peeping_t
I've spent quite a few days now browsing the net and reading the
servlet specification, but I don't seem to get any wiser.
I've set up my SUN APP Server to authenticate via LDAP using predefined
roles. E.g. using this entry in sun-web.xml
<security-role-mapping>
    <role-name>SpecialUser_role</role-name>
    <group-name>cn=SpecialUser,o=GROUPS</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>SomeGroup_role</role-name>
    <group-name>cn=SomeGroup,o=GROUPS</group-name>
</security-role-mapping>
I can protect my site from users that are not part of the SpecialUser
group in LDAP using the following in web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>SpecialUser_role</role-name>
    </auth-constraint>
</security-constraint>
The tricky bit is that I have a Filter servlet that I want to use to
protect the website's highly sensitive areas even from SpecialUsers.
So adding this to the web.xml
<filter-mapping>
    <filter-name>myAuthServletFilter</filter-name>
    <url-pattern>/TopSecret/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
will make sure my filter gets called for all webpages that match
http://host/TopSecret/...
I've also made sure that the sensitive areas are all laid out like
this
http://host/TopSecret/[SpecialGroup]/somepage.html
The idea was to have code like this in my filter
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    // Path looks like /TopSecret/[SpecialGroup]/somepage.html; take the second segment
    String path = httpReq.getRequestURI().substring(httpReq.getContextPath().length());
    String[] parts = path.split("/");        // "", "TopSecret", "[SpecialGroup]", ...
    String role = parts.length > 2 ? parts[2] : "";
    if (!role.isEmpty() && httpReq.isUserInRole(role)) {
        chain.doFilter(req, res);
    } else {
        ((HttpServletResponse) res).sendError(401);
    }
}
Now, I don't know what [SpecialGroup] will be. Someone might add a new
area to the website that only users who are part of the Manager group
should be able to access.
The address would then be http://host/TopSecret/Manager/somepage.html
Finally the $10,000 question is, what are the requirements for the role
in req.isUserInRole(role). Does it need to be a predefined role listed
in the sun-web.xml?
If I don't have a role mapping in sun-web.xml am I supposed to be able
to do something like
req.isUserInRole("cn=Manager,o=GROUPS") to see if the current user is
in the Manager role? (I haven't tried the
isUserInRole("cn=Manager,o=GROUPS") yet because I don't have access to
the LDAP server)
Am I on the right track or do I need to communicate directly with the
LDAP server for this and forget about using isUserInRole?
Martin
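An added example, not the poster's code, of the per-area filter the post describes: the required role is derived from the second path segment, but only segments that map to a role the deployment actually declares are ever passed to isUserInRole, so an unknown or malformed area fails closed regardless of how the container treats undeclared role names. The role list, the "_role" naming convention and the class name are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Guards /TopSecret/[Group]/... by requiring the role named after the path's
// second segment. Added example, not the poster's code; assumes every allowed
// group is also declared as a <security-role> in web.xml and listed below.
public class AreaRoleFilter implements Filter {
    // Hypothetical allow-list mirroring the <security-role> names in web.xml.
    private static final Set<String> KNOWN_ROLES = Set.of("Manager_role", "SpecialUser_role");
    private static final String PREFIX = "/TopSecret/";

    // Returns the role a context-relative path requires, or null when the path
    // does not fit the layout or names an undeclared group (fail closed).
    static String roleForPath(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        String rest = path.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        String segment = slash < 0 ? rest : rest.substring(0, slash);
        if (segment.isEmpty() || segment.startsWith(".")) return null; // "//" or dot segments
        String role = segment + "_role"; // assumed naming convention, as in sun-web.xml
        return KNOWN_ROLES.contains(role) ? role : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        // getRequestURI() is undecoded, so an encoded segment simply fails the allow-list.
        String path = r.getRequestURI().substring(r.getContextPath().length());
        String role = roleForPath(path);
        if (role != null && r.isUserInRole(role)) {
            chain.doFilter(req, res);
        } else if (r.getUserPrincipal() == null) {
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in at all
        } else {
            w.sendError(HttpServletResponse.SC_FORBIDDEN);    // logged in, wrong group
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Mapping the filter to /TopSecret/* as in the post's filter-mapping makes every new area under that prefix inherit the check, and adding a new group means adding one entry to the allow-list plus the matching role and mapping in web.xml and sun-web.xml.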