java - Servlet - isUserInRole()




Spec:

Servlet: 3.0, Java: 7, Tomcat: 7.0.54

Intro:

It is possible to check programmatically whether a user has a specific role using the method HttpServletRequest.isUserInRole().

For example:

```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    String username = null;
    String password = null;
    // get username and password manually from the Authorization header
    // ...
    // validate them against the realm configured in <login-config>
    request.login(username, password);
    if (request.isUserInRole("boss")) {
        // do something
    } else {
        // do something else
    }
    // drop the principal set by login() before the request ends
    request.logout();
}
```

This works fine, but the solution requires manually retrieving the username and password from the Authorization header and logging in with these credentials.

Questions:

Is it possible to do that without retrieving the info from the header and manually calling login()?

```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    // no login() call at all: rely on the container to have authenticated the caller
    if (request.isUserInRole("boss")) {
        // do something
    } else {
        // do something else
    }
}
```

Trying to reply myself:

From my understanding the code above requires a proper configuration in web.xml. The illustration above works with the following configuration in the web.xml file, for example:

```xml
<web-app ...>
    ...
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/helloworld</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>boss</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultrealm</realm-name>
    </login-config>
</web-app>
```

But that means programmatic role checking is not required, since the configuration in web.xml alone restricts access.

Summary:

Is it possible to check roles programmatically without specifying restrictions (auth-constraint) in web.xml? If not, does it mean that using isCallerInRole() is for checking additional roles, because the main required role is specified in web.xml?

Thanks.

Edit 1: Since the first reply suggests adding the login-config element to web.xml: I do have it. I added the code snippet, which I didn't include when posting the question. And the illustration above works with that configuration. When I remove the auth-constraint or the whole security-constraint, the presence of login-config is not enough. I also added info about the container: Tomcat 7.0.54.
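The manual route from the question, written out as an added example (this is not the asker's code). It fills in the Authorization-header handling the question's snippet leaves as "// ..." and adds the two checks a practitioner needs there: sending the 401 challenge itself when no credentials arrive, because the container never challenges for a URL that has no security-constraint, and splitting the decoded pair on the first colon only. It assumes Servlet 3.0 on Tomcat 7 with the BASIC login-config from the question and a realm that knows the user and the role "boss"; the class name ManualLoginServlet and the /manual URL are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;

// Added example, not the asker's code. Assumes Servlet 3.0 / Tomcat 7, a BASIC
// <login-config> in web.xml, and a realm user holding the role "boss".
// The class name and the /manual URL are hypothetical.
@WebServlet("/manual")
public class ManualLoginServlet extends HttpServlet {

    private static final String CHALLENGE = "Basic realm=\"defaultrealm\"";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            // No usable Basic credentials. The container does not challenge for an
            // unconstrained URL, so the servlet has to send the 401 itself.
            challenge(response);
            return;
        }
        try {
            // Validate against the realm the container configured for this context.
            // Tomcat throws ServletException for a bad user/password, and also when
            // the request already carries an authenticated principal.
            request.login(creds[0], creds[1]);
        } catch (ServletException e) {
            challenge(response);
            return;
        }
        try {
            if (request.isUserInRole("boss")) {
                response.setContentType("text/plain");
                response.getWriter().println("hello boss " + request.getRemoteUser());
            } else {
                // Authenticated but lacking the role: 403, not another 401.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
        } finally {
            // The principal set by login() should not outlive this request.
            request.logout();
        }
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", CHALLENGE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Parses "Authorization: Basic base64(user:password)".
     * Returns {user, password}, or null when the header is absent or malformed.
     * Package-private so it can be unit-tested without a container.
     */
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                      // absent, or a different auth scheme
        }
        // Java 7 has no java.util.Base64; the JAXB decoder is lenient and drops
        // non-base64 characters instead of throwing.
        byte[] decoded = DatatypeConverter.parseBase64Binary(header.substring(6).trim());
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;                      // RFC 2617 requires user:password
        }
        // Split on the FIRST colon only: the password may itself contain colons.
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }
}
```

The point of the example is what it costs to do by hand: the challenge, the decoding, the error handling and the logout() are all things the container would do for a constrained URL, and every one of them is a place to get the HTTP semantics subtly wrong (for instance answering a wrong password with 403 instead of a fresh 401).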

Question 1:

Is it possible to check roles programmatically without specifying restrictions (auth-constraint) in web.xml?

Answer:

Yes, it is possible. There is no need to specify restrictions in web.xml. There is no need to set a security-constraint in web.xml.

In addition, there is no need to manually retrieve the credentials from the Authorization header and manually login().

Solution:

Here is a working example:

```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    // solution: let the container run the login mechanism from <login-config>.
    // authenticate() returns false when it has sent the 401 challenge itself and
    // committed the response, so there is nothing left to do in that case.
    if (!request.authenticate(response)) {
        return;
    }
    if (request.isUserInRole("boss")) {
        // do something
    } else {
        // do something else
    }
}
```

web.xml:

```xml
<web-app ...>
    ...
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultrealm</realm-name>
    </login-config>
</web-app>
```

And it works.

As you can see, the method HttpServletRequest.authenticate() is used and it does the trick. The documentation says:

"Triggers the same authentication process as would be triggered if the request is for a resource that is protected by a security constraint."

That is all I needed. I hope it helps someone in the future.
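The authenticate() approach from the answer as a complete servlet, added here as an example (it is not the answer's code). It handles the case the answer's snippet glosses over, authenticate() returning false, and shows where the 403 belongs. It assumes Servlet 3.0 on Tomcat 7, the BASIC login-config from the answer's web.xml, no security-constraint, and a realm user holding the role "boss" (for Tomcat's default UserDatabaseRealm that is a line such as <user username="alice" password="..." roles="boss"/> in conf/tomcat-users.xml); the class name AuthenticateServlet and the /check URL are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the answer's code. Assumes Servlet 3.0 / Tomcat 7, a BASIC
// <login-config> in web.xml and no <security-constraint>, plus a realm user
// holding the role "boss". The class name and the /check URL are hypothetical.
@WebServlet("/check")
public class AuthenticateServlet extends HttpServlet {

    static final String REQUIRED_ROLE = "boss";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // No <security-constraint> covers /check, so the container has done nothing
        // yet. authenticate() runs the same BASIC mechanism a protected URL would
        // get. It returns true if the request already carries a principal (e.g. a
        // session from an earlier login) or if the Authorization header validates
        // against the realm.
        if (!request.authenticate(response)) {
            // false: the container itself sent 401 + WWW-Authenticate and committed
            // the response. Anything written now is lost or throws
            // IllegalStateException, and isUserInRole() would be false for the
            // anonymous caller anyway, so stop here.
            return;
        }
        // getUserPrincipal() is non-null from here on. isUserInRole() is evaluated
        // against the realm's roles for that user, mapped through
        // <security-role-ref> if web.xml declares one for this servlet.
        if (request.isUserInRole(REQUIRED_ROLE)) {
            response.setContentType("text/plain");
            response.getWriter().println(
                    "Hello " + request.getRemoteUser() + ", you are in role " + REQUIRED_ROLE);
        } else {
            // Authenticated but not authorised: 403, not another 401.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Two things to keep in mind when relying on this: authenticate() throws IllegalStateException if the response is already committed, so call it before writing anything; and because no declarative constraint exists, the only thing standing between an anonymous caller and the servlet's body is the early return above, so it must come before any privileged work, not after it.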

Tags: java, security, java-ee, servlet-3.0
