custom security provider (role mapper) called every request

periquin el de los palotes pequeños

Joined: Apr 29, 2009
Posts: 3
I have developed a custom role mapper security provider. I have deployed it and proved it, it works great, but I have two problems with it.

It is called on every request made to the server. I was expecting the security provider to be called only the first time a client accesses the server.

For example, the default behaviour in JBoss is that: a user tries to access a secured server resource, the login module does its job, and that client has its roles associated during the whole session. The module is only called the first time.

Is there any way to achieve this, to make the role mapper security provider be called only once?

The other problem is that it is called for roles for every type of resource (JNDI, web service, URL ...). I would like it to be called only for URL requests. I can always make a big if resource == url ... but I think it is not a very "good and clean" solution.

I hope I have explained it correctly.

thank you very much in advance.
R Bieringa

Joined: Nov 04, 2009
Posts: 25
You could try to make the different requests depending on the resourcetype. So skip all stuff that's not resourcetype url. Might not look very smart. On the other hand, if you want to, you could make it configurable, which sounds a lot more elegant.

Using constructions like this one...
    for (Resource res = resource; res != null; res = res.getParentResource()) {
        // Only delegate when the resource, or one of its parents, is a URL resource
        if (res instanceof URLResource) {
            return delegate.isProtectedResource(subject, resource);
        }
    }

Best of all: wrap 'm in one method that determines what a protected-resource is and what isn't.

That should be elegant: so you can use one method to determine whether authorizations should be checked and have some sort of property file (read only once of course) that you can use to configure the resources and types that are to be protected.


periquin el de los palotes pequeños

Joined: Apr 29, 2009
Posts: 3
Thank you very much, that could be a possible solution.

But I am still worried about the security provider being called on every request.

Our security implementation implies accessing a database to do something like select roles where user = subject.getPrincipal, and there is no way to change this.

I think executing this select on every request made to the server is not really efficient. I know I can cache the results somehow, but I am looking for something similar to the JBoss implementation I mentioned in my previous post, where roles are only asked for the first time.

I have googled, no solution though. Any ideas?

thank you very much in advance again!
R Bieringa

Joined: Nov 04, 2009
Posts: 25
I think that the results (delay etc.) may depend on your database etc.
What a solution could be is caching them. That is, by adding them to your session params, you can keep 'm and omit challenging the database (like: if I haven't challenged yet, I'll challenge and stuff the results on my session).
That type of logic.

The url-based stuff, you can do that in the mapper. But you have to put it in place.
There are a number of methods (you should be able to track 'm in the "simple authentication provider" example on BEA) where you would have to implement it. Introduce a new private static method to authenticate etc. and use that from the other methods (one point of decision).
I think you should consider making a wrapper (that'll just filter the resource request like I showed before) and make it use your real role mapper. That's, I think, the cleanest.

There's always the possibility to create some kind of singleton and have that caching all security data and access it from all threads, but it seems to me that it won't make you happy.
I don't know how to make the security rolemapper only called once in another way. Maybe there is, but I'm not a real expert in that area. But I also think that the authentication/security implementations of JBoss and BEA differ.
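
The wrapper-plus-cache approach discussed in this thread, as an added example that is not code from either poster or from WebLogic: it skips non-URL resources and caches each user's roles for a bounded time, so a revoked role can stay in effect for at most the TTL unless `invalidate` is called. `Resource`, `UrlResource`, `JndiResource` and `CachingRoleLookup` are hypothetical stand-ins for the container's types, and Java 16+ is assumed for records.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

public class RoleCacheDemo {
    // Stand-ins for the container's resource types (hypothetical, not the WebLogic classes).
    interface Resource { Resource getParentResource(); }
    record UrlResource(String path, Resource parent) implements Resource {
        public Resource getParentResource() { return parent; }
    }
    record JndiResource(String name) implements Resource {
        public Resource getParentResource() { return null; }
    }

    /** Filters on resource type, then serves roles from a per-user cache with a bounded lifetime. */
    static final class CachingRoleLookup {
        private record Entry(Set<String> roles, long expiresAt) {}
        private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
        private final Function<String, Set<String>> dbLookup; // the "select roles where user = ?"
        private final long ttlMillis;
        CachingRoleLookup(Function<String, Set<String>> dbLookup, long ttlMillis) {
            this.dbLookup = dbLookup;
            this.ttlMillis = ttlMillis;
        }
        Set<String> rolesFor(String user, Resource resource) {
            if (!isUrlResource(resource)) return Set.of(); // JNDI etc.: contribute nothing, no DB hit
            long now = System.currentTimeMillis();
            // compute() is atomic per key, so concurrent requests trigger one query per TTL window
            return cache.compute(user, (u, e) -> (e != null && e.expiresAt() > now)
                    ? e : new Entry(Set.copyOf(dbLookup.apply(u)), now + ttlMillis)).roles();
        }
        /** Call on logout or when a user's roles change, so revocation does not wait for the TTL. */
        void invalidate(String user) { cache.remove(user); }
        private static boolean isUrlResource(Resource resource) {
            for (Resource r = resource; r != null; r = r.getParentResource())
                if (r instanceof UrlResource) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        int[] queries = {0}; // counts simulated database round trips
        CachingRoleLookup lookup =
                new CachingRoleLookup(u -> { queries[0]++; return Set.of("manager"); }, 60_000);
        Resource page = new UrlResource("/app/admin", null);   // constructed sample resources
        lookup.rolesFor("alice", page);                        // first request queries the database
        lookup.rolesFor("alice", page);                        // served from cache
        lookup.rolesFor("alice", new JndiResource("jdbc/ds")); // filtered out before any lookup
        lookup.invalidate("alice");
        lookup.rolesFor("alice", page);                        // re-queried after invalidation
        System.out.println("database queries: " + queries[0]);
    }
}
```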