You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Taylor, Larry" <hi...@visa.com> on 2016/12/04 07:04:55 UTC
re: Tomcat Realm/LDAP - userRoles and Organization Unit name for
authenticated users
Hello,
For Users that have authenticated from the Web Login page through Tomcat Realm LDAP configuration is it possible to get the authenticated user's ou=Organizational Unit or Department name? and also what their role names are? I need this information to pass to a servlet or jsp page.
I saw documentation about the java.security.Principal class but could not find any documentation or examples on how to get this type of information after users are authenticated.
I am able to get the username with ${pageContext.request.userPrincipal.name} & request.getRemoteUser(); but nothing about how to get the user's member affiliations and roles.
Any information or pointers on this is appreciated.
________________________________
Larry Taylor
Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for
authenticated users
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Larry,
On 12/5/16 12:25 PM, Taylor, Larry wrote:
> If isUserinRole has information to make determination to
> different component accesses in the application that would be
> sufficient - although, what I really need to know is what
> department or Organizational unit they belong to after
> authentication in order to give them specific page component
> accesses.
What if they belong to multiple organizational units or departments?
Usually a user has multiple roles but only one CN, and certainly only
one DN. Are you taking the CN/DN and removing some of it in order to
obtain the user's "username"? If so, don't do that and use their whole
CN/DN as their username and then parse it yourself to determine their
organization unit, etc.
As it stands, Tomcat's LDAP authenticator only provides two pieces of
information that is visible to the application: username and
(indirectly) list of roles.
You might want to make another connection to your directory to look-up
any additional information on that user to complete the set of
metadata you want to use to customize the UI for each user.
Hope that helps,
- -chris
> -----Original Message----- From: Felix Schumacher
> [mailto:felix.schumacher@internetallee.de] Sent: Sunday, December
> 04, 2016 2:17 AM To: users@tomcat.apache.org Subject: Re: Tomcat
> Realm/LDAP - userRoles and Organization Unit name for authenticated
> users
>
> Am 04.12.2016 um 08:04 schrieb Taylor, Larry:
>> Hello,
>>
>> For Users that have authenticated from the Web Login page
>> through Tomcat Realm LDAP configuration is it possible to get the
>> authenticated user's ou=Organizational Unit or Department name?
>> and also what their role names are? I need this information to
>> pass to a servlet or jsp page.
>>
>> I saw documentation about the java.security.Principal class but
>> could not find any documentation or examples on how to get this
>> type of information after users are authenticated.
>>
>> I am able to get the username with
>> ${pageContext.request.userPrincipal.name} &
>> request.getRemoteUser(); but nothing about how to get the user's
>> member affiliations and roles.
> The standard way to get the roles is to iterate over your expected
> roles and ask for request.isUserInRole(role). The servlet spec has
> no API to get directly a list of roles.
>
> If you are willing to bind yourself to the implementation of
> JNDIRealm you could get the list of roles. But I don't recommend
> it, as that implementation is not guaranteed to stay stable.
>
> Do you really need to get the list, or is isUserInRole enough?
>
> Regards, Felix
>>
>> Any information or pointers on this is appreciated.
>>
>>
>> ________________________________ Larry Taylor
>>
>>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJYUHWVAAoJEBzwKT+lPKRYGRsQAMVvdK9RXFyuwmzrn3+GhfBW
j/klYRW2rD4+xOQdFw8swx7xoTT2fO0IstYkKg0bpgiOKKS5pns7p5XGp0SxcMKQ
j0/a54lp+QDuLsAWcXnW+cRPCXhMLrgt9aTqZViwiQnU6qld8Pk/55HyyDFf1n64
jLV0BrNkQg/STojG4z45yqQpShK3UGmKXtBYPjXo5O12siGE8+c8USUi0fPrbMob
HQt7QUaiMt4dQzeOjjjfl9bTE+REtG5DjnlKx6gT+LsRP3MlnljZAfTo23hSyIbQ
JmFHmL0enChZFG85yUaf6JXMSX1bQNPIPB+ph8/liCWIVUQae/mT7xOAWw/DAEFq
cHtDL1TywEqNy732wvSwZ022ylceA71yWpqU2+p1BadVqUPmNIYWE49q3/KjXrw/
mRNK/paHqTZ943eAet7YQ2N6FP2BZv8X0eJ6Ine4ml9HwNcWE6fcfzGNIdlGt4ZH
j+9W4iABfgfbRMC58s8mXxyM1DgIUYOyTfH4O9Ip4MfJ3P/2iMrQdgpk0mt9N1tb
7YgMc5iaoPikj57fsfnbrQOvJK3zTZS0amEOu/5yz3JzW1CyURUJbsFchg+rhqaK
Zr5dZwq9VJuqm8zW+ZMm2ZsfEhGJRZ2T+FvO//6aWnGRGALbob+irpG4twIyVoWs
HrADC4ou0Hsf6W0jPM5y
=7T+b
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for
authenticated users
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 05.12.2016 18:25, Taylor, Larry wrote:
> Hi Felix
>
> If isUserinRole has information to make determination to different component accesses in the application that would be sufficient - although, what I really need to know is what department or Organizational unit they belong to after authentication in order to give them specific page component accesses.
>
> Any help on this is appreciated.
>
In the "any help" category :
I believe that there are 2 distinct aspects involved, which are somewhat mixed up here :
- the user authentication itself
- the gathering of additional information about a user (authenticated and current, or not)
and that it may be better, from the start, to distinguish them, if only for future
portability reasons.
