Getting defined security-roles programmatically

 
Jogi Krupp
Greenhorn
Hi everybody,

I have a question concerning the information provided by the web.xml of a Tomcat web application. Within the application I can configure so-called security-roles.



Is there a way to retrieve the defined roles of the web application programmatically? I'm not talking about the roles that a user has or has not, I'm talking about the defined security-roles for the web application. In the above example the mentioned (and not known) method would return e.g. auth, admin.

Thanks for any hint on how to get this information.
 
Vijitha Kumara
Bartender
Welcome to CodeRanch, Jogi Krupp!

This might be a general servlet specification related question....

The Servlet specification provides the means to configure the security for components of your application through XML. That security information is not intended to be extracted by the application, because it's not the job of the application; rather, it is domain-specific and should be configurable against components. This is the complete opposite of what you are trying to accomplish here.

But there are ways in the Servlet specification where you can use the roles defined in XML to check whether a user is in a particular role or not. Is this what you want? If not, why do you want to do this? Perhaps there may be another, better way to do what you are trying to do here...
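An added example, not posted by anyone in this thread, that does what the question asks on a Servlet 3.0+ container such as Tomcat 7 or later. The container's API never hands out the declared role list, so the servlet reads the webapp's own /WEB-INF/web.xml through ServletContext.getResourceAsStream, collects the security-role/role-name entries, and then applies HttpServletRequest.isUserInRole (the per-role check mentioned above) to each one. The class name DeclaredRolesServlet, the /roles path and the role names "auth" and "admin" are assumptions for illustration. Because listing role names tells an attacker what to aim for, the /roles URL should itself sit behind a security-constraint limited to an administrative role; independently of that, the servlet refuses unauthenticated callers.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/**
 * Added example (not from the original thread). Lists the <security-role>
 * names declared in this web application's WEB-INF/web.xml and reports which
 * of them the calling user holds.
 *
 * Assumptions: a Servlet 3.0+ container (javax.servlet, e.g. Tomcat 7+), and a
 * web.xml declaring roles such as "auth" and "admin" as in the question. The
 * "/roles" path is an arbitrary choice; protect it with a security-constraint.
 */
@WebServlet("/roles")
public class DeclaredRolesServlet extends HttpServlet {

    /**
     * Reads the role names declared in WEB-INF/web.xml. The Servlet API has no
     * call that returns this list, so the deployment descriptor is parsed directly.
     */
    static List<String> declaredRoles(ServletContext ctx) throws ServletException {
        List<String> roles = new ArrayList<>();
        try (InputStream in = ctx.getResourceAsStream("/WEB-INF/web.xml")) {
            if (in == null) {
                return roles; // annotation-only deployment: no web.xml to read
            }
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // web.xml is our own file, but disable DOCTYPE/external entity
            // processing anyway so a tampered deployment cannot trigger XXE.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setNamespaceAware(true);
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(in);
            // <security-role><role-name>admin</role-name></security-role>
            NodeList roleElems = doc.getElementsByTagNameNS("*", "security-role");
            for (int i = 0; i < roleElems.getLength(); i++) {
                Element roleElem = (Element) roleElems.item(i);
                NodeList names = roleElem.getElementsByTagNameNS("*", "role-name");
                for (int j = 0; j < names.getLength(); j++) {
                    roles.add(names.item(j).getTextContent().trim());
                }
            }
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new ServletException("cannot read WEB-INF/web.xml", e);
        }
        return roles;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: even if the security-constraint covering /roles is
        // missing or wrong, never list role names to an unauthenticated caller.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        for (String role : declaredRoles(getServletContext())) {
            // isUserInRole only answers for a role name you already know;
            // there is no "list my roles" call, hence the loop over web.xml.
            out.printf("%s: %s%n", role, req.isUserInRole(role) ? "member" : "not a member");
        }
    }
}
```

Note what this does not cover: roles declared only through @DeclareRoles or @ServletSecurity annotations, roles introduced by security-role-ref aliasing, and roles that exist in the Realm but are never referenced by this webapp will not appear, because the list comes from this application's descriptor and nothing else.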
 
Tim Holloway
Saloon Keeper
It's bad security to volunteer ANYTHING about the security system. The conventional wisdom is that those who need to know should already know, and allowing those who don't to "fish" for potential points of attack shouldn't be an option.

I was unaware of it until just yesterday, but apparently Tomcat 6 did allow the admin app to discover roles, but Tomcat 7 removed that ability because "not all security Realms supported it". There is, in fact, no Realm API method to obtain roles, only to test to see if a user is a participant.

I should also note that roles are not actually unique to a single app. If multiple apps are all participants in a single Realm - even if it isn't an SSO Realm - then the role namespace is common to all of them. So any given app might not employ all possible roles for the Realm. Also, most Realms don't actually constrain role names, so you could define a role name in the Realm's database (or equivalent) that might not currently be in use. Then there's the whole business with role name remapping/aliasing.

There are times, of course, when knowing such things could be important. A sterling example would be a security administration function where you would set up user accounts and define their roles. However, it's really a lot safer not to make such a function an integral part of the application itself, but to instead make it a separate app. Which might not even be a webapp, as in, for example, shops that used Active Directory to manage security. In a complex enterprise, there's a lot of appeal for a Master Security Console to ride herd on users from an Enterprise perspective, instead of piecemeal. Especially since access to such an app could be limited to the Security group and/or authorized delegates.
 