I have configured my test environment using WebSphere 8.5.5.5 and Active Directory for authorization.
I would like to get access to more user data.
For now I have access only to user "id" using java bean with:
String userName = facesContext.getExternalContext().getRemoteUser();
That's okay, but I would like to get more information, for example email adress, but I can't find any other methods.
Is there a way to do it?
That ExternalContext in this case is only the authentication context, and only contains things like the auth token and principal.
To get more information from Active Directory you need to query as an LDAP source.
Here's a big blog post about how to do that.
Related
Here I found a simple vertx project that uses apache-shiro for auth.
Here the user informations are stored inside src/main/resources/vertx-users.properties file like this:
user.tim = sausages,morris_dancer,developer,vtoons
role.developer=do_actual_work
role.vtoons=place_order
Is this a good approach to store user name and password in a file? Can we store these information in encrypted format or anywhere in a database. Can apache-shiro access these info from a db?
Please provide if you have some sample projects
Better use LDAP or DB
use blog
http://meri-stuff.blogspot.in/2011/04/apache-shiro-part-2-realms-database-and.html
for reference
Also this stackflow post Configure shiro.ini for JDBC connection
I have created a web application using JSP, Servlet and JDBC (NO FRAMEWORKS). We have form based authentication security, where the user has to log in first. The user names and passwords are in the database and as in any internet based web application, user name and passwords are created by users them selves.
We have used Java Sessions to identify the users and find out whether the person is logged in or not. what we do is in every servlet page and JSP page we check whether the session is new or not and whether the session is available, if there is any issue we forward the users back to the login page. This protects the users directly accessing URL's like www.xxx.com/questions?idEmployee=1.
Now the issue comes. I know we don't have to write the java code in every page to check whether the person is logged in or not. There is something we can do with the deployment descriptor right? So it can automatically check the things and forward the users.
However the answers I found in google are all about hard coding the user name and password to the deployment descriptor, so it is useless for us. So, how can we solve this problem without hard coding the usernames and passwords to the deployment descriptor?
Best solution is write one Filter class(Servlet) that will avoid rewrite the code each and every JSP files.
In filter class you can validate the session.
Option 1: As suggested by others use Filters.
Option 2: Write a jsp to validate session and redirect user if required. Now import the said jsp in reset of the jsp's which require valid session.
I'm creating a simple web app that has a user login. I'm trying to use Spring Security to manage authorization and I want to know if it is possible to use SS without setting up roles. There is no admin or special permissions, a user is either logged in or they aren't.
All tutorials I found make you setup a roles table and userroles join table in your database and the same entities in your files. This seems like overkill for what I want. Is it possible to just use SS to check a username and password and log the user in if they match what is in the database without doing all the role stuff?
You can use isAuthenticated(). See more in Spring documentation: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
I do not think you have to setup roles in spring security.
And in my opinion, the role is for different page access, like you have admin and normal user, and you want to let the different roles go to different pages.
You can use authorities="ROLE_USER" everywhere, if you just have a small application.
Hope this can help you.
I'm working on implementing a role-based authorization service under WS Liberty.
There are two main goals:
if the user without the correct user group tries to open a restricted url, show an error page
the user should see a menu, listing all pages available for him
My question is: are there best practices to implement this behaviour? Should I create the first part in server.xml AND the second part in the appropriate view?
(this way the "logic" will be stored in two different parts of the code, and for example if I have to add a new URL, I have to insert it into two different places)
So is there a way to store this role-URL mapping in one place?
Thanks,
krisy
In you application you can protect links checking roles (pseudo code, some frameworks have already custom tags for it):
if(request.isUserInRole("roleX")) {
// render menu item for roleX
}
By default, if user is already logged in and tries to access page that is restricted for him, he will receive 403 Not authorized, you can provide error page for that code via web.xml configuration.
In the server.xml via Application binding element you provide only mapping from your application roles to groups defined in the registry. Depending on the registry type you will be able to add/remove users to the given group granting or rejecting them right for example via server.xml or LDAP management tool in case of LDAP registry.
Hi I am actually trying to get tips or ideas on a very specific problem. The technology context is
java web app with JSF 2.1 .
So I have a simple java ee app powered by JSF 2.1. The structure is the following
\webapp
\WEB-INF
\templates
header.xhtml
menu.xhtml
web.xml
\secured
\operation1
op1.xhtml
\operation2
op2.xhtml
\operation3
op3.xhtml
userhome.xhtml
login.xhtml
I have one #WebFilter that restricts the access to /secured/* in case the 'user' bean is not set (Actually a Session Scoped Bean).
At the same time upon login, I create a dynamic Menu depending on the user credential. this menu (MenuItems) point to one or more operations (xhtml pages).
So far so good, the user logins, the menu is dynamic, links are being generated and upon clicking he/she can navigate to whatever operations he/she is supposed to do.
My problem is that I can not decide on an elegant way on restricting access to the absolute url of these pages . If user1 is 'authorized' to execute operation1 but not operation2 or operation3, currently I can not find the most elegant way on checking his session state and applying a generic rule (navigation rule?), if the actual web user, writes on the url bar the absolute path of the operation.
'/secured/operation1/op2.xhtml'
What is the most JSF2 compatible way on achieve that kind of requirement?
I have tried the preRenderView on each separate opxx.xhtml page , unfortunately it did not work + i dont like repeating it on each operation
Many thanks for your tips.
Security in web applications is a more advanced topic. Basically you have two ways:
Container based: This means your servlet container like Tomcat does the job for you (recommended)
Application based: You have to do the job on your own
How to setup container based security is explained in detail here. To summarize it, you have to implement a simple form (no JSF form!) with a specific action and specific ids for the username and password field. Afterwards you can easily restrict access to specific URL patterns using your web.xml file. In the web.xml file you restrict access to certain URL patterns for certain user roles. The mapping from usernames to user roles is done by a security realm. How to setup a security realm is desribed e.g. for Tomcat here.
If you want to implement security on your own, you have to implement a ServletFilter that inspects all requested URLs and either forwards users that are not logged in to your login form or passes the request through if the user is authorized. If the user is not authorized to see the page, you will have to forward the user to your error page. As CDI injection does not work for ServletFilter, you will have to lookup the bean that stores the information about your user (logged in, rights) from the HttpSession.