
request.isUserInRole()

 
Yogesh Hingmire
Ranch Hand
Posts: 61
Hi,

I read that mapping of the users to the roles is container dependent (e.g., in Tomcat you have tomcat-users.xml); also, it says that an application may make use of looking up the database to see what roles a particular user has.

In that case, say I perform an authentication (looking up the db) and verify that the user has the correct credentials and forward that request to a servlet.

1) Now in such a scenario, will the implementation of request.isUserInRole() in a servlet make sense, or will I have to write my own method to check the user's role and take a decision in the servlet?

2) Does request.isUserInRole() apply in declarative security as opposed to programmatic security?

Regards,
Yogesh
 
Yogesh Hingmire
Ranch Hand
Posts: 61
Any takers for this one!! Charles..?

Thanks,
Yogesh
 
Charles Lyons
Author
Ranch Hand
Posts: 836
I read that mapping of the users to the roles is container dependent (e.g., in Tomcat you have tomcat-users.xml); also, it says that an application may make use of looking up the database to see what roles a particular user has.
This is correct: declarative security is supposed to work across all containers in your server. For example (with single sign-on enabled), it should be possible to log in to a Web application and have the client's credentials persisted to an EJB container in the same server.

You can, at any time, invent your own programmatic security mechanisms, but for these to interoperate with the container, you have to plug them into the container's interface. So, programmatic security only works if you are careful to design a system compatible with your container - and yes, this is container-dependent.

To answer your numbered questions, if you do want to take advantage of container services (including declarative authorisation configured in the DD), you'll need to build classes compatible with your container. It isn't sufficient just to do checks in a database and forward to another servlet... this is only good if you are writing a completely new application-specific security scheme and aren't relying on the container's security model at all.

Therefore:

1) No, this method will always return false if you haven't used a correct container security mechanism.

2) This is an almost correct statement: there are two types of programmatic security, the first where you choose to work with the container, the second where you develop a completely separate security model. In the first case the method will work as expected, in the second it will always return false.

Note that it is often not necessary to build your own security realms (a realm is basically a standard for performing user authentication), as containers tend to ship with the most common ones. For example, as well as tomcat-users.xml you mentioned (the MemoryRealm), Tomcat also supplies the JDBCRealm for interfacing with SQL databases. For more information, see the Tomcat configuration docs:

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

There are links on that page to the standard JAAS modules which allow you to build custom security mechanisms which still interface with your container.
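To make the answer above concrete, here is an added example (not code from the thread or from Charles's book) of a servlet that relies on the container's security model, so that request.isUserInRole() gives a meaningful answer. The web.xml fragment in the leading comment, the role names "manager" and "auditor", the /reports/* URL pattern and the class name ReportServlet are all assumptions chosen for illustration; the user-to-role mapping itself is assumed to live in the container's realm (tomcat-users.xml for the MemoryRealm, or a users/roles table for the JDBCRealm), exactly as the reply describes.

```java
// Added example, not from the original thread: a servlet that works WITH the
// container's security model, so request.isUserInRole() is meaningful.
//
// Assumed declarative configuration in WEB-INF/web.xml (Servlet 2.4 style):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>manager</role-name>
//       <role-name>auditor</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>manager</role-name></security-role>
//   <security-role><role-name>auditor</role-name></security-role>
//
// The user-to-role mapping is NOT in the application: it lives in the
// container's realm (Tomcat MemoryRealm via tomcat-users.xml, or a JDBCRealm
// reading a users/roles table). The servlet never queries it directly.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();

        // If the container did not authenticate this request (no realm, no
        // <login-config>, or a home-grown DB check that never told the container),
        // getUserPrincipal() is null and isUserInRole() returns false for EVERY
        // role - this is the "always returns false" case from the reply above.
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Container authentication is not in effect for this request");
            return;
        }

        // Programmatic check layered on top of the declarative constraint:
        // the DD already limits /reports/* to manager or auditor; here the
        // servlet makes a finer-grained decision the DD alone cannot express.
        boolean canExport = request.isUserInRole("manager");

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Authenticated as: " + user.getName());
        out.println("Export allowed: " + canExport);
        if (!canExport) {
            // auditors (the only other role the constraint admits) get read-only output
            out.println("Read-only view");
        }
    }
}
```

The role name passed to isUserInRole() is looked up against the roles declared in the DD; if you want the code to use an internal name that differs from the deployed role, a <security-role-ref> element in the servlet's web.xml entry maps the coded name to the real one, which keeps the servlet independent of how a particular deployment names its roles.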
 
Yogesh Hingmire
Ranch Hand
Posts: 61
Thanks Charles!!! By the way, I read your chapter no. 18 on security and was impressed by the same. I will definitely have a read of the entire book..

Thanks again
Yogesh
 
Charles Lyons
Author
Ranch Hand
Posts: 836
If you're interested in custom security, those documents listed on page 521 of Chapter 18 might be of use as well as the Tomcat link above.
 