
WebSphere administrative role checking within servlet context

I am simply trying to check whether a given user has a given WebSphere administrative role, within a Java servlet.

The idiom:

HttpServletRequest#isUserInRole

... works for non-administrative roles, and the iscadmins administrative role defined in this documentation page.

However, all other roles in the page above (which seem to differ from iscadmins, scope aside, by having their first letter capitalized) are not reflected when invoking isUserInRole.

I've tried checking both with the primary administrative user (file-based, created with the profile) and with other users whom I've explicitly added administrative roles to.

In all cases, only iscadmins role checks return true when assigned.

Using standard WAS 8.5.5, if that's of any relevance.

I am wondering whether there is something crucial I misunderstand about security and scope in this context.

Note

I have tried different combinations to check for role names that have a capitalized first letter: as is, lowercase, all-caps, etc. I even got more creative with the Admin Security Manager role...

After hours and hours of headaches and searches through undocumented APIs, I think I've found what I'm looking for.

Fair warning

I couldn't find any documentation about this, not even javadocs. I cannot honestly tell if this is the recommended approach.

This said, the approach below works for me (tested by assigning and removing the Admin security manager role from the logged-on user, then reloading the servlet and debugging).

Also, the mystery remains as to why these roles are not visible through the HttpServletRequest#isUserInRole idiom.

Code recipe

// relevant imports
import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.websphere.management.authorizer.AdminAuthorizerFactory;
import static com.ibm.ws.security.util.Constants.*;

// you'll need the com.ibm.ws.admin.core.jar plugin in your classpath for this
// (inside a servlet method, i.e. while a request caller is on the thread)
AdminAuthorizer aa = AdminAuthorizerFactory.getAdminAuthorizer();

// all admin roles are there as constants,
// save for "iscadmins", which you can retrieve with
// the HttpServletRequest#isUserInRole idiom anyway
String role = ADMINSECURITY_ROLE; // via the static import of Constants above

// that's it!
boolean test = aa.isCallerInRole(role);
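The recipe above yields a boolean; what a practitioner usually wants is to gate an admin-only endpoint with it and to fail closed when the lookup cannot be made. The following servlet Filter is an added example, not code from the original answer or from IBM: it uses only the calls named in the answer (AdminAuthorizerFactory.getAdminAuthorizer(), AdminAuthorizer.isCallerInRole(String), Constants.ADMINSECURITY_ROLE) plus the standard servlet API, and assumes com.ibm.ws.admin.core.jar is on the classpath. The filter class name, the "requiredRole" init-param and the exception handling are the example's own assumptions; whether isCallerInRole can throw at all is not documented, so any exception is treated as a denial.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.websphere.management.authorizer.AdminAuthorizerFactory;
import com.ibm.ws.security.util.Constants;

/**
 * Fail-closed gate for an admin-only URL pattern.
 * Example code (not part of the original answer); needs com.ibm.ws.admin.core.jar.
 */
public class AdminRoleFilter implements Filter {

    // "iscadmins" is reported by the plain servlet API, per the answer above.
    private static final String ISC_ADMINS = "iscadmins";

    // Role to require; ADMINSECURITY_ROLE is the constant the answer names.
    private String requiredRole = Constants.ADMINSECURITY_ROLE;

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param "requiredRole" overrides the default role name.
        String p = config.getInitParameter("requiredRole");
        if (p != null && !p.trim().isEmpty()) {
            requiredRole = p.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No authenticated principal on the thread: never fall through to the servlet.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (hasAdminRole(request, requiredRole)) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * True only when the caller positively holds the role. A missing authorizer
     * or any exception from the undocumented API counts as "not in role".
     */
    static boolean hasAdminRole(HttpServletRequest request, String role) {
        if (ISC_ADMINS.equals(role)) {
            // Fast path: the servlet container already knows about iscadmins.
            return request.isUserInRole(ISC_ADMINS);
        }
        try {
            AdminAuthorizer aa = AdminAuthorizerFactory.getAdminAuthorizer();
            if (aa == null) {
                return false; // administrative security not initialised: deny
            }
            return aa.isCallerInRole(role);
        } catch (Exception e) {
            return false; // fail closed rather than open on surprises
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the admin URL pattern in web.xml (or with @WebFilter) so the check runs before the servlet, and keep the role decision server-side: nothing the client sends should be able to influence the role string that is passed to isCallerInRole.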
