10

The javax.servlet.http.HttpServletRequest class has a method called isUserInRole. I use this to check if a user has, for example, the admin role. However, that method is case sensitive. So, if the role in the request was Admin or ADMIN, then isUserInRole("admin") would be false. I use the isUserInRole method in a number of places across multiple applications to check for a number of different roles.

Is there a way to achieve the isUserInRole functionality case-insensitively that does not require checking each different possible case combination with isUserInRole?

Andrew Mairose
    Why? You have trouble spelling your role names consistently? – user207421 Dec 15 '15 at 21:23
  • There are multiple versions of a third party authentication service that I am using in different environments, one of which lowercases role names, while the other preserves case. – Andrew Mairose Dec 16 '15 at 17:21

2 Answers

13

You could implement a filter that wraps requests using an HttpServletRequestWrapper - implement your HttpServletRequestWrapper to override the isUserInRole() method to make it case-insensitive (e.g., configure all roles in upper-case, test role params by converting to upper-case).

A quick search will find plenty of HttpServletRequestWrapper examples...

Apostolos
MattR
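As an added example (not code from the answer above or from any project), here is that suggestion carried through for the Servlet 3.0 API: a filter that swaps in an HttpServletRequestWrapper whose isUserInRole() ignores the case of the role name. The standard API only lets the wrapper ask the container about one spelling at a time, so rather than enumerating every case combination it probes the spellings an authentication service realistically produces (as given, lower-case, UPPER-CASE, Capitalized). The filter name, the `/*` URL pattern and that list of spellings are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Wraps every HTTP request so that isUserInRole("admin") also succeeds when the
 * container only knows the role as "Admin" or "ADMIN".
 *
 * Assumptions (example code): Servlet 3.0+ (annotation-based registration),
 * a container whose isUserInRole is case sensitive, and role spellings that
 * differ only by the common transformations probed in candidateSpellings().
 */
@WebFilter("/*")
public class CaseInsensitiveRoleFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure; the candidate spellings are fixed below.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests carry roles; pass anything else through untouched.
        if (request instanceof HttpServletRequest) {
            request = new CaseInsensitiveRoleRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }

    /** Request wrapper whose isUserInRole() ignores the case of the role name. */
    static final class CaseInsensitiveRoleRequest extends HttpServletRequestWrapper {

        CaseInsensitiveRoleRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isUserInRole(String role) {
            if (role == null || role.isEmpty()) {
                return false; // never let a blank name match anything
            }
            // Ask the container about each plausible spelling; the first hit wins.
            for (String candidate : candidateSpellings(role)) {
                if (super.isUserInRole(candidate)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Spellings authentication back-ends commonly emit for one role: as given,
     * lower-case, UPPER-CASE and Capitalized. Locale.ROOT keeps the case mapping
     * independent of the server's default locale (e.g. the Turkish dotless i),
     * so "ADMIN" and "admin" map to each other on every machine.
     */
    static Set<String> candidateSpellings(String role) {
        Set<String> out = new LinkedHashSet<>(); // ordered, duplicates collapse
        out.add(role);
        String lower = role.toLowerCase(Locale.ROOT);
        out.add(lower);
        out.add(role.toUpperCase(Locale.ROOT));
        out.add(Character.toUpperCase(lower.charAt(0)) + lower.substring(1));
        return out;
    }
}
```

Two checks before deploying this. First, the wrapper deliberately widens the comparison: if any deployment ever defines two distinct roles that differ only in case, they become indistinguishable, so confirm no such pair exists in the role store. Second, each probed spelling is a separate call into the container's role check; if the application declares its roles with `<security-role>`, the probed variants should be declared too, otherwise some containers log a warning or answer false for an undeclared name. Note also that a `<security-role-ref>` (as in the other answer on this page) aliases the name your code passes to isUserInRole(), not the role names the authentication service attaches to the principal, which is why the wrapper approach is the one that addresses a back-end that lower-cases roles in only one environment.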
3

http://docs.oracle.com/javaee/6/tutorial/doc/gjiie.html

Just map multiple role names to the admin role:

<servlet>
    <!-- role-name is the string passed to isUserInRole() in code;
         role-link is the declared security role it resolves to -->
    <security-role-ref>
        <role-name>admin</role-name>
        <role-link>admin</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>Admin</role-name>
        <role-link>admin</role-link>
    </security-role-ref>
</servlet>

<!-- the single real role both aliases above map onto -->
<security-role>
    <role-name>admin</role-name>
</security-role>
isak gilbert
  • The call to `isUserInRole` is used to execute different code paths on rest endpoints based on role. We already have this kind of setup in our web.xml for access restriction. – Andrew Mairose Dec 22 '15 at 23:04