
How to bypass Java EE security roles

Here is the example code from my web.xml

<security-constraint>
    <display-name>change password</display-name>
    <web-resource-collection>
        <web-resource-name>change password</web-resource-name>
        <url-pattern>/ResetPassword.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Roles which can access landing page</description>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Only user having role "Admin" can access "ResetPassword.html" page.

There is a Java EE API that lets us test whether the current user is in a specific role or not.

request.isUserInRole("Admin");

My default user "DefUser" is returning false because he has no role assigned, and I get a 403 error because DefUser cannot access the "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I log in as DefUser? Is there any other way to do it?

I do want to use the security constraints. One of the requirements is that there could be a user like "DefUser" which should have permission to all pages while having no roles assigned to it.

I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?

http://www.imrantariq.com/blog/

Java EE security cannot be bypassed. Otherwise, it would be as useful as a chocolate teapot.

Deploy your application to an application server. Go to the application server's administration and assign your DefUser to the role Admin. If you have other roles, assign your DefUser to those roles as well.

There you go. No bypass required.
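What "assign your DefUser to the role Admin" looks like in practice, as an added example that is not part of the answer above: the web.xml must declare the role that the constraint references, and the container's realm maps the user to that role. The realm part below is Tomcat-specific (conf/tomcat-users.xml with the default UserDatabaseRealm is assumed); other application servers do the same mapping in their admin console or their own deployment descriptor. The BASIC login-config and the placeholder password are assumptions, not taken from the question. A user who is granted every role is an administrator account and should be protected like one (strong credential, HTTPS only, which the CONFIDENTIAL transport guarantee already enforces).

```xml
<!-- web.xml (added example): declare the role the <auth-constraint> refers to,
     and tell the container how users authenticate. -->
<login-config>
    <auth-method>BASIC</auth-method>            <!-- assumption: BASIC auth -->
    <realm-name>Application</realm-name>
</login-config>

<security-role>
    <description>Administrators; may reach /ResetPassword.html</description>
    <role-name>Admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml (Tomcat-specific, added example):
     the realm maps the user DefUser to the role Admin, so
     request.isUserInRole("Admin") returns true after DefUser logs in.
     Give DefUser every role the application declares if it must reach every page. -->
<tomcat-users>
    <role rolename="Admin"/>
    <user username="DefUser" password="change-me-before-deploying" roles="Admin"/>
</tomcat-users>
```

The constraint in the question stays exactly as it is; only the realm mapping changes, which is the whole point of the answer: the container does the enforcement, and the deployer decides who holds which role.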

Not sure about web.xml, but at least with security annotations on EJBs, if I remember correctly, you can configure each service to be accessible:

  • by any user
  • by any authenticated user
  • by specific roles
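The three cases listed above expressed with the standard javax.annotation.security annotations on a session bean, as an added example that is not part of the answer above. PasswordService, the role "Helpdesk" and the in-memory store are assumptions made for the example. Note that the annotation set itself has no "any authenticated user" marker; @RolesAllowed names roles, @PermitAll allows everyone including unauthenticated callers, and @DenyAll blocks everyone. In web.xml (Servlet 3.1 and later) the special role name ** in an <auth-constraint> means any authenticated user regardless of role, while * means any role declared for the application.

```java
// Added example, not from the original page or any project it mentions.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Stateless
@DeclareRoles({"Admin", "Helpdesk"})   // roles referenced by this bean (assumed names)
@RolesAllowed("Admin")                 // class-level default: every method needs Admin unless overridden
public class PasswordService {

    @Resource
    private SessionContext ctx;

    // Constructed stand-in for a real credential store; never keep passwords like this in production.
    private static final Map<String, String> resetTokens = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    // Case 1: accessible by any user, authenticated or not. Exposes nothing sensitive.
    @PermitAll
    public boolean isEnabled() {
        return true;
    }

    // Case 3: specific roles. The container rejects other callers with EJBAccessException
    // before the method body runs; the explicit check inside is defence in depth and
    // also gives an audit record of who performed the reset.
    @RolesAllowed({"Admin", "Helpdesk"})
    public String issueResetToken(String targetUser) {
        if (!ctx.isCallerInRole("Admin") && !ctx.isCallerInRole("Helpdesk")) {
            throw new EJBAccessException("caller lacks Admin/Helpdesk role");
        }
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        resetTokens.put(targetUser, token);
        System.out.println("AUDIT reset-token issued for " + targetUser
                + " by " + ctx.getCallerPrincipal().getName());
        return token;
    }

    // No annotation: inherits the class-level @RolesAllowed("Admin").
    public boolean revokeResetToken(String targetUser) {
        return resetTokens.remove(targetUser) != null;
    }

    // Retired entry point kept for binary compatibility: nobody may call it.
    @DenyAll
    public void resetWithoutAudit(String targetUser) {
        throw new UnsupportedOperationException("disabled");
    }
}
```

If the web layer is the one answering the question, the matching web.xml form of "any authenticated user" is an <auth-constraint> whose <role-name> is **, which is the closest thing to the asker's "DefUser with no roles" requirement that the standard constraints can express: DefUser still has to log in, but needs no role.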
