5 Replies Latest reply on Apr 17, 2005 6:58 AM by Jeff Schnitzer

    Using isUserInRole() on unsecured page

    huck Newbie

      I've observed that HttpServletRequest.isUserInRole() always returns false (regardless of the argument given) when called from an unsecured resource, even if the user has already been authenticated during the session. Similarly, getUserPrincipal() always returns null under these circumstances.

      I've seen several posts regarding this topic, and I'm curious if the JBoss development team is convinced that it works correctly. I think it's pretty clear from the servlet spec that once a user is authenticated, these methods should reflect this. I didn't see any exclusions regarding unsecured pages. And if there is any doubt, you can always check the reference implementation -- Tomcat 4.1.29 standalone returns the same values for these functions regardless of whether invoked in the context of a secured or unsecured page. In fact, I've never seen another servlet container that handles this the way JBoss does.

      The JBoss behavior is problematic for any web app that tailors the content of unsecured pages depending on the authenticated role of the user. For instance, you may want a JSP to omit links to secured resources on a page if the viewer is not authorized to access them anyway.

      Has this issue been reviewed by the development team, and is any action planned?

      Huck

        • 1. Re: Using isUserInRole() on unsecured page
          ahardy66 Novice

          Huck,
          is your embedded tomcat 4.x or 5.x?

          AFAIK tomcat 5.x standalone invokes this behaviour as well, PITA that it may be.

          While I mostly hold the servlet spec team & tomcat (& increasingly the JBoss) developers in high regard for the quality of their decisions, in this case it smacks to me of 'nanny-ism'.

          I believe it is done in the cause of increased security, although I am not quite clear and haven't been able to get a clear answer out of anybody (but I'm still trying). I have even been trying to get hold of the servlet spec team contact address, but haven't got there yet.

          Adam

          • 2. Re: Using isUserInRole() on unsecured page
            huck Newbie

            Adam,

            I was using the default embedded Tomcat for JBoss 3.2.3, which is 4.1.29. I compared it with the same version of the standalone product, with which the behavior differs. According to the last post in the thread at http://www.jboss.org/index.html?module=bb&op=viewtopic&t=26355, something has been added to the 2.4 servlet spec that supports our position -- in section (SRV.12.10 Login and Logout) it says

            "Being logged in to a web application corresponds precisely to there being a valid non-null value in getUserPrincipal method, discussed in SRV.12.3".

            Under this, the current behavior of JBoss will be equivalent to forcibly logging out a user every time he goes from a secured to an unsecured page.

            Barry

            • 3. Re: Using isUserInRole() on unsecured page
              ahardy66 Novice

              That is just your interpretation of the spec. It doesn't mention what should happen on pages that are not under any security constraint.

              I have to admit though that I am not prepared to read the whole spec from back to front to find out if they do mention what should happen anywhere, because I'm pretty sure they do.

              These guys interpret it, program their container and we use it.

              As I said though, I am trying to find out more in order to understand why they are doing it. Once I understand why, if I still disagree, then I'll probably launch some sort of petition to get it changed. I knew I wasn't the only one affected, but just how many of us there are, I don't know.

              • 4. Re: Using isUserInRole() on unsecured page
                mbeyer73 Newbie

                I just found out this workaround:

                1. Copy the secured directory to an unsecured directory each time on build.

                2. Let a Filter log in to the unsecured pages automatically with a "guest account" (the methods will still return null there BUT you can access secured EJBs).

                Seems to work! What do you think?

                Cheers!
                Marcus
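Both Huck's opening scenario (a JSP that hides links to secured resources from viewers who could not follow them) and Marcus's filter-based workaround above lean on the same idea: the container only reports the principal on requests to constrained resources, so something has to carry that information over to the unconstrained pages. The filter below is an added example written for this thread; it is not code from the thread, from JBoss or from Tomcat, and it does not change the container behaviour under discussion. It assumes the Servlet 2.3+ `javax.servlet.Filter` API and the behaviour Huck describes (`getUserPrincipal()` is null on unconstrained pages); the class name, the session attribute name `app.roleSnapshot` and the init-param name `roles` are choices made here, not standard identifiers. Whenever the container does expose the principal, the filter records the principal name and which of the configured application roles the user holds into the session; unconstrained pages read that snapshot through `viewerHasRole()`.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not JBoss/Tomcat code). Records what the container reports
 * about the authenticated user on requests where it is visible (constrained
 * resources) so that unconstrained pages can tailor their output.
 *
 * The snapshot is for presentation only: hiding links the user could not
 * follow anyway. Access to secured resources is still enforced by the
 * container's security constraints, never by this session attribute.
 */
public class RoleSnapshotFilter implements Filter {

    /** Session attribute holding the snapshot (name chosen for this example). */
    public static final String ATTR = "app.roleSnapshot";

    /** Application roles worth remembering; init-param "roles", comma separated. */
    private Set roles = Collections.EMPTY_SET;

    public void init(FilterConfig config) throws ServletException {
        Set parsed = new HashSet();
        String list = config.getInitParameter("roles");
        if (list != null) {
            String[] parts = list.split(",");
            for (int i = 0; i < parts.length; i++) {
                String r = parts[i].trim();
                if (r.length() > 0) parsed.add(r);
            }
        }
        roles = parsed;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal p = http.getUserPrincipal();
            if (p != null) {
                // The container knows the user on this request: ask it about
                // each configured role and keep the answers for later pages.
                Set granted = new HashSet();
                for (Iterator it = roles.iterator(); it.hasNext();) {
                    String role = (String) it.next();
                    if (http.isUserInRole(role)) granted.add(role);
                }
                http.getSession(true).setAttribute(ATTR, new Snapshot(p.getName(), granted));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Immutable record of what the container reported on the last constrained request. */
    public static final class Snapshot implements Serializable {
        private final String name;
        private final Set held;

        Snapshot(String name, Set held) {
            this.name = name;
            this.held = Collections.unmodifiableSet(new HashSet(held));
        }

        public String getName() { return name; }

        public boolean hasRole(String role) { return held.contains(role); }
    }

    /** Helper for JSPs and servlets: container answer first, session snapshot as fallback. */
    public static boolean viewerHasRole(HttpServletRequest req, String role) {
        if (req.getUserPrincipal() != null) return req.isUserInRole(role);
        HttpSession s = req.getSession(false);
        Snapshot snap = (s == null) ? null : (Snapshot) s.getAttribute(ATTR);
        return snap != null && snap.hasRole(role);
    }
}
```

Map the filter to `/*` in web.xml with a `roles` init-param such as `admin,editor`, so it runs on every request and refreshes the snapshot each time the user touches a constrained page. An unsecured JSP can then write `<% if (RoleSnapshotFilter.viewerHasRole(request, "admin")) { %> ... <% } %>` around a link to an admin-only resource. Two caveats follow from the design: the snapshot is only as current as the user's last constrained request, so role changes made mid-session show up late, and it must never be the thing that decides access, since the container's constraints on the secured resources themselves remain the authorization check; invalidating the session on logout discards the snapshot along with everything else.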

                • 5. Re: Using isUserInRole() on unsecured page
                  Jeff Schnitzer Newbie

                  "ahardy66" wrote:
                  These guys interpret it, program their container and we use it.

                  What I like about JBoss is that it isn't just a dumb implementation of a spec. Fleury & Co can "do it right" no matter what the spec says.

                  It's pretty clear that the J2EE integrated security parts of the servlet spec are seriously deficient. I was making these exact same complaints four years ago and it's still not fixed. Just try implementing a "remember me" checkbox... you can't without bypassing the system entirely.

                  Useful software trumps "compliant" software...

                  Jeff