how to bypass j2ee security roles

imran tariq
Greenhorn

Joined: Mar 10, 2010
Posts: 24

Hi, I want to bypass server security, i.e. in the deployment descriptor we define security here



I want my default user, say "DefUser", after authenticating from the database, to be able to access all the pages by bypassing these security-constraints.

I have been digging into a solution for 2 days but am not finding a suitable one. How can I do that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
"Bypassing" security sounds fishy. If you don't want to use the security constraints, remove them from web.xml. But as long as they're there, they apply to all users.
Ashutosh M Kulkarni
Ranch Hand

Joined: Jun 07, 2010
Posts: 41

You may wanna try posting a little more of your code.

Also, is it mandatory to put <security-constraint> tags in your DD?


SCJP 6, next stop - OCPJWCD!
imran tariq
Greenhorn

Joined: Mar 10, 2010
Posts: 24

Here is the example code from my web.xml



Only user having role "Admin" can access "ResetPassword.html" page.

There is an API that lets us test whether the current user has a specific role or not.

request.isUserInRole("Admin");

My default user "DefUser" is returning false because he has no role assigned, and I get a 403 error as DefUser cannot access the "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. This is one of the requirements that there could be a user like "DefUser" which should have permission to all pages having no roles assigned to it.

I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?

http://www.imrantariq.com/blog/

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336


My default user "DefUser" is returning false because he has no role assigned, and I get a 403 error as DefUser cannot access the "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. This is one of the requirements that there could be a user like "DefUser" which should have permission to all pages having no roles assigned to it.

What you have described there is some sort of access-all or super-user role. Why not just give that user that specific role?


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
imran tariq
Greenhorn

Joined: Mar 10, 2010
Posts: 24

Why not just give that user that specific role?


I am authenticating users from LDAP. For some reason suppose I cannot assign "DefUser" the role of "Admin".

I just want to bypass these web-server security constraints. Is there any way to do that?

Thanks in advance.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
In that case, replace

request.isUserInRole("Admin")

by

request.isUserInRole("Admin") || request.getRemoteUser().equals("DefUser")

or -much better- move that into its own method

boolean isAdminUser (HttpServletRequest request) { ... }
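The suggestion above, written out as an added example (this is not code from the thread or from any container vendor). The role name "Admin" and the user name "DefUser" are the ones used in this thread; the class name AdminCheck, the method isAdminUser and the ResetPasswordServlet are assumptions for illustration. Note what the helper can and cannot do: it is an application-level check, so it only runs after the container has already applied whatever <security-constraint> covers the URL. It does not change the container's own decision.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: Ulf's "Admin or DefUser" rule kept in one helper so every
 * servlet/JSP applies the same test. Names other than "Admin" and "DefUser"
 * are assumptions made for this example.
 */
public final class AdminCheck {

    static final String ADMIN_ROLE = "Admin";   // role from the thread's web.xml
    static final String SUPER_USER = "DefUser"; // user from the thread

    private AdminCheck() {}

    /**
     * True when the container reports the caller in the Admin role, or when
     * the authenticated principal is the designated super user.
     *
     * getRemoteUser() returns null for an unauthenticated request, so the
     * constant is on the left of equals(): no NullPointerException, and an
     * unauthenticated caller is never mistaken for DefUser.
     */
    public static boolean isAdminUser(HttpServletRequest request) {
        if (request == null) {
            return false;
        }
        if (request.isUserInRole(ADMIN_ROLE)) {
            return true;
        }
        return SUPER_USER.equals(request.getRemoteUser());
    }

    /**
     * Servlet guarding an admin-only action with the helper. This runs only if
     * the container let the request reach the servlet; a <security-constraint>
     * on the same URL is evaluated by the container first and is not affected
     * by this code.
     */
    public static class ResetPasswordServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (!isAdminUser(req)) {
                // Same status the container sends when its own role check fails.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("Password reset form for " + req.getRemoteUser());
        }
    }
}
```

To use it, map ResetPasswordServlet to a URL in web.xml (the mapping is not shown and is left to the deployment). The design point is that the super-user rule is now a one-line change in one place rather than scattered across pages. The caveat is the one the thread itself goes on to make: for a static resource such as ResetPassword.html no servlet runs at all, and for any URL covered by a <security-constraint> the container checks the role before this code executes, so DefUser still needs the Admin role (or an equivalent role mapping) on the container side to get past that constraint.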
imran tariq
Greenhorn

Joined: Mar 10, 2010
Posts: 24

request.isUserInRole("Admin")


J2EE provides this API. isUserInRole()
This is not my check. This check is performed by the server itself. Based on this check the server allows access to a particular resource like ResetPassword.html.

I want to bypass the J2EE security constraints. Is there any way to do that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
I want to bypass the J2EE security constraints. Is there any way to do that?

Not as long as you're using container-managed security. The proper way to do this is to set up the LDAP repository so that it corresponds to your user/permission model.