Many user authentication schemes will only tell you whether yes or no the current user is
authenticated, given the credentials supplied. This may happen, in the background, via
some scheme which allows a server (given the *server* credentials), to verify with some
back-end authority, that the current webapp user credentials check out.
In the big scheme of things, there is nothing however that says that additional user
information (such as "groups" or "organisational unit" or "email address" or even name or
whatever) can be obtained via the same scheme, or using the same "server credentials". (*)
The concept of tomcat "roles" also does not necessarily match the concept of "user
groups". The fact that for some authentication schemes, the "isUserInRole" call would
return yes/no if the user is/is not in some "user group" is also a kind of convenience,
rather than something really solid and portable.
What I am saying thus, is that rather than looking for something wich can provide this
additional information right within the authentication part of the request cycle, maybe
you should look at doing this in two separate steps, such as :
- let the authentication verify the credentials and return an authenticated user-id
- then later, in a separate "request filter", use this authenticated user-id to access the
back-end database system of your choice, to retrieve any additional user information which
you require, and add it as some session attribute. (The case where both the authentication
and the user data retrieval would use the same back-end, being then merely a coincidence).
That would be much more portable if ever the authentication method (or the source of the
additional user information) would change in the future.
As someone else regularly says here, "just my 2 cent".
(*) What I mean precisely here, is that the "server credentials" which the authentication
scheme uses to verify that a user is authenticated, may not allow the same server to get
any additional information about that user, even with the same back-end "user database"
system. The first may need only some "computer account", while the second may need some
"admin account" e.g. It may be messy to try to do this in the same bit of code.
>
>
>
> -----Original Message-----
> From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
> Sent: Sunday, December 04, 2016 2:17 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for authenticated users
>
> Am 04.12.2016 um 08:04 schrieb Taylor, Larry:
>> Hello,
>>
>> For Users that have authenticated from the Web Login page through Tomcat Realm LDAP configuration is it possible to get the authenticated user's ou=Organizational Unit or Department name? and also what their role names are? I need this information to pass to a servlet or jsp page.
>>
>> I saw documentation about the java.security.Principal class but could not find any documentation or examples on how to get this type of information after users are authenticated.
>>
>> I am able to get the username with ${pageContext.request.userPrincipal.name} & request.getRemoteUser(); but nothing about how to get the user's member affiliations and roles.
> The standard way to get the roles is to iterate over your expected roles and ask for request.isUserInRole(role). The servlet spec has no API to get directly a list of roles.
>
> If you are willing to bind yourself to the implementation of JNDIRealm you could get the list of roles. But I don't recommend it, as that implementation is not guaranteed to stay stable.
>
> Do you really need to get the list, or is isUserInRole enough?
>
> Regards,
> Felix
>>
>> Any information or pointers on this is appreciated.
>>
>>
>> ________________________________
>> Larry Taylor
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat Realm/LDAP - userRoles and Organization Unit name for
authenticated users
Posted by "Taylor, Larry" <hi...@visa.com>.
Hi Felix
If isUserinRole has information to make determination to different component accesses in the application that would be sufficient - although, what I really need to know is what department or Organizational unit they belong to after authentication in order to give them specific page component accesses.
Any help on this is appreciated.
-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
Sent: Sunday, December 04, 2016 2:17 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for authenticated users
Am 04.12.2016 um 08:04 schrieb Taylor, Larry:
> Hello,
>
> For Users that have authenticated from the Web Login page through Tomcat Realm LDAP configuration is it possible to get the authenticated user's ou=Organizational Unit or Department name? and also what their role names are? I need this information to pass to a servlet or jsp page.
>
> I saw documentation about the java.security.Principal class but could not find any documentation or examples on how to get this type of information after users are authenticated.
>
> I am able to get the username with ${pageContext.request.userPrincipal.name} & request.getRemoteUser(); but nothing about how to get the user's member affiliations and roles.
The standard way to get the roles is to iterate over your expected roles and ask for request.isUserInRole(role). The servlet spec has no API to get directly a list of roles.
If you are willing to bind yourself to the implementation of JNDIRealm you could get the list of roles. But I don't recommend it, as that implementation is not guaranteed to stay stable.
Do you really need to get the list, or is isUserInRole enough?
Regards,
Felix
>
> Any information or pointers on this is appreciated.
>
>
> ________________________________
> Larry Taylor
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for
authenticated users
Posted by Felix Schumacher <fe...@internetallee.de>.
Am 04.12.2016 um 08:04 schrieb Taylor, Larry:
> Hello,
>
> For Users that have authenticated from the Web Login page through Tomcat Realm LDAP configuration is it possible to get the authenticated user's ou=Organizational Unit or Department name? and also what their role names are? I need this information to pass to a servlet or jsp page.
>
> I saw documentation about the java.security.Principal class but could not find any documentation or examples on how to get this type of information after users are authenticated.
>
> I am able to get the username with ${pageContext.request.userPrincipal.name} & request.getRemoteUser(); but nothing about how to get the user's member affiliations and roles.
The standard way to get the roles is to iterate over your expected roles
and ask for request.isUserInRole(role). The servlet spec has no API to
get directly a list of roles.
If you are willing to bind yourself to the implementation of JNDIRealm
you could get the list of roles. But I don't recommend it, as that
implementation is not guaranteed to stay stable.
Do you really need to get the list, or is isUserInRole enough?
Regards,
Felix
>
> Any information or pointers on this is appreciated.
>
>
> ________________________________
> Larry Taylor
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org