
how to bypass j2ee security roles

 
imran tariq
Greenhorn
Posts: 24
Hi, I want to bypass server security, i.e. the security we define in the deployment descriptor here:



I want my default user, say "DefUser", to be able to access all the pages after authenticating from the database, bypassing these security-constraints.

I have been digging into a solution for 2 days but am not finding a suitable one. How can I do that?
 
Ulf Dittmer
Rancher
Posts: 42967
"Bypassing" security sounds fishy. If you don't want to use the security constraints, remove them from web.xml. But as long as they're there, they apply to all users.
 
Ashutosh M Kulkarni
Ranch Hand
Posts: 41
You may wanna try posting a little more of your code.

Also, is it mandatory to put <security-constraint> tags in your DD?
 
imran tariq
Greenhorn
Posts: 24
Here is the example code from my web.xml



Only user having role "Admin" can access "ResetPassword.html" page.

There is an API that lets us test whether the current user has a specific role or not.

request.isUserInRole("Admin");

My default user "DefUser" is returning false because he has no role assigned, and I get a 403 error as DefUser cannot access "ResetPassword.html". Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. One of the requirements is that there could be a user like "DefUser" which should have permission to access all pages while having no roles assigned to it.

I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?

http://www.imrantariq.com/blog/
 
Paul Sturrock
Bartender
Posts: 10336

My default user "DefUser" is returning false because he has no role assigned, and I get a 403 error as DefUser cannot access "ResetPassword.html". Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. One of the requirements is that there could be a user like "DefUser" which should have permission to access all pages while having no roles assigned to it.

What you have described there is some sort of access-all or super-user role. Why not just give that user that specific role?

 
imran tariq
Greenhorn
Posts: 24
Why not just give that user that specific role?


I am authenticating users from LDAP. For some reason suppose I cannot assign "DefUser" the role of "Admin".

I just want to bypass these web-server security constraints. Is there any way to do that?

Thanks in advance.
 
Ulf Dittmer
Rancher
Posts: 42967
In that case, replace

request.isUserInRole("Admin")

by

request.isUserInRole("Admin") || "DefUser".equals(request.getRemoteUser())  // constant first: getRemoteUser() is null for an unauthenticated request

or -much better- move that into its own method

boolean isAdminUser (HttpServletRequest request) { ... }
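The check Ulf sketches, worked into a servlet filter as an added example; this is not code from the thread, and the names AdminAccessFilter and SUPER_USER are mine. It assumes Servlet 3.0 annotations (with a Servlet 2.x descriptor the same class is registered through <filter> and <filter-mapping> in web.xml). The caveat it encodes is the one imran raises further down: the container evaluates <security-constraint> before any filter runs, so for this check to ever be reached the Admin-only constraint on /ResetPassword.html has to be removed or relaxed so that DefUser passes it (on Servlet 3.1 containers `<role-name>**</role-name>` means "any authenticated user"; plain `*` only covers declared roles, which DefUser does not hold). Authentication then stays with the container and this one authorization decision moves into the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-level authorization for ResetPassword.html: the "Admin" role OR
 * the special account "DefUser" may pass, everyone else gets 403.
 *
 * This runs only after the container has let the request through, so the
 * Admin-only <security-constraint> for this URL must not be in web.xml any
 * more, otherwise the container answers 403 before this filter is invoked.
 */
@WebFilter("/ResetPassword.html")   // assumed URL; matches the page named in the thread
public class AdminAccessFilter implements Filter {

    // Hypothetical constant for the bypass account named in the thread.
    static final String SUPER_USER = "DefUser";

    /**
     * Null-safe version of the expression from the thread. getRemoteUser()
     * returns null when the container has not authenticated the request
     * (which happens once the constraint on this URL is removed), and an
     * anonymous caller must never be treated as the super user.
     */
    static boolean isAdminUser(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null) {
            return false;
        }
        // Note: the comparison is case-sensitive; the realm decides the exact
        // spelling of the principal name, so check what it actually returns.
        return request.isUserInRole("Admin") || SUPER_USER.equals(user);
    }

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAdminUser(request)) {
            // Same outcome the container gives for a failed auth-constraint.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two things to keep in mind if you go this way: a user name hard-coded in Java is a second, invisible access-control list that nobody auditing web.xml or LDAP will see, and it only protects URLs that have a filter mapping, whereas a container constraint covers every path under its url-pattern. Both are reasons to prefer the role-based fix Ulf gives later in the thread.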
 
imran tariq
Greenhorn
Posts: 24
request.isUserInRole("Admin")


J2EE provides this API: isUserInRole().
This is not my check. This check is performed by the server itself. Based on this check the server allows access to a particular resource like ResetPassword.html.

I want to bypass the J2EE security constraints. Is there any way to do that?
 
Ulf Dittmer
Rancher
Posts: 42967
I want to bypass the J2EE security constraints. Is there any way to do that?

Not as long as you're using container-managed security. The proper way to do this is to set up the LDAP repository so that it corresponds to your user/permission model.
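What "make the realm match the permission model" looks like in descriptors, as an added example (not configuration from the thread). The web.xml part is reconstructed from what imran describes (role "Admin", page "ResetPassword.html"); the web-resource-name, url-pattern, auth-method, realm name and the group name "admins" are assumptions. The second file is GlassFish/Payara specific: glassfish-web.xml can map a role to individual principals as well as to groups, which grants DefUser the "Admin" role for this application without touching LDAP or weakening the constraint.

```xml
<!-- web.xml: the container-managed constraint the thread is about -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Password reset</web-resource-name>
      <url-pattern>/ResetPassword.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only principals holding "Admin" pass; there is no per-user exception here,
           so DefUser must end up holding this role. -->
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>          <!-- assumed; FORM behaves the same -->
    <realm-name>ldapRealm</realm-name>        <!-- assumed name of the LDAP realm -->
  </login-config>

  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>

<!-- glassfish-web.xml (GlassFish/Payara): per-application role mapping.
     Real admins get "Admin" through their LDAP group; DefUser gets it by name. -->
<glassfish-web-app>
  <security-role-mapping>
    <role-name>Admin</role-name>
    <principal-name>DefUser</principal-name>
    <group-name>admins</group-name>           <!-- assumed LDAP group of the real admins -->
  </security-role-mapping>
</glassfish-web-app>
```

Tomcat has no per-user mapping of this kind: with JNDIRealm the roles a user holds are exactly the LDAP groups found by roleBase/roleSearch, so there DefUser has to become a member of the group the realm reports as "Admin", which is Ulf's "set up the LDAP repository" advice taken literally. Whichever container you use, treat the mapping as what it is, a standing super-user grant: keep it in a dedicated group rather than a named account where you can, and review its membership like any other privileged group.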
 