8 Replies Latest reply on Aug 28, 2007 6:37 PM by Abhijit Ambadkar

    isUserInRole(String role) doesn't work

    Bruce Newbie

      In jBoss portal 2.0, I create a user, and assign roles to the user.
      Then I login jboss portal2.0 with this user account.
      But in my portlet, isUserInRole method doesn't work, it always return false. getRemoteUser() method works and returns the authenticated name.
      What's wrong? Did I make any mistakes? Or is it a jBoss Portal bug?
      Thanks.

      Bruce

        • 1. Re: isUserInRole(String role) doesn't work
          Viet Master

          yes you need to put the role name in the section portlet of the portlet.xml deployment descriptor

          • 2. Re: isUserInRole(String role) doesn't work
            Patrick Dalla Bernardina Apprentice

            Well, Julien is correct.

            But I think this behavior is not the best behavior.

            Roles and role membership can be created after the portlet is deployed, and sometimes the portlet needs to know the existence of this changes without change in its configuration and redeploy.

            It would be nice to change this behavior in next releases.

            I had to change JBoss portal code and recompile to change this behavior.

            • 3. Re: isUserInRole(String role) doesn't work
              Viet Master

              this is what the spec says though ....

              • 4. Re: isUserInRole(String role) doesn't work
                Bruce Newbie

                Thanks Julien and Patrick, your replies really make my understanding more clearly.

                • 5. Re: isUserInRole(String role) doesn't work
                  Antoine Herzog Master

                  Hello,

                  an old topic, but I still have the same need.

                  the spec is nice.
                  --------------------------------------------------------------------------
                  it allows that the portlet knows what features it provide, and what it's portlet-roles are needed for thoses.
                  then the portlet declaration allows to map the application roles (user roles) to theses features specific roles.

                  example :
                  Portlet has two features :
                  delete some record, with role authorization PRoleA
                  create a business process, with role authorization PRoleB
                  all other features are allowed to PRoleC

                  then, mapping of role allow to set, for use of this portlet in any application (portal), to map the users roles to theses three "portlet features roles".
                  As : URole_Admin to PRoleA, PRoleB, PRoleC
                  URole_BP_Manager to PRoleB, PRoleC
                  URole_Editor to PRoleA, PRoleC
                  and so on...

                  Advantages :
                  Decouple of roles, between "portlet features roles" and application user roles,
                  Allow to provide a portlet to "others" without knowing the user roles in the application/portal.
                  nice.
                  --------------------------------------------------------------------------

                  but, it is quite heavy to manage. It forces to declare explicitly all roles that must be available inside the portlet.

                  Use Case
                  --------------------------------------------------------------------------
                  20 to 30 roles
                  15 to 30 portlets
                  to manage either :
                  - internal users features (admin, manager, editor, data validator, hotliner for user),
                  - and external user features (visitor, loggued user of customer type A, loggued manager of customer type A, ... for customer type B and C).

                  and in the situation where portlets are dedicated to this application : ie, there is identity between portlet features roles and application user roles.
                  Example : they are developped specifically for this application.
                  --------------------------------------------------------------------------
                  Then, the decoupling is a heavy overhead.
                  The descriptors become a huge XML file of repeating the associations of roles, always the same. (30 portlets x 30 role-ref items !).
                  Maintenance and evolution is heavy, and bug generating.

                  Proposition :
                  --------------------------------------------------------------------------
                  To allow to define identity of role, for a bunch of them.
                  Using a regular expression, or at least wildcards.

                  <security-role-ref>
                   <role-name>*</role-name>
                   <role-link>*</role-link>
                  </security-role-ref>
                  

                  --------------------------------------------------------------------------

                  This would lightened the constraint to declare all explicitly, with preserving the nice decoupling capability (for commercial portlets, etc...).

                  Questions 1 :
                  How to send this request to the spec definition group ?

                  Questions 2 :
                  How to workaround this for the time being ?

                  What class is responsible for reading the descriptor and set the role visible in the portlets ?

                  To overload it, knowing it is not JSR-168 compliant...

                  Thanks,


                  • 6. Re: isUserInRole(String role) doesn't work
                    Viet Master

                    I think that the real issue needs to be adressed at the Servlet Spec level.

                    The portlet container itself is just delegating to the servlet request the isUserInRole(String roleName) method.

                    The only issue today I see with portlet container is that if the role is never specified in the portlet.xml then the portlet container will not make an access to the isUserInRole(String roleName) of the HttpServletRequest object provided at runtime.

                    • 7. Re: isUserInRole(String role) doesn't work
                      Viet Master

                      Here is the implementation of isUserInRole(String roleName) :

                       public boolean isUserInRole(String roleName)
                       {
                       // Get the map role name to role link
                       Map securityRoleRefsMap = ((PortletContainerImpl)((ContainerPortletInfo)(PortletInfo)invocation.getAttribute(PortletInvocation.INVOCATION_SCOPE, PortletContainerInvoker.PORTLET_CONTAINER_INFO)).getContainer()).getSecurityRoleRefsMap();
                      
                       // Process the role link
                       String roleLink = (String)securityRoleRefsMap.get(roleName);
                       if (roleLink == null)
                       {
                       if (securityRoleRefsMap.containsKey(roleName))
                       {
                       // The role name exist without a role link value
                       return securityContext.isUserInRole(roleName);
                       }
                       else
                       {
                       // No role name is defined
                       return false;
                       }
                       }
                       else
                       {
                       // We have the role link value
                       return securityContext.isUserInRole(roleLink);
                       }
                       }
                      



                      • 8. Re: isUserInRole(String role) doesn't work
                        Abhijit Ambadkar Newbie

                        I know that this question has been answered many times, but I cant seem to make it work so please help me.

                        I read PLT.20.3

                        I have update portlet.xml and added my role

                        <security-role-ref>
                         <role-name>myrole</role-name>
                         <role-link>myrole</role-link>
                        </security-role-ref>
                        


                        I have updated web.xml and added my role
                        <security-role>
                         <role-name>myrole</role-name>
                        </security-role>
                        


                        I have entered the value in the jbp_roles table

                        Since I am logging in against LDAP I am sure I am getting the role in the profile.

                        Yet I do not get isUserInRole("myrole") == true

                        Is there something I am missing?