6 Replies Latest reply on Jul 15, 2004 5:45 AM by ceasaros

    Roles dependent on username and a company.

    ceasaros

      I have a situation in which the roles a Subject gets depend not only on the username but also on, for example, a company.

      e.g.
      user1 has roles 'guest' and 'admin' for company1 but
      user1 has only role 'guest' for company2.

      I solved this now by writing my own LoginModule in which I use my own defined Group. In the public boolean isMember(Principal member) method I retrieve the current Subject and get the authenticated Principal (my own defined Principal). This Principal contains the company name which I placed there using a Filter in the web layer.

      In my opinion this is not the best solution.

      I can think of 2 other ways but don't know how to configure/program them:
      1) The Subject contains an authenticated user and for every company the Subject contains a different "Roles"-group. And only the "Roles"-group the user is currently interested in is checked to see if it contains the right role.
      Or
      2) For every user/company combination a different Subject is created containing the correct "Roles".

      For either situation I don't have a solution; if anyone has suggestions they are welcome.

      Thanks in advance.

      Cees van Wieringen.

        • 1. Re: Roles dependent on username and a company.
          pnevado

          I have a problem similar to yours and I resolved it just modifying the query used for getting roles in the login-config.xml/DatabaseServerLoginModule.

          <module-option name="rolesQuery">select id_servicio, 'Roles' from bd.registro where id_usuario=? AND id_website=1 AND (fecha_fin >= NOW() OR fecha_fin IS NULL)</module-option>
          


          • 2. Re: Roles dependent on username and a company.
            ceasaros

            Thank you for your reply but for me this isn't the solution, because I have a dynamic company. In your solution only the 'id_usuario' can be replaced; what I would like to have is a database query like this:

            select roles from userroles where userid=? AND company=?


            In this query both userid and company have to be inserted into the query, and in the DatabaseServerLoginModule only the userid (principal name) gets inserted.


            • 3. Re: Roles dependent on username and a company.

              If you wrote your own custom LoginModule, did you not write your own
              protected Group[] getRoleSets()?

              That would allow you the query you wish.

              • 4. Re: Roles dependent on username and a company.
                ceasaros

                That's correct, I wrote my own getRoleSets() and I can get all the roles for every company for that user, but when the user's authorization is checked the boolean isMember(Principal member) method of the Group is called; here is where I need to check if the user has the correct role for that company. I only know which role is needed but I don't know for which company the role is required. Simply said, I would like to have something like:
                boolean isMember(Principal member, String company)
                but that's not possible, because JAAS doesn't support it :-).

                I also already have a solution, see my first message at the top of this topic, but it's not a nice one in my opinion. I'm looking whether somebody knows a better way to achieve my goal.

                In my solution I modified the isMember-method in MyGroup and retrieve the current Subject that is trying to authenticate, and from this Subject I retrieve the CallerPrincipal in which I placed the company (in the Tomcat environment using a Filter) the current user is interested in. Still this isn't 100% correct, because the authentication/authorization is performed first and only after this has succeeded is the filter applied to the request; the result is that only the second time a user is authorized can I retrieve the company name.


                • 5. Re: Roles dependent on username and a company.

                  ok. I think I get it now. The same user can be in multiple companies?
                  If you kept the same solution but used a custom principal that contained all of the companies of the principal, then you would just have to check to see if the company was contained in the principal. See the thread about Custom Principals about 3 weeks back.

                  • 6. Re: Roles dependent on username and a company.
                    ceasaros

                    Thanks for all your help, but I already read that topic and applied it to my own LoginModule.

                    I will try to be more clear now:
                    This is the isMember(Principal member) method I wrote in my custom Group class.

                    import java.security.Principal;
                    import java.security.acl.Group;
                    import java.util.Enumeration;
                    import java.util.HashSet;
                    import java.util.Iterator;
                    import java.util.Set;
                    import javax.security.auth.Subject;
                    import org.jboss.security.SecurityAssociation;

                    public class MyGroup extends MyPrincipal implements Group {

                        // the role principals that belong to this group
                        private final Set members = new HashSet();

                        ...

                        public boolean isMember(Principal member) {
                            // the company the caller selected, read from the thread-local Subject JBoss keeps
                            MyPrincipal callerPrincipal = getCallerPrincipal(SecurityAssociation.getSubject());
                            if (callerPrincipal == null) {
                                return false;
                            }
                            String company = callerPrincipal.getCompany();
                            if ("com1".equals(company)) {
                                return members.contains(member);
                            }
                            return false;
                        }

                        // find the MyPrincipal stored inside the "CallerPrincipal" group of the Subject
                        private MyPrincipal getCallerPrincipal(Subject subject) {
                            if (subject == null) {
                                return null;
                            }
                            Set subjectGroups = subject.getPrincipals(Group.class);
                            Iterator iter = subjectGroups.iterator();
                            while (iter.hasNext()) {
                                Group grp = (Group) iter.next();
                                String name = grp.getName();
                                if (name.equals("CallerPrincipal")) {
                                    Enumeration groupMembers = grp.members();
                                    if (groupMembers.hasMoreElements()) {
                                        Principal principal = (Principal) groupMembers.nextElement();
                                        if (principal instanceof MyPrincipal) {
                                            return (MyPrincipal) principal;
                                        }
                                    }
                                }
                            }
                            return null;
                        }

                        ...

                    }


                    This works fine but what I don't like in my code is the way I retrieve the current Subject.
                    SecurityAssociation.getSubject()

                    It would be nice to let the JAAS implementation of JBoss handle this.
                    My quote from the first message of this topic:

                    I can think of 2 other ways but don't know how to configure/program them:
                    1) The Subject contains an authenticated user and for every company the Subject contains a different "Roles"-group. And only the "Roles"-group the user is currently interested in is checked to see if it contains the right role.
                    Or
                    2) For every user/company combination a different Subject is created containing the correct "Roles".


                    Another thing I don't like in my solution is that I use javax.servlet.Filter to add the company to my MyPrincipal. The problem here is that the authentication / authorization is handled before the filter is applied to the request. This results in a situation where I have to do a second authorization step (request) to check if the user is really authorized to see the resource.

                    Maybe the only solution is to write my own JAAS implementation but I would like to make use as much as possible from the existing JAAS implementation in JBoss. I don't want to reinvent the wheel.

                    I hope you can understand me better now and maybe have a good idea; otherwise I stay with my current implementation and get used to the drawbacks.

                    Thanks a lot, Cees van Wieringen.
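The following is an added example, not code from this thread or from JBoss. It shows option 1) from the first message in working form, together with the two-column role query discussed in replies 2 and 3: a getRoleSets()-style builder takes (company, role) rows for the authenticated user and puts them into a single "Roles" group that keeps one role set per company, and the group's isMember(Principal) consults the company the caller is currently working in, so a role granted for company1 is not honoured for company2. CompanyContext is a hypothetical thread-local stand-in for however the web layer communicates the selected company (the thread uses SecurityAssociation and a Filter for this); RolePrincipal, CompanyRolesGroup, buildRoleSets and hasRole are names chosen here. It assumes a JDK that still ships java.security.acl.Group (removed in JDK 14).

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class CompanyScopedRoles {

    /** Minimal role principal: equal by name, which is how a container compares role names. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return name; }
    }

    /** Hypothetical per-thread "current company"; a filter would set it in a real deployment. */
    static final class CompanyContext {
        private static final ThreadLocal<String> current = new ThreadLocal<String>();
        static void set(String company) { current.set(company); }
        static String get() { return current.get(); }
        static void clear() { current.remove(); }
    }

    /** The "Roles" group: one role set per company, so membership is answered per company. */
    static final class CompanyRolesGroup implements Group {
        private final Map<String, Set<Principal>> rolesByCompany = new HashMap<String, Set<Principal>>();

        public String getName() { return "Roles"; }

        void addRole(String company, Principal role) {
            Set<Principal> roles = rolesByCompany.get(company);
            if (roles == null) {
                roles = new HashSet<Principal>();
                rolesByCompany.put(company, roles);
            }
            roles.add(role);
        }

        public boolean isMember(Principal member) {
            String company = CompanyContext.get();
            if (company == null) {
                return false; // no company selected: deny rather than guess
            }
            Set<Principal> roles = rolesByCompany.get(company);
            return roles != null && roles.contains(member);
        }

        public Enumeration<? extends Principal> members() {
            Set<Principal> all = new HashSet<Principal>();
            for (Set<Principal> roles : rolesByCompany.values()) {
                all.addAll(roles);
            }
            return Collections.enumeration(all);
        }
        public boolean addMember(Principal user) { throw new UnsupportedOperationException("use addRole"); }
        public boolean removeMember(Principal user) { throw new UnsupportedOperationException(); }
    }

    /** Stands in for getRoleSets(): each row is {company, role} for the user being authenticated. */
    static Group[] buildRoleSets(String[][] companyRoleRows) {
        CompanyRolesGroup roles = new CompanyRolesGroup();
        for (String[] row : companyRoleRows) {
            roles.addRole(row[0], new RolePrincipal(row[1]));
        }
        return new Group[] { roles };
    }

    /** What a container role check reduces to: find the "Roles" group and ask isMember for the role. */
    static boolean hasRole(Subject subject, String company, String role) {
        CompanyContext.set(company);
        try {
            for (Group g : subject.getPrincipals(Group.class)) {
                if ("Roles".equals(g.getName()) && g.isMember(new RolePrincipal(role))) {
                    return true;
                }
            }
            return false;
        } finally {
            CompanyContext.clear();
        }
    }

    public static void main(String[] args) {
        // Constructed sample rows, as "select company, role from userroles where userid=?" might return for user1.
        String[][] rows = { { "company1", "guest" }, { "company1", "admin" }, { "company2", "guest" } };
        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("user1"));
        for (Group g : buildRoleSets(rows)) {
            subject.getPrincipals().add(g);
        }
        System.out.println("user1 admin in company1: " + hasRole(subject, "company1", "admin"));
        System.out.println("user1 admin in company2: " + hasRole(subject, "company2", "admin"));
        System.out.println("user1 guest in company2: " + hasRole(subject, "company2", "guest"));
    }
}
```

The point of keeping a single "Roles" group with per-company sets, rather than one group per company, is that a container only ever calls isMember(Principal) with the role name, exactly the limitation described in reply 4; the company has to come from somewhere else, and the group denies when no company is selected instead of falling back to any company's roles.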