
Questions:

  • Is there a concept of user & role that is general to Servlet Containers?
  • If so, is there a container agnostic way to access those users and roles?
  • If not, is there a way to access Tomcat Realm users & roles?

Background:

I would like to either get all users and their roles from the Java webapp context (Servlet Container) or, better yet, query the users and their roles directly.

I see that there are projects like Apache Directory which let you do this for LDAP if you know the connection string. However, I want to be agnostic to the technology serving up the users and roles.

Specifically, I'm on Tomcat and in the simplest scenario want to access the users & roles in a) tomcat-users.xml b) any other configured Realm in the context. However, I am really looking for a solution which isn't specific to Tomcat and its Realms.

Sean Connolly
  • The Servlet really only cares about the security context of the given request, so you can work out who is calling and get some details around them. What you are asking about is really the directory (LDAP/Database/whatever) which the servlet spec doesn't know or care about. JNDI is probably the best bet for a generic API for accessing a directory (although you will need to implement `Realm` or a Realm-like component to actually dig through the object served back from JNDI). – stringy05 Jul 27 '15 at 04:49

1 Answer

In Tomcat (or any other container), using the standard Servlet API, directly accessing the user roles is not possible (without using Tomcat/third-party specific mechanisms). `getUserPrincipal` and `isUserInRole` are the two methods; access to the role list is not directly possible.

Since the API does not provide for such access, I guess you will have to rely on other mechanisms which are container or technology specific.

As you pointed out, if the realm configured is a JNDI realm and the realm store is implemented over LDAP, it is possible to write a servlet filter, get the roles from the LDAP, and set them on the session or on a thread local.

Ironluca