited by: M. Hofstetter ]

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

Well, I'm not sure if I understood all that, but here are some answers that may help.

First, I've discovered that a lot of people tend to think of "role" as being related to a person or a group of people. The JEE security role is actually related to a business function. That is actually more flexible, since in the real world, job responsibilities tend to shift and as they shift, the security needs of the system's users shift too in order to carry out those responsibilities. That's one of the reasons why a user can participate in multiple roles. If the boss goes on holiday, the #2 may be given the ability to maintain user accounts, for example.

Requiring the role names to be coded in the application to be the same as they are in the authentication data repository would be limiting, so there is a provision in web.xml to map the external role names (LDAP, in your case) to the actual role names you reference in your application. I don't remember the exact XML elements that do that, but they're there.

An IDE is no substitute for an Intelligent Developer.
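The web.xml provision Tim refers to is <security-role-ref>: <role-name> is what the code passes to isUserInRole, <role-link> is the role the container knows from LDAP. The Servlet API has no call that hands that mapping back to the application, so one way to recover the real group for the member query in the question is to read the descriptor yourself. This is an added example, not code from the thread or from JBoss; the role and group names, the servlet name and the web.xml fragment are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RoleRefMapping {
    // Constructed web.xml fragment (hypothetical names): app role "Leader" -> LDAP group "admin", "Group1" -> "workgroup1".
    static final String WEB_XML = "<web-app><servlet><servlet-name>app</servlet-name>"
        + "<servlet-class>example.AppServlet</servlet-class>"
        + "<security-role-ref><role-name>Leader</role-name><role-link>admin</role-link></security-role-ref>"
        + "<security-role-ref><role-name>Group1</role-name><role-link>workgroup1</role-link></security-role-ref>"
        + "</servlet></web-app>";
    /** Returns role-name -> role-link for every security-role-ref in the descriptor. */
    static Map<String, String> loadRoleRefs(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Parse the descriptor as untrusted XML: no DOCTYPE, hence no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> refs = new LinkedHashMap<>();
        NodeList list = doc.getElementsByTagName("security-role-ref");
        for (int i = 0; i < list.getLength(); i++) {
            Element ref = (Element) list.item(i);
            refs.put(child(ref, "role-name"), child(ref, "role-link"));
        }
        return refs;
    }
    private static String child(Element parent, String tag) {
        return parent.getElementsByTagName(tag).item(0).getTextContent().trim();
    }
    /** Filter that locates the real LDAP group behind an application role (RFC 4515 escaping). */
    static String groupFilter(Map<String, String> refs, String appRole) {
        String ldapGroup = refs.get(appRole);
        if (ldapGroup == null) throw new IllegalArgumentException("no security-role-ref for " + appRole);
        String safe = ldapGroup.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
        return "(&(objectClass=group)(cn=" + safe + "))";
    }
    public static void main(String[] args) throws Exception {
        // A DirContext.search on the group base DN with this filter returns the group entry, whose "member" attribute lists its users.
        System.out.println(groupFilter(loadRoleRefs(WEB_XML), "Group1"));
    }
}
```

Escaping the role-link value matters once the mapping is read from a file someone else edits; a group name containing `*` or `)` must not be allowed to widen the filter.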
I agree. Here's the link: