
I am developing a Java Servlets webapp which will use container-based security to authenticate users. Now my question is: can a User be mapped to more than one security role?

For example, in my case:

A User can be a

  • Teacher
  • Co-ordinator ( who can also be a Teacher)
  • Admin (who can also be a Teacher)

Now obviously the Admin will have privileges to access more functionality than the Teacher. So how is that possible with just container-based security for a container like Tomcat?

I am also not using any framework like Spring Security or Apache Shiro.

Kramer786
  • *can a User be mapped to more than one security role?* Yes. – dsh Aug 19 '15 at 16:32
  • @dsh Could you point me to a tutorial or resource that shows you how to do this? – Kramer786 Aug 19 '15 at 17:41
  • JavaEE documentation: [Working with Realms, Users, Groups, and Roles](https://docs.oracle.com/javaee/7/tutorial/security-intro005.htm#BNBXJ) – dsh Aug 22 '15 at 13:35

1 Answer


In short, a user (or, even better, a group) can be mapped to many security roles. The easiest is to define security roles in web.xml, like this:

  <security-role>
    <role-name>teacher</role-name>
  </security-role>
  ....

and then use them in <security-constraint>, where you specify which role has access to a given set of resources.

Finally you need to map these roles to users, which is server specific.

You can find some basic information regarding security roles and constraints in the WebSphere Application Server V7.0 Security Guide, in the Securing web applications chapter.

Instead of using Tomcat, I'd suggest using WebSphere Liberty and Eclipse with WebSphere Developer Tools. It has a nice graphical interface for editing web.xml, so you will be able to easily define these roles and constraints. It also has a server configuration editor where you can configure a basic registry with users and groups and create the mapping between roles and users.

If you need more info on how to set it up in Liberty, you can check the WebSphere Liberty Profile Guide for Developers.

Gas
  • Can you store parameters in the cookie after authentication? Like storing the user-id in the cookie? – Kramer786 Aug 22 '15 at 18:32
  • @Kramer786 After successful authentication, user data is automatically stored either in the cookie or in an HTTP header, depending on the authentication method (form or basic). – Gas Aug 24 '15 at 00:11
  • Is the password also stored in the cookie in the case of form-based authentication? – Kramer786 Aug 24 '15 at 09:11
  • @Kramer786 No, the password is not stored in the cookie, as it is not secure. After form login, the session is established, and it is platform-specific what is in the cookie. In general, after login, the password shouldn't be needed by the developer, and authentication is maintained via sessions, so all requests in the same session are authenticated. – Gas Aug 24 '15 at 11:19
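The answer above sketches the web.xml roles and says the role-to-user mapping is server specific. Since the question is about Tomcat, here is the full picture for the Teacher / Co-ordinator / Admin case as an added example (not code from the original answer): a web.xml that declares the three roles and protects two URL areas, followed by the matching Tomcat `conf/tomcat-users.xml` entries, where one user is given several roles. Role names, URL patterns, user names and the realm name are assumptions for illustration, and the passwords are constructed placeholders.

```xml
<!-- web.xml: declarative container security for the school webapp.
     Added example; role names, url-patterns and realm-name are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Every role the application refers to must be declared. -->
  <security-role><role-name>teacher</role-name></security-role>
  <security-role><role-name>coordinator</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- Teacher area. The Servlet spec has no role hierarchy, so either list
       every role that may enter (as done here) or give admin/coordinator
       users the teacher role as well in the realm. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teacher pages</web-resource-name>
      <url-pattern>/teacher/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>teacher</role-name>
      <role-name>coordinator</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect plain HTTP to HTTPS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Admin area: admin only. Constraints are matched on URL pattern, so any
       admin functionality must live under a protected pattern. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the container itself handles the POST to j_security_check
       and the credential never has to touch application code or a cookie. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>school</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Session cookie hardening (Servlet 3.0+): the authenticated state lives
       in the server-side session; the cookie only carries the session id. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>

<!-- conf/tomcat-users.xml (Tomcat's default UserDatabaseRealm): the
     server-specific role-to-user mapping. A user can carry several roles,
     which is what lets a Co-ordinator or Admin also be a Teacher.
     Passwords are constructed placeholders; in a real deployment configure a
     digesting CredentialHandler on the realm instead of plaintext. -->
<tomcat-users>
  <role rolename="teacher"/>
  <role rolename="coordinator"/>
  <role rolename="admin"/>
  <user username="alice" password="CHANGE_ME_1" roles="teacher"/>
  <user username="bob"   password="CHANGE_ME_2" roles="teacher,coordinator"/>
  <user username="carol" password="CHANGE_ME_3" roles="teacher,admin"/>
</tomcat-users>
```

With this in place, a servlet never needs to read or write a user id in a cookie: after login the container exposes the authenticated identity through `request.getRemoteUser()` / `request.getUserPrincipal()`, and finer-grained checks inside a page (for example hiding an edit button from a plain Teacher) use `request.isUserInRole("admin")`, which returns true for `carol` and false for `alice` under the mapping above. One thing to verify after deploying is that no admin-only handler is reachable under a URL outside `/admin/*`, because the constraint is keyed on the URL pattern, not on the servlet.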