I am using a REST web service to fetch a file path. Here I am using the security context to provide some extra security. I added a validation that the logged-in user must be the same as the user name specified in the web service URL (security check).
But I have one special case where I have one user which is used to fetch special file paths from the server. If I pass this user in the web service URL, it gets caught by the security context validation, because the logged-in user and the user specified in the URL are not the same.
So is there any other way to exclude the special user from the security check? Can I specify some config in web.xml to solve this problem?
e.g.
Condition 1
logged-in user - xyz
web-service URL - 192.168.0.132/download.ws/xyz/fileid
passes the security check.
and
Condition 2
logged-in user - xyz
abc is a valid and authorized user.
web-service URL - 192.168.0.132/download.ws/abc/fileid
fails the security check.
I want to make it pass without doing: when the user from the URL is abc, then allow it in the security check.
Here is the web service code to check for a valid user:
    public String getCallerId(SecurityContext sc) {
        // we always create a GenericPrincipal object in AuthService
        GenericPrincipal userPrincipal = (GenericPrincipal) sc.getUserPrincipal();
        String szUserEmailID = userPrincipal.getName();
        return szUserEmailID;
    }

    public boolean authorizeRequest(SecurityContext osc, String szResourceID, String reqType) {
        // check for logged-in user and user specified in web-service url
        return getCallerId(osc).equalsIgnoreCase(szResourceID);
    }
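
An added example, not part of the original post or its code: the ownership check from the question extended with a deny-by-default exception for shared accounts. The exception is decided by a server-side allow-list and never by anything in the request. It uses `java.security.Principal` instead of the web service's `SecurityContext` so it runs with the JDK alone; `DownloadAuthorizer`, `SHARED_OWNERS` and `normalize` are hypothetical names, and `abc` is the shared user from the question.

```java
import java.security.Principal;
import java.util.Locale;
import java.util.Set;

public class DownloadAuthorizer {
    // Hypothetical allow-list of shared accounts whose files any authenticated
    // user may fetch. Assumption: a real deployment loads this from server-side
    // configuration instead of hard-coding it.
    private static final Set<String> SHARED_OWNERS = Set.of("abc");

    // Case-insensitive comparison, matching equalsIgnoreCase in the question.
    private static String normalize(String id) {
        return id == null ? "" : id.trim().toLowerCase(Locale.ROOT);
    }

    /** Deny by default; allow the caller's own files or an allow-listed shared owner. */
    public static boolean authorizeRequest(Principal caller, String urlUser) {
        if (caller == null || caller.getName() == null) {
            return false; // unauthenticated request is never authorized
        }
        String callerId = normalize(caller.getName());
        String owner = normalize(urlUser);
        if (callerId.isEmpty() || owner.isEmpty()) {
            return false; // missing identity on either side
        }
        if (callerId.equals(owner)) {
            return true; // condition 1: logged-in user matches the URL user
        }
        // condition 2: only owners on the server-side allow-list are exempt
        return SHARED_OWNERS.contains(owner);
    }

    public static void main(String[] args) {
        Principal xyz = () -> "xyz"; // constructed sample principal
        System.out.println("xyz -> xyz:   " + authorizeRequest(xyz, "xyz"));
        System.out.println("xyz -> abc:   " + authorizeRequest(xyz, "abc"));
        System.out.println("xyz -> other: " + authorizeRequest(xyz, "other"));
        System.out.println("anon -> abc:  " + authorizeRequest(null, "abc"));
    }
}
```

Every user not on the allow-list still gets the original owner-only behaviour, so the exception cannot be widened by changing the user name in the URL.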