Ldap and security-role-ref mappings

Hello

I am building an application that authenticates its users on an LDAP server (Active Directory). I am using the LdapExtLoginModule of JBoss. This works well for the authentication of users.

However, I have to get further information from the LDAP server. For example, I need the name and surname of a user. To do this I am currently using a javax.naming.Context and a filter on the attributes I am interested in.


Furthermore, I want to map the role name from the LDAP name to a name we use inside our application for authorization purposes. To achieve this we used the <security-role-ref> element in the web.xml:

<security-role-ref>
    <role-name>Leader</role-name>
    <role-link>groupleader</role-link>
</security-role-ref>
...

So a call to isUserInRole("Leader") returns true for an admin. I do this to be more independent of the underlying ldap representation of the roles.

The problem is the following:
The application has some methods where a groupleader displays data of the members of the group he is in. So in ldap he is member of the groupleader-group and member of the group that he leads.

Example:


So now I would like to get all the members of workgroup1 from the ldap server. I can do this using javax.naming (directory.DirContext etc). This does not work however with the mapped names, since ldap does not know about them.

So my question is: Can I somehow get the mapping for Group1 to the real ldap group (workgroup1) from the server, so I can use it to query ldap for every member in that group?

Also, on a more general note: is this the right way to represent groups in an Active Directory? I think it is a bit strange because on one hand the LDAP groups are used to denote the role of a user (Leader) and on the other hand the LDAP groups are used to organize the workforce into workgroups.

I hope I managed to make my problem clear. Any help or comments would be greatly appreciated.

Cheers
MH

[ November 12, 2008: Message edited by: M. Hofstetter ]
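As an added example (not code from the post or from JBoss), here is one way to do the lookup the question asks about: the role-name to role-link mapping lives in web.xml, not in the directory, so the application reads it from the deployment descriptor and then uses the role-link to search for the group's members, escaping the name per RFC 4515 so a value taken from configuration or a request cannot change the filter's structure. It assumes that role-link equals the AD group's cn, and that the caller supplies the DirContext and the search base (groupBase); WEB_XML is a constructed fragment in the shape of the snippet above.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class RoleRefLookup {
    // Constructed web.xml fragment in the shape of the post's snippet; assumption: role-link equals the AD group cn.
    static final String WEB_XML = "<web-app><servlet><servlet-name>s</servlet-name>"
        + "<security-role-ref><role-name>Leader</role-name><role-link>groupleader</role-link></security-role-ref>"
        + "<security-role-ref><role-name>Group1</role-name><role-link>workgroup1</role-link></security-role-ref>"
        + "</servlet></web-app>";
    /** role-name (what isUserInRole sees) -> role-link (the group name the container and LDAP know). */
    static Map<String, String> roleRefs(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(webXml.getBytes("UTF-8")));
        Map<String, String> map = new HashMap<>();
        NodeList refs = doc.getElementsByTagName("security-role-ref");
        for (int i = 0; i < refs.getLength(); i++) {
            Element e = (Element) refs.item(i);
            map.put(e.getElementsByTagName("role-name").item(0).getTextContent().trim(),
                    e.getElementsByTagName("role-link").item(0).getTextContent().trim());
        }
        return map;
    }
    /** RFC 4515 escaping so a group name from config or a request cannot alter the filter's structure. */
    static String escapeFilter(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray())
            b.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return b.toString();
    }
    /** Resolve an application role to its AD group and return that group's member DNs (groupBase is assumed). */
    static List<String> membersOfRole(DirContext ctx, Map<String, String> refs, String appRole,
                                      String groupBase) throws Exception {
        String ldapGroup = refs.get(appRole);
        if (ldapGroup == null) throw new IllegalArgumentException("no security-role-ref for " + appRole);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"member"}); // only the attribute we need, nothing else
        String filter = "(&(objectClass=group)(cn=" + escapeFilter(ldapGroup) + "))";
        List<String> members = new ArrayList<>();
        for (NamingEnumeration<SearchResult> r = ctx.search(groupBase, filter, sc); r.hasMore();) {
            Attribute m = r.next().getAttributes().get("member");
            for (int i = 0; m != null && i < m.size(); i++) members.add((String) m.get(i));
        }
        return members;
    }
}
```

The returned values are member DNs; for large AD groups the member attribute is range-paged and the search would need the paged-results control, which this example does not handle.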
Saloon Keeper
Well, I'm not sure if I understood all that, but here are some answers that may help.

First, I've discovered that a lot of people tend to think of "role" as being related to a person or a group of people. The JEE security role is actually related to a business function. That is actually more flexible, since in the real world, job responsibilities tend to shift and as they shift, the security needs of the system's users shift too in order to carry out those responsibilities. That's one of the reasons why a user can participate in multiple roles. If the boss goes on holiday, the #2 may be given the ability to maintain user accounts, for example.

Requiring the role names to be coded in the application to be the same as they are in the authentication data repository would be limiting, so there is a provision in web.xml to map the external role names (LDAP, in your case) to the actual role names you reference in your application. I don't remember the exact XML elements that do that, but they're there.