5 Replies Latest reply on Feb 9, 2006 8:21 AM by j2ee_junkie

Obtaining user data

tzablock Feb 7, 2006 9:32 AM

Hi

I'm using JBossSX security infrastructure on my webapp. I specified ClientLoginModule and DatabaseServerLoginModule in my login-config.xml file. I'm authenticating users with the form authentication method. Everything seems to work allright - the resources are secured correctly.

The issue is - how do I obtain authenticated user data?
I want to personalize the web page depending on the roles assigned to that user. How do I access the user roles from the JSP level?

tzablock

1. Re: Obtaining user data

j2ee_junkie Feb 7, 2006 10:03 AM (in response to tzablock)

Hello tzablock,

Two ways immediately come to mind(assuming you are using Tomcat)...

1.) per servlet spec, call HttpServletRequest's getUserPrincipal() method which if using Tomcat, will be an instance of org.apache.catalina.realm.GenericPrincipal principal. This class has a public String[] getRoles() method that will give you the roles.

2.) another and in my opinion a better way, is to set the SecurityAssociationValves's subjectAttributeName parameter which will store the authenticated subject in the session under the configured name. Then you only need to get subject from HttpSession.

let me know if I have not been clear enough, cgriffith
Actions
2. Re: Obtaining user data

tzablock Feb 7, 2006 11:13 AM (in response to tzablock)

Well the problem persists...

I'm using standard installation of JBoss 4.0.3 EJB3 version. I didn't change anything about the container.

Using the first option:

request.getUserPrincipal() returned org.jboss.security.SimplePrincipal and this class doesn't supply me with getRoles() method.

I'm quite confused about the second option though I'm interested in storing the subject data in the session rather than in the request - but still I can't understand how to do it...I'd like to have the subject stored in the HttpSession object and later on retreive the subject's principals and credentials...
Actions
3. Re: Obtaining user data

j2ee_junkie Feb 7, 2006 4:01 PM (in response to tzablock)

Oh yes, I forgot. The CustomPrincipalValve will replace the principal stored in the request with the "CallerPrincipal" added to authenticated subject.

In that case, option 2 sounds better. Look at...

${SERVER_HOME_URL}/deploy/jbossweb-tomcat55.sar/MET-INF/jboss-service.xml

In this xml file you will find a setting called "SubjectAttributeName".

Let me know if you still can not get this going...

cgriffith
Actions
4. Re: Obtaining user data

vanosten Feb 8, 2006 3:53 AM (in response to tzablock)

Hi

You made my day with your solution 2 :-) Thank you very much.

I am a bit unsure about the best way to put principals like email-address etc. into the subject. Chapter 8.4.7 of the JBoss 4.03 documentation says that "User identities (username, social security number, ...) are stored as Principal objects in the Subject Principals set".
The challenge with Principals like org.jboss.security.SimplePrincipal is, that there is no key for the type of the user identity. Therefore I made my own class "ValuePrincipal", which has both the default name field and a new field "value". I use the name field as a key.
So I store a new ValueObject("email", "foo@bar.com") in the principals set. The I can retrieve my email among all Prinicpals via a key.

Is this the way to do it? Or is there another "key"-concept?
Actions
5. Re: Obtaining user data

j2ee_junkie Feb 9, 2006 8:21 AM (in response to tzablock)

vanosten,

Certainly your method of storing the email will work fine. I prefer to use custom Principals that have meaning by themselves. This is OOD. That is to say, If you create an EmailPrincipal class then you design will be cleaner by looking for the EmailPrincipal principal in the principal set.

Just my $.02. Enjoy and glad I could point you in the right direction,
cgriffith
Actions

Go to original post