Getting defined security-roles programmatically

Greenhorn
Hi everybody,

I have a question concerning the information provided by the web.xml of a Tomcat web application. Within the application I can configure so-called security-roles.



Is there a way to retrieve the defined roles of the web application programmatically? I'm not talking about the roles that a user has or has not, I'm talking about the defined security-roles for the web application. In the above example the mentioned (and not known) method would return e.g. auth, admin.

Thanks for any hint on how to get this information.
Bartender
Welcome to CodeRanch, Jogi Krupp!

This might be a general Servlet specification related question...

The Servlet specification provides the means to configure the security for components of your application through XML. They (the security information) are not intended to be extracted by the application, because that is not the job of the application; rather, it is domain-specific and should be configurable against components. This is the complete opposite of what you are trying to accomplish here.

But there are ways in the Servlet specification where you can use the roles defined in XML to check whether a user is in a particular role or not. Is this what you want? If not, why do you want to do this? Perhaps there may be another, better way to do what you are trying to do here...
Saloon Keeper
It's bad security to volunteer ANYTHING about the security system. The conventional wisdom is that those who need to know should already know, and allowing those who don't to "fish" for potential points of attack shouldn't be an option.

I was unaware of it until just yesterday, but apparently Tomcat 6 did allow the admin app to discover roles, but Tomcat 7 removed that ability because "not all security Realms supported it". There is, in fact, no Realm API method to obtain roles, only to test whether a user is a participant.

I should also note that roles are not actually unique to a single app. If multiple apps are all participants in a single Realm - even if it isn't an SSO Realm - then the role namespace is common to all of them. So any given app might not employ all possible roles for the Realm. Also, most Realms don't actually constrain role names, so you could define a rolename in the Realm's database (or equivalent) that might not currently be in use. Then there's the whole business with rolename remapping/aliasing.

There are times, of course, when knowing such things could be important. A sterling example would be a security administration function where you would set up user accounts and define their roles. However, it's really a lot safer not to make such a function an integral part of the application itself, but to instead make it a separate app. Which might not even be a webapp, as for example in shops where they used Active Directory to manage security. In a complex enterprise, there's a lot of appeal for a Master Security Console to ride herd on users from an Enterprise perspective, instead of piecemeal. Especially since access to such an app could be limited to the Security group and/or authorized delegates.
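Both replies above point the same way: the declared roles belong in the deployment descriptor, the running application only asks the container "is this user in role X?", and anything that enumerates roles should live in a separate admin or audit tool rather than in the webapp. The following is an added example of such a tool, not code from this thread or from Tomcat: a small Python script that reads a web.xml offline and cross-checks the `<security-role>` declarations against the roles actually used in `<auth-constraint>` elements and the `<security-role-ref>` aliases (the "rolename remapping" mentioned above, which maps the name a servlet passes to `isUserInRole()` onto a declared role). The embedded web.xml is constructed for the example; the servlet class name and URL patterns in it are placeholders.

```python
"""Offline audit of the security roles declared in a Servlet web.xml.

Added example (not from the forum thread or Tomcat): reads the deployment
descriptor directly, the way a separate admin/audit tool would, instead of
exposing role names from the running webapp.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor; class name and URL patterns are placeholders.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>reports</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <security-role-ref><role-name>MGR</role-name><role-link>admin</role-link></security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin area</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>ops</web-resource-name><url-pattern>/ops/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>auth</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def _local(tag):
    """Strip the XML namespace ({http://...}name -> name); descriptors use javaee/j2ee namespaces."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, name):
    """All elements anywhere in the tree whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem, child):
    """Text of the first direct child named `child`, or None."""
    for c in elem:
        if _local(c.tag) == child and c.text:
            return c.text.strip()
    return None


def audit_roles(web_xml):
    """Return declared roles, roles used by constraints, role-ref aliases, and mismatches."""
    root = ET.fromstring(web_xml)

    declared = {_child_text(e, 'role-name') for e in _find_all(root, 'security-role')}
    declared.discard(None)

    # Roles an <auth-constraint> actually gates a URL pattern on.
    constrained = set()
    for ac in _find_all(root, 'auth-constraint'):
        for c in ac:
            if _local(c.tag) == 'role-name' and c.text:
                constrained.add(c.text.strip())

    # <security-role-ref>: the name code passes to isUserInRole() -> declared role.
    # Without a <role-link>, the <role-name> itself must be a declared role.
    aliases = {}
    for ref in _find_all(root, 'security-role-ref'):
        name = _child_text(ref, 'role-name')
        if name:
            aliases[name] = _child_text(ref, 'role-link')

    # '*' / '**' in an <auth-constraint> are wildcards, not role names.
    real_constrained = {r for r in constrained if r not in ('*', '**')}
    alias_targets = {link or name for name, link in aliases.items()}

    return {
        'declared': sorted(declared),
        'constrained': sorted(constrained),
        'aliases': aliases,
        # Declared but never gating a URL or targeted by an alias (the app
        # "might not employ all possible roles", as the reply above notes).
        'declared_but_unused': sorted(declared - real_constrained - alias_targets),
        # Gating a URL without a <security-role> declaration; a container may
        # only warn about this at deployment, so it is worth flagging.
        'used_but_undeclared': sorted(real_constrained - declared),
        # Alias whose target is not a declared role: isUserInRole() can never match.
        'unresolved_role_links': {n: l for n, l in aliases.items() if (l or n) not in declared},
    }


if __name__ == '__main__':
    for key, value in audit_roles(SAMPLE_WEB_XML).items():
        print(f'{key}: {value}')
```

Run against the embedded descriptor, the audit reports `auth` as declared but unused, `operator` as used in a constraint without a declaration, and the `MGR` alias resolving cleanly to `admin`. Point it at a real WEB-INF/web.xml from a build artifact and it answers the original question (which roles the app declares) without the application itself ever having to volunteer that list.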