
Authorize users via JNDIRealm without groups  RSS feed

 
Jay Sokolovsky
Greenhorn
Posts: 2
I have configured Tomcat 8.0.15 to leverage my company's Microsoft LDS environment via JNDIRealm. The authentication portion of my setup is working correctly as I see the following in catalina.out:

20-Dec-2014 15:17:41.206 FINE [http-nio-8080-exec-4] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "sokoljp" with realm "org.apache.catalina.realm.JNDIRealm"

Now I want to be able to authorize MS LDS users to the manager-gui role of the Tomcat Manager application. But, here's the catch - I do not want to use MS LDS groups to define the roles - I want to be able to hard code userIDs in the Manager web.xml instead.

Is this achievable?
 
Tim Holloway
Saloon Keeper
Posts: 18789
Welcome to the JavaRanch, Jay!

Hard-coding user IDs in a webapp isn't very flexible. It means that every time user responsibilities change, the WAR has to be rebuilt. It means that if Joe S. goes on vacation and Mike R. handles his responsibilities in the interim, you'd have to rebuild. And re-rebuild when Joe S. came back. If Sally G. got hospitalized because her selfie-taking quadrotor went berserk, it would be an emergency rebuild. And then there's the ever-popular "rightsizing" where the entire security staff is terminated and responsibility for security is given over to the janitor.

Using Role-Based Access Control (RBAC) means that you don't have to rebuild. You simply re-assign roles. It's a trivial operation that can be done by a security administrator without the need for programming skills, access to source code, or build tools.

And, as your organization gets progressively leaner, you can pile more and more roles on whoever's remaining.

So the long and short of it is, no. J2EE doesn't work with user-based access control. User rights are determined by whatever role(s) they are assigned.
 
Jay Sokolovsky
Greenhorn
Posts: 2
Thanks for the quick reply! I totally understand what you are saying - and I think I wasn't overly specific. My specific question is about the Tomcat manager application web.xml. In the <security-role> section I can add a JNDIRealm group using the <group-name> tag. Is there a corresponding tag for <user-name>? If not, is there a way to configure the JNDIRealm 'groups' function to actually use users instead?
 
Tim Holloway
Saloon Keeper
Posts: 18789
No, there's no provision for user names in web.xml. You're not defining/referencing "groups", you're defining and referencing security roles.

If you were to use a database-backed Realm, there would (usually) be 2 tables. One containing authentication info (userid/password) and one containing role mappings (userid/rolename). So you could add a role for a user via a simple database insert operation.

JNDI/LDAP/Active Directory has the same basic concept except that there are 2 ways to authenticate. You can either set the Realm up to present the userid and password to the LDAP server for validation or you can instruct the Realm to connect to the server using the userid and password (if it connects, the user is logged in, otherwise login is rejected).

Likewise there are 2 ways to map roles to the user. You can either attach the roles to the user directory entry or you can define group entries and add users to those groups. I prefer the latter option because it's easy to see who's in a group. Usually there's a group for each app, a set of sub-groups for each role and the sub-groups are groupOfUniqueNames or memberUids. Note, however, that Tomcat's role-space doesn't actually make roles specific to just one app. You could define a role named "superAdministrator" and assign it to Dr. Evil and every app that declared and used superAdministrator with that particular role would be controlled by it.

It's a little bit messier if you use Active Directory. AD isn't as flexible as generic LDAP (not without extra-cost add-ins, anyway) and you'll usually want to co-ordinate with the structures that it uses for Windows authentication and authorization so as not to have the mess and bother of repeated/redundant user definitions. I've done that as well, using only the documents Tomcat provides and it was possible even when I wasn't granted direct access to the AD tools and the people who were were basically minimum-wage flunkies who didn't understand what I was doing. But we prevailed.
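For readers following Tim's description of the two role-mapping styles, here is an added server.xml JNDIRealm fragment (not from the thread or from Tomcat's own docs) that wires the group-based layout he prefers, with the attach-roles-to-the-user alternative noted in a comment. All hostnames, DNs, attribute names and the service-account name are constructed placeholders; only the Realm attribute names are real JNDIRealm attributes.

```xml
<!-- Added example: JNDIRealm in Tomcat's server.xml (inside <Engine> or <Host>).
     The Realm first binds with the read-only service account to look the user up,
     then binds as that user to validate the password (Tim's "connect as the user" mode).
     Placeholder values: lds.example.internal, the DNs, and "tomcat-svc". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://lds.example.internal:636"
       connectionName="CN=tomcat-svc,OU=Service Accounts,DC=example,DC=internal"
       connectionPassword="PLACEHOLDER-SERVICE-ACCOUNT-PASSWORD"

       userBase="OU=People,DC=example,DC=internal"
       userSearch="(uid={0})"
       userSubtree="true"

       roleBase="OU=Tomcat,OU=Groups,DC=example,DC=internal"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true" />

<!-- How the group style maps onto the Manager app:
     a groupOfUniqueNames entry whose cn is "manager-gui" and whose uniqueMember
     list holds the user's DN yields the role "manager-gui", which the Manager's
     unmodified web.xml already declares in <security-role>. Adding or removing a
     uniqueMember changes who can reach the Manager with no WAR rebuild.
     On Active Directory / AD LDS the group objectClass is "group" and the
     membership attribute is "member", so roleSearch becomes "(member={0})". -->

<!-- Alternative (roles attached to the user entry instead of group entries):
     drop the four role* attributes above and name the multi-valued user
     attribute that lists role names, e.g. a constructed attribute "tomcatRole":
       userRoleName="tomcatRole"
     Each value of that attribute on the user's entry becomes one role. -->
```

The {0} in userSearch is replaced by the login name and the {0} in roleSearch by the user's full DN, which is why roleSearch must match on the DN-valued membership attribute rather than on uid.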