
How to fetch the list of users using the role name?

 
Ramesh Etta
Ranch Hand
Posts: 47
Hi,

I am using JDBC/LDAP realm for authentication and I need to fetch the list of user names using the role name.

Is there any API method that GlassFish provides to achieve this, or how can we achieve this?


Thanks
Ramesh
 
Paul Clapham
Sheriff
Posts: 22374
Normally when you try to authenticate a user, it isn't necessary to know about any other users. Could you explain why your authentication procedure needs this list? It's possible you could change your procedure instead of trying to solve this problem.
 
Tim Holloway
Bartender
Posts: 18662
If you are using the stock JDBC or LDAP Realms, they aren't going to know or care. Their authenticate() functions perform the equivalent of this SQL statement:


And if the count is 0, the user fails authentication. And if it's greater than 1, something's wrong with the password table.

Good security means not fetching back any data that you don't have to. If you'll notice, at no time does the true user ID or password appear in the authentication query. Only the database server can tell if there's a match and the response is basically yes/no (1/0).

The equivalent for the isUserInRole() authorization method is:


Again, the role(s) that the user participates in are never returned to the web application server from the database server.

If you actually wanted to do this:


You'd have to open the database within the webapp itself and do the query yourself in application code.

The Container-Managed security system doesn't expose the database (or LDAP server, whatever) to the application itself in any way shape or form. Which is what makes it easy to make authentication and authorization plug-replaceable. You can test a webapp using your own set of user IDs and passwords (for example, Tomcat's tomcat-users.xml file), then when it goes to production, aim the production server at your LDAP or JDBC credentials/authority store. No changes in the application logic or WAR required.
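As an added illustration (not code from this thread or from GlassFish), the three query shapes Tim describes run against a constructed in-memory SQLite database: a count-only credential check, a count-only role check, and the users-by-role query the application would have to run itself. The table layout, column names and SHA-256 digest are assumptions standing in for whatever the real realm is configured with.

```python
import hashlib
import sqlite3

# Constructed sample schema (assumption: a users table with digested
# passwords and a groups table mapping user IDs to role names; the table
# and column names are hypothetical).
SCHEMA = """
CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE groups (userid TEXT NOT NULL, groupid TEXT NOT NULL);
"""


def digest(password: str) -> str:
    # Stand-in for the realm's configured digest algorithm.
    return hashlib.sha256(password.encode()).hexdigest()


def open_sample_db() -> sqlite3.Connection:
    # Constructed sample users and role memberships.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", digest("alice-pw")),
        ("bob", digest("bob-pw")),
        ("carol", digest("carol-pw")),
    ])
    conn.executemany("INSERT INTO groups VALUES (?, ?)", [
        ("alice", "admin"), ("alice", "user"),
        ("bob", "user"), ("carol", "user"),
    ])
    return conn


def authenticate(conn, userid: str, password: str) -> bool:
    # Only a row count comes back; the stored digest is never returned.
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE userid = ? AND password = ?",
        (userid, digest(password)),
    ).fetchone()
    if count > 1:
        raise RuntimeError("duplicate credential rows for %s" % userid)
    return count == 1


def is_user_in_role(conn, userid: str, role: str) -> bool:
    # Same pattern: a yes/no answer, not the user's list of roles.
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM groups WHERE userid = ? AND groupid = ?",
        (userid, role),
    ).fetchone()
    return count >= 1


def users_in_role(conn, role: str) -> list:
    # The realm never does this; the webapp must query the store itself.
    rows = conn.execute(
        "SELECT userid FROM groups WHERE groupid = ? ORDER BY userid", (role,)
    ).fetchall()
    return [r[0] for r in rows]
```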
 