Ldap and security-role-ref mappings

M. Hofstetter
Greenhorn

Joined: Nov 12, 2008
Posts: 2
Hello

I am building an application that authenticates its users on an LDAP server (Active Directory). I am using the LdapExtLoginModule of JBoss. This works well for the authentication of users.

However, I have to get further information from the LDAP server. For example I need the name and surname of a user. To do this I am currently using a javax.naming.Context and a filter on the attributes I am interested in.


Furthermore I want to map the role name from the LDAP name to a name we use inside our application for authorization purposes. To achieve this we used the <security-role-ref> element in the web.xml:

<security-role-ref>
  <role-name>Leader</role-name>
  <role-link>groupleader</role-link>
</security-role-ref>
...

So a call to isUserInRole("Leader") returns true for an admin. I do this to be more independent of the underlying LDAP representation of the roles.

The problem is the following:
The application has some methods where a group leader displays data of the members of the group he is in. So in LDAP he is a member of the groupleader group and a member of the group that he leads.

Example:


So now I would like to get all the members of workgroup1 from the LDAP server. I can do this using javax.naming (directory.DirContext etc.). This does not work, however, with the mapped names, since LDAP does not know about them.

So my question is: can I somehow get the mapping for Group1 to the real LDAP group (workgroup1) from the server, so I can use it to query LDAP for every member in that group?

Also, on a more general note: is this the right way to represent groups in an Active Directory? I think it is a bit strange because on one hand the LDAP groups are used to denote the role of a user (Leader) and on the other hand the LDAP groups are used to organize the workforce into workgroups.

I hope I managed to make my problem clear. Any help or comments would be greatly appreciated.

Cheers
MH

[ November 12, 2008: Message edited by: M. Hofstetter ]
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15960

Well, I'm not sure if I understood all that, but here are some answers that may help.

First, I've discovered that a lot of people tend to think of "role" as being related to a person or a group of people. The JEE security role is actually related to a business function. That is actually more flexible, since in the real world, job responsibilities tend to shift and as they shift, the security needs of the system's users shift too in order to carry out those responsibilities. That's one of the reasons why a user can participate in multiple roles. If the boss goes on holiday, the #2 may be given the ability to maintain user accounts, for example.

Requiring the role names to be coded in the application to be the same as they are in the authentication data repository would be limiting, so there is a provision in web.xml to map the external role names (LDAP, in your case) to the actual role names you reference in your application. I don't remember the exact XML elements that do that, but they're there.


Customer surveys are for companies who didn't pay proper attention to begin with.