5 Replies Latest reply on Feb 9, 2006 8:21 AM by chris griffith

    Obtaining user data

    Tomasz Zab?ocki Newbie


      I'm using JBossSX security infrastructure on my webapp. I specified ClientLoginModule and DatabaseServerLoginModule in my login-config.xml file. I'm authenticating users with the form authentication method. Everything seems to work allright - the resources are secured correctly.

      The issue is - how do I obtain authenticated user data?
      I want to personalize the web page depending on the roles assigned to that user. How do I access the user roles from the JSP level?


        • 1. Re: Obtaining user data
          chris griffith Expert

          Hello tzablock,

          Two ways immediately come to mind(assuming you are using Tomcat)...

          1.) per servlet spec, call HttpServletRequest's getUserPrincipal() method which if using Tomcat, will be an instance of org.apache.catalina.realm.GenericPrincipal principal. This class has a public String[] getRoles() method that will give you the roles.

          2.) another and in my opinion a better way, is to set the SecurityAssociationValves's subjectAttributeName parameter which will store the authenticated subject in the session under the configured name. Then you only need to get subject from HttpSession.

          let me know if I have not been clear enough, cgriffith

          • 2. Re: Obtaining user data
            Tomasz Zab?ocki Newbie

            Well the problem persists...

            I'm using standard installation of JBoss 4.0.3 EJB3 version. I didn't change anything about the container.

            Using the first option:

            request.getUserPrincipal() returned org.jboss.security.SimplePrincipal and this class doesn't supply me with getRoles() method.

            I'm quite confused about the second option though I'm interested in storing the subject data in the session rather than in the request - but still I can't understand how to do it...I'd like to have the subject stored in the HttpSession object and later on retreive the subject's principals and credentials...

            • 3. Re: Obtaining user data
              chris griffith Expert

              Oh yes, I forgot. The CustomPrincipalValve will replace the principal stored in the request with the "CallerPrincipal" added to authenticated subject.

              In that case, option 2 sounds better. Look at...


              In this xml file you will find a setting called "SubjectAttributeName".

              Let me know if you still can not get this going...


              • 4. Re: Obtaining user data
                Rick Gruber-Riemer Newbie


                You made my day with your solution 2 :-) Thank you very much.

                I am a bit unsure about the best way to put principals like email-address etc. into the subject. Chapter 8.4.7 of the JBoss 4.03 documentation says that "User identities (username, social security number, ...) are stored as Principal objects in the Subject Principals set".
                The challenge with Principals like org.jboss.security.SimplePrincipal is, that there is no key for the type of the user identity. Therefore I made my own class "ValuePrincipal", which has both the default name field and a new field "value". I use the name field as a key.
                So I store a new ValueObject("email", "foo@bar.com") in the principals set. The I can retrieve my email among all Prinicpals via a key.

                Is this the way to do it? Or is there another "key"-concept?

                • 5. Re: Obtaining user data
                  chris griffith Expert


                  Certainly your method of storing the email will work fine. I prefer to use custom Principals that have meaning by themselves. This is OOD. That is to say, If you create an EmailPrincipal class then you design will be cleaner by looking for the EmailPrincipal principal in the principal set.

                  Just my $.02. Enjoy and glad I could point you in the right direction,