Getting defined security-roles programatically

Hi everybody,

I have a question concerning the information provided by the web.xml of a TomCat web application. Within the application I can configure so called security-roles.

<web-app> [...] <!-- Security roles referenced by this web application --> <security-role> <description>Role specifying that the user is logged in</description> <role-name>auth</role-name> </security-role> <security-role> <description>Role specifying that the user is an admin</description> <role-name>admin</role-name> </security-role> [...] </web-app>

Is there a way to retrieve the defined roles of the web-application programatically? I'm not talking about the roles that a user has or has not, I'm talking about the defined security-roles for the web-application. In the above example the mentioned (and not known) method would return e.g. auth, admin.

Thanks for any hint how to get this information.

Welcome to CodeRanch, Jogi Krupp!

This might be a general servlet specification related question....

The Servlet specification provides the means to configure the security for components of your application through XML. They are (security information) not intended to be extracted by the application because it's not the job of the application rather is an domain specific which should be configurable against components. This is the complete opposite from what you are trying to accomplish here.

But there are ways in the Servlet specification where you can use the defined roles in XML to check whether a user in a particular role or not? Is this what you want? If not why you want to do this? Perhaps there may be other better way to do what you are trying to do here...

It's bad security to volunteer ANYTHING about the security system. The conventional wisdom is that those who need to know should already know, and allowing those who don't to "fish" for potential points of attack shouldn't be an option.

I was unaware of it until just yesterday, but apparently, Tomcat6 did allow the admin app to discover roles, but Tomcat 7 removed that ability because "not all security Realms supported it". There is, in fact, no Realm API method to obtain roles, only to test to see if a user is a participant.

I should also note that roles are not actually unique to a single app. If multiple apps are all participants in a single Realm - even if it isn't an SSO Realm - then the role namespace is common to all of them. So any given app might not employ all possible roles for the Realm. Also most Realms don't actually constraint role names, so you could define a rolename in the Realm's database (or equivalent) that might not currently be in use. Then there's the whole business with rolename remapping/aliasing.

There are times, of course, when knowing such things could be important. A sterling example would be a security administration function where you would setup user accounts and define their roles. However, it's really a lot safer not to make such a function an integral part of the application itself, but to instead make it a separate app. Which might not even be a webapp, as for example shops where they used Active Directory to manage security. In a complex enterprise, there's a lot of appeal for a Master Security Console to ride herd on users from an Enterprise perspective, instead of piecemeal. Especially since access to such an app could be limited to the Security group and/or authorized delegates.