Is it possible to determine group membership of a user on demand instead of when logging in in ServerAuthModule (JASPIC)

I'm trying to write my own ServerAuthModule, to use a custom login system.

If I understood everything right, what happens is that the container calls the validateRequest method for every incoming request, and that my SAM will check for credentials, and tell the container the username and groups of the user (if the credentials are right) via the CallbackHandler.

public class MySAM implements ServerAuthModule {

    // The container passes the CallbackHandler to initialize(); keep it for validateRequest
    private CallbackHandler callbackHandler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.callbackHandler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {

        // check user credentials against the custom login system; yields username and groups
        ...

        // set username and groups on the client Subject via the container's callbacks
        CallerPrincipalCallback cpCallback = new CallerPrincipalCallback(clientSubject, username);
        GroupPrincipalCallback gpCallback = new GroupPrincipalCallback(clientSubject, groups);
        try {
            callbackHandler.handle(new Callback[]{cpCallback, gpCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("callback handling failed");
            ae.initCause(e);
            throw ae;
        }

        return AuthStatus.SUCCESS;
    }

    ... // getSupportedMessageTypes, secureResponse, cleanSubject
}

My problem now is that when a user logs in, I don't know to which groups the user belongs. I can only check whether the user is in a given group. Is it somehow possible to give the container a method with which it can check whether a user is in a given group, instead of giving it an array with groups in the validateRequest method?

boolean isInGroup(String username, String group) {
    // ask backend system
}
Misch asked Dec 07 '14 10:12


1 Answer

What you're doing looks right indeed.

There's no concept in JASPIC of handing the container a method like you intend. The container creates a set of Principals from the groups array you give it, and there's no room for a method there.

In Java EE, JACC should be able to do this. A JACC policy provider is consulted every time the isUserInRole question needs to be answered and every time it needs to be decided whether a user has some permission (e.g. allowed to access /adminpanel).

At that point you can do a kind of reverse check to see what role is required for a given Permission (using the role to Permission Maps that JACC builds up at startup time). With that role you can then use your own logic to determine if the user indeed has that role or group.

Mike Braun answered Oct 21 '22 17:10
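The reverse check the answer describes, as an added example that is neither the asker's code nor any container's own JACC provider. It keeps the role-to-permission map a JACC PolicyConfiguration would build at deployment time, and on every `implies` call finds which roles are granted the requested permission, then asks the backend `isInGroup` from the question for each of them. Assumptions: the `GroupBackend` interface, the `addToRole` feed, the single-context map (a real provider keys its maps by `PolicyContext.getContextID()`), that the first Principal in the ProtectionDomain is the caller, and the container wiring (a `PolicyConfigurationFactory` and the `javax.security.jacc.policy.provider` property) are all hypothetical here; unchecked and excluded policy handling is omitted.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;

// Added example: a JACC Policy that resolves group membership on demand.
public class OnDemandGroupPolicy extends Policy {

    // Hypothetical backend lookup, the isInGroup(username, group) from the question
    public interface GroupBackend {
        boolean isInGroup(String username, String group);
    }

    // role -> permissions granted to that role (what a PolicyConfiguration feeds via addToRole)
    private final Map<String, PermissionCollection> roleToPermissions = new HashMap<>();
    private final GroupBackend backend;
    private final Policy fallback;   // non-JACC permissions are delegated to the previous Policy

    public OnDemandGroupPolicy(GroupBackend backend, Policy fallback) {
        this.backend = backend;
        this.fallback = fallback;
    }

    // Assumed hook: called at deploy time for each role grant derived from web.xml
    public void addToRole(String role, Permission granted) {
        roleToPermissions.computeIfAbsent(role, r -> new Permissions()).add(granted);
    }

    // The reverse check: which roles' grants imply the requested permission?
    public List<String> rolesRequiredFor(Permission requested) {
        List<String> roles = new ArrayList<>();
        for (Map.Entry<String, PermissionCollection> e : roleToPermissions.entrySet()) {
            if (e.getValue().implies(requested)) {
                roles.add(e.getKey());
            }
        }
        return roles;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission requested) {
        // Only JACC permissions (WebResourcePermission, WebRoleRefPermission, ...) are ours
        if (!requested.getClass().getName().startsWith("javax.security.jacc.")) {
            return fallback != null && fallback.implies(domain, requested);
        }
        String user = callerName(domain);
        if (user == null) {
            return false;   // unauthenticated caller: no role-based grant applies
        }
        for (String role : rolesRequiredFor(requested)) {
            if (backend.isInGroup(user, role)) {   // membership decided now, not at login
                return true;
            }
        }
        return false;
    }

    // Assumption: the container puts the caller Principal first in the domain
    private static String callerName(ProtectionDomain domain) {
        Principal[] principals = domain.getPrincipals();
        return (principals == null || principals.length == 0) ? null : principals[0].getName();
    }

    // Stand-alone demonstration with a constructed backend and deployment grants
    public static void main(String[] args) {
        Map<String, List<String>> membership = new HashMap<>();
        membership.put("alice", List.of("admin"));
        membership.put("bob", List.of("user"));
        GroupBackend backend = (u, g) -> membership.getOrDefault(u, List.of()).contains(g);

        OnDemandGroupPolicy policy = new OnDemandGroupPolicy(backend, null);
        // Grants a PolicyConfiguration would derive from <security-constraint> and <security-role-ref>
        policy.addToRole("admin", new WebResourcePermission("/adminpanel/*", (String) null));
        policy.addToRole("admin", new WebRoleRefPermission("AdminServlet", "admin"));

        ProtectionDomain alice = new ProtectionDomain(null, null, null, new Principal[]{() -> "alice"});
        ProtectionDomain bob = new ProtectionDomain(null, null, null, new Principal[]{() -> "bob"});
        Permission getAdmin = new WebResourcePermission("/adminpanel/users", "GET");
        Permission isAdminRole = new WebRoleRefPermission("AdminServlet", "admin");

        System.out.println("roles required: " + policy.rolesRequiredFor(getAdmin));   // [admin]
        System.out.println("alice GET /adminpanel/users: " + policy.implies(alice, getAdmin));   // true
        System.out.println("bob GET /adminpanel/users: " + policy.implies(bob, getAdmin));       // false
        System.out.println("alice isUserInRole(admin): " + policy.implies(alice, isAdminRole));  // true
    }
}
```

The point to keep in mind when doing this for real: because the backend is consulted on every `implies` call, a slow or unavailable membership service turns into request latency or denied access, so a provider like this normally caches per-request answers and fails closed (returns false) on backend errors rather than granting.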