Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security constraint in web.xml for authenticated users without role memberships

Tags:

java

glassfish

web.xml

jaas

I am quite desperate, because I think there must be an easy solution to my problem but I am searching - to no avail.

I am using a custom Realm in Glassfish 3.1.1. This custom realm (implements AppservPasswordLoginModuleInterface) takes a security token from the HTTPS request, validates the security token and then returns the user to Glassfish.

The problem is that the security token does not contain any groups, meaning that the method public String[] getGroupsList() or the custom realm returns an empty list (correctly, because there are no roles in the security token).

That said, I would like to have a security contraint that only validated users can login. I know that I can use the following constraint in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>

But because I don't have any groups, I cannot map any groups to roles, and therefore I cannot use the auth-constraint with role-name.

Is there a way in web.xml to define that only authenticated users are allowed, ignoring in which role they are and ignoring whether they are in any role at all.

There are a couple of solutions which I cannot implement:

  • I cannot change the underlying LDAP to include roles, because the LDAP schema and the way how LDAP users are mapped to security tokens our out of scope.
  • I have to use the current custom realm handler, I cannot replace it with one of my own which just returns a default group. I did try this once, and it worked. But I cannot replace the existing custom realm with my own because the custom realm should be generic.

But I really think there should be a way in web.xml just to say: Ignore all groups and roles, I just want an authenticated user?

Any help would be appreciated.

like image 532
msaladin Avatar asked Jan 11 '12 17:01

msaladin

Video Answer

1 Answers

Pretty old, but for those looking for an answer, you can use an * role name:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

This guy managed to solve it.

like image 77
Will Avatar answered Sep 20 '22 18:09

Will
Sign in to Comment

Related questions

Is there a way to force a classloader to load a package even if none of its classes have been loaded?
Generic Map of Generic key/values with related types
Editing/Modifying a .java file programmatically? (not the .class file)
Fingertip drawing applications on Android?
Releasing from development into production in maven
Reading and Writing out TIFF image in Java
How can I add entries to an existing zip file in Java? [duplicate]
JDBC Connection Pooling: Connection Reuse?
Retrieving the underlying error when File.listFiles return null
java web start alternative [closed]
How to disable the automatic HTML support of JLabel?
Lucene as data store
Java equivalent to C# dynamic class type?
Custom attributes in UiBinder widgets
pass array to oracle procedure
Interface versus concrete class
How can one Java thread check the state of another one, e.g. whether the other one is blocked?
Pure Java alternative to JAI ImageIO for detecting CMYK images
Difference between servlet/servlet-mapping and filter/filter-mapping?
Create a standalone application with Maven

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!