how to bypass j2ee security roles

 
Hi, I want to bypass server security, i.e. the security we define in the deployment descriptor, here:



I want my default user, say "DefUser", after authenticating against the database, to be able to access all the pages by bypassing these security-constraints.

I have been digging into a solution for 2 days but am not finding a suitable one. How can I do that?
 
"Bypassing" security sounds fishy. If you don't want to use the security constraints, remove them from web.xml. But as long as they're there, they apply to all users.
 
You may want to try posting a little more of your code.

Also, is it mandatory to put <security-constraint> tags in your DD?
 
imran tariq
Here is the example code from my web.xml



Only users having the role "Admin" can access the "ResetPassword.html" page.

There is an API that lets us test whether the current user has a specific role or not.

request.isUserInRole("Admin");

My default user "DefUser" returns false because he has no role assigned, and I get a 403 error as DefUser cannot access the "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. One of the requirements is that there could be a user like "DefUser" which should have permission to all pages while having no roles assigned to it.

I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?

http://www.imrantariq.com/blog/





 


My default user "DefUser" returns false because he has no role assigned, and I get a 403 error as DefUser cannot access the "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I log in with DefUser? Is there any other way to do it?

I do want to use the security constraints. One of the requirements is that there could be a user like "DefUser" which should have permission to all pages while having no roles assigned to it.


What you have described there is a role of some sort: an access-all or super-user role. Why not just give that user that specific role?

 
imran tariq

Why not just give that user that specific role?



I am authenticating users from LDAP. Suppose that for some reason I cannot assign "DefUser" the role of "Admin".

I just want to bypass these web-server security constraints. Is there any way to do that?

Thanks in advance.
 
Ulf Dittmer
In that case, replace

request.isUserInRole("Admin")

by

request.isUserInRole("Admin") || "DefUser".equals(request.getRemoteUser())

or -much better- move that into its own method

boolean isAdminUser (HttpServletRequest request) { ... }
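One way to implement the isAdminUser() helper suggested above is as a servlet Filter. This is an added example written for this thread, not code from the original post or from any container; the role name "Admin", the user name "DefUser" and the class name are assumptions. Note the constant-on-the-left comparison: getRemoteUser() returns null for an unauthenticated request, so request.getRemoteUser().equals("DefUser") would throw a NullPointerException. Also note what the filter cannot do: it only runs after the container has already applied any matching <security-constraint>, so it is useful for pages the application protects itself, not for overriding a container-level 403.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-level authorization check (example code for this thread).
 * Only meaningful for URLs that are NOT already covered by a container
 * <security-constraint>: the container decides those before any filter or
 * servlet runs, and nothing in here can override that decision.
 */
public class AdminAccessFilter implements Filter {

    // Assumed names: illustrative, not taken from the original post.
    private static final String ADMIN_ROLE = "Admin";
    private static final String DEFAULT_USER = "DefUser";

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * True if the container reports the caller in the Admin role, or if the
     * authenticated principal is the designated default user.
     * getRemoteUser() is null when nobody is logged in, so the constant is
     * placed on the left of equals() to avoid a NullPointerException.
     */
    static boolean isAdminUser(HttpServletRequest request) {
        return request.isUserInRole(ADMIN_ROLE)
                || DEFAULT_USER.equals(request.getRemoteUser());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAdminUser(request)) {
            // Same status the container would send for a failed auth-constraint.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a <filter-mapping> whose <url-pattern> is the page to protect, and do not also list that page in an <auth-constraint>, or the container will reject DefUser before the filter ever sees the request.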
 
imran tariq

request.isUserInRole("Admin")



J2EE provides this API, isUserInRole().
This is not my check. This check is performed by the server itself. Based on this check the server allows access to a particular resource like ResetPassword.html.

I want to bypass these J2EE security constraints. Is there any way to do that?
 
Ulf Dittmer

I want to bypass these J2EE security constraints. Is there any way to do that?


Not as long as you're using container-managed security. The proper way to do this is to set up the LDAP repository so that it corresponds to your user/permission model.
 