Getting defined security-roles programmatically
Hi everybody,

I have a question concerning the information provided by the web.xml of a Tomcat web application. Within the application I can configure so-called security-roles.

Is there a way to retrieve the defined roles of the web application programmatically? I'm not talking about the roles that a user has or has not; I'm talking about the defined security-roles for the web application. In the above example the mentioned (and not known) method would return e.g. auth, admin.

Thanks for any hint on how to get this information.
Welcome to CodeRanch, Jogi Krupp!

This might be a general servlet specification related question.

The Servlet specification provides the means to configure the security for components of your application through XML. That security information is not intended to be extracted by the application, because it's not the job of the application; rather, it is domain-specific and should be configurable against components. This is the complete opposite of what you are trying to accomplish here.

But there are ways in the Servlet specification where you can use the roles defined in XML to check whether a user is in a particular role or not. Is this what you want? If not, why do you want to do this? Perhaps there may be another, better way to do what you are trying to do here...
It's bad security to volunteer ANYTHING about the security system. The conventional wisdom is that those who need to know should already know, and allowing those who don't to "fish" for potential points of attack shouldn't be an option.

I was unaware of it until just yesterday, but apparently Tomcat 6 did allow the admin app to discover roles, but Tomcat 7 removed that ability because "not all security Realms supported it". There is, in fact, no Realm API method to obtain roles, only to test to see if a user is a participant.

I should also note that roles are not actually unique to a single app. If multiple apps are all participants in a single Realm - even if it isn't an SSO Realm - then the role namespace is common to all of them. So any given app might not employ all possible roles for the Realm. Also, most Realms don't actually constrain role names, so you could define a rolename in the Realm's database (or equivalent) that might not currently be in use. Then there's the whole business with rolename remapping/aliasing.

There are times, of course, when knowing such things could be important. A sterling example would be a security administration function where you would set up user accounts and define their roles. However, it's really a lot safer not to make such a function an integral part of the application itself, but to instead make it a separate app, which might not even be a webapp, as for example in shops where they used Active Directory to manage security. In a complex enterprise, there's a lot of appeal for a Master Security Console to ride herd on users from an Enterprise perspective, instead of piecemeal. Especially since access to such an app could be limited to the Security group and/or authorized delegates.
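Since the thread concludes that the running application should not enumerate or expose its roles, the place where the declared security-roles are legitimately useful is an offline check of the deployment descriptor itself, for example in a build or review step. The following is an added example, not code from the original thread: it parses a constructed web.xml (the `auth`, `admin`, `auditor` and `manager` role names are assumed for illustration) and reports roles referenced in an auth-constraint but never declared, and declared roles no constraint uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the original post); namespace as in Servlet 3.x.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-role><role-name>auth</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>auth</role-name><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the '{namespace}' prefix so the audit works for any Servlet-spec namespace."""
    return tag.rsplit("}", 1)[-1]


def _role_names(parent):
    """Collect the text of every <role-name> below the given element."""
    return {el.text.strip() for el in parent.iter() if _local(el.tag) == "role-name" and el.text}


def audit_roles(web_xml_text):
    """Compare <security-role> declarations with roles used in <auth-constraint> elements."""
    root = ET.fromstring(web_xml_text)
    declared, referenced = set(), set()
    for el in root.iter():
        name = _local(el.tag)
        if name == "security-role":
            declared |= _role_names(el)
        elif name == "auth-constraint":
            referenced |= _role_names(el)
    wildcard = "*" in referenced  # '*' in an auth-constraint means every declared role
    referenced.discard("*")
    return {
        "declared": sorted(declared),
        "undeclared": sorted(referenced - declared),  # used but never declared
        "unused": [] if wildcard else sorted(declared - referenced),
        "wildcard": wildcard,
    }


if __name__ == "__main__":
    print(audit_roles(SAMPLE_WEB_XML))
```

Roles appearing in `servlet/security-role-ref` are deliberately left out, since those are local aliases resolved through `role-link` rather than constraint grants.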