Set of user roles in Tomcat servlets

I'm using Tomcat's role based authentication scheme for security of my web application and want to build a servlet to show a dynamic options menu based on the authenticated user's roles using my role-option table (with option and role columns). I want to know how to programmatically obtain the set of roles of the authenticated user, independent from the type of the security realm used (MemoryRealm, JDBCRealm, JNDIRealm, etc.).

When I was looking at this a year ago I fired off an email to the JAAS guys and the servlet guys. I don't think there's anything that will help you that's in the standards. Perhaps websphere has its own API. I ended up punting and writing my own security layer using Filters and JAAS, with the drawback that my web server security doesn't flow into the EJB tier. Good luck with your project.
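The Servlet API has no portable getRoles(), but isUserInRole() is realm-independent because the realm (MemoryRealm, JDBCRealm, JNDIRealm) resolves membership behind it. The following is an added example, not code from the original thread: it probes each role named in the role-option table and builds the menu from the roles the user actually holds. MenuServlet, OPTION_ROLES and the option labels are hypothetical stand-ins for the poster's own table, which would normally be loaded from the database. Every role name probed must be declared as a `<security-role>` in web.xml; without a `<security-role-ref>` the container maps the name as given.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Builds a per-user options menu from a role-option table using only
 * HttpServletRequest.isUserInRole(), so the same code works with a
 * MemoryRealm, JDBCRealm or JNDIRealm: the container resolves membership.
 */
public class MenuServlet extends HttpServlet {

    // Hypothetical stand-in for the role-option table (option -> role that may see it).
    // Constructed sample data; in the real application it is read from the database.
    private static final Map<String, String> OPTION_ROLES = new LinkedHashMap<>();
    static {
        OPTION_ROLES.put("View schedule", "user");
        OPTION_ROLES.put("Manage assignments", "manage");
        OPTION_ROLES.put("Add students", "admin");
    }

    /**
     * Returns the subset of candidateRoles that the authenticated user holds.
     * Probing each role the application cares about is the portable way to
     * recover the set, since there is no standard getRoles().
     */
    static Set<String> heldRoles(HttpServletRequest request, Set<String> candidateRoles) {
        Set<String> held = new LinkedHashSet<>();
        if (request.getUserPrincipal() == null) {
            return held; // unauthenticated request: no roles at all
        }
        for (String role : candidateRoles) {
            if (request.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    /** Selects the options whose required role the user holds, in table order. */
    static Set<String> allowedOptions(Map<String, String> optionRoles, Set<String> held) {
        Set<String> allowed = new LinkedHashSet<>();
        for (Map.Entry<String, String> e : optionRoles.entrySet()) {
            if (held.contains(e.getValue())) {
                allowed.add(e.getKey());
            }
        }
        return allowed;
    }

    /** Minimal HTML escaping so option labels coming from the database cannot inject markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The candidate roles are exactly the roles referenced by the option table.
        Set<String> candidates = new LinkedHashSet<>(OPTION_ROLES.values());
        Set<String> held = heldRoles(request, candidates);
        Set<String> options = allowedOptions(OPTION_ROLES, held);

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<ul>");
        for (String option : options) {
            out.println("<li>" + escapeHtml(option) + "</li>");
        }
        out.println("</ul>");
    }
}
```

Tomcat's own principal class does expose the role list directly, but casting to it ties the servlet to Tomcat internals, which is what the question wants to avoid. Note also that hiding a menu entry is presentation only: the pages behind each option still need their own `<security-constraint>` in web.xml, because a user who knows the URL is not stopped by a missing link.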

Similar Messages

  • Read the user-role of TomCat in Struts

    Hi guys !
    I'm developing an application based on Tomcat and Struts. I have secured my application with Tomcat and I want to know if it's possible to get the role name of the user in a Struts action class?
    How can I do that ?
    Thank you in advance.
    Bye

    The struts action class has access to the HttpSession object (session). I think the role is stored in there somewhere.
    //inside Action
    HttpSession session = request.getSession();
    String role = (String) session.getAttribute("role");
    if ("admin".equals(role)) {  // null-safe comparison: the attribute may be absent
        //do the naughty business
    }
    Correct me if the name of the attribute is not "role", please.

  • User Role problems in Sun Java Application Server Platform Edition 8

    I am having two problems setting up user roles in Sun Java Application Server Platform Edition 8. At first, I thought that it was a problem with the higher level features that I was using, so I created a very simple example using the simplest authentication I can use, but the problem still occurs. I am using the file realm and configuring the users in the App Server Admin Console. I create 2 users in different roles. One user should have access, the other should not.
    1) The first problem is that both users can access the page
    2) The second problem is that the isUserInRole() method returns false for both users with the role that it should be authenticating against.
    Here is a sample of my code:
    Users Configured in Console:
    username password roles
    user1 ********** admin
    user2 ********** noaccess
    web.xml
         <security-role>
              <role-name>admin</role-name>
         </security-role>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>My Protected Area</web-resource-name>
                   <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>admin</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>file</realm-name>
         </login-config>
         <servlet>
              <servlet-name>
                   TestServlet
              </servlet-name>
              <servlet-class>
                   mypackage.TestServlet
              </servlet-class>
              <security-role-ref>
                   <role-name>admin</role-name>
                   <role-link>admin</role-link>
              </security-role-ref>
         </servlet>
         <servlet-mapping>
              <servlet-name>
                   TestServlet
              </servlet-name>
              <url-pattern>
                   /TestServlet
              </url-pattern>
         </servlet-mapping>
    TestServlet.java:
              out.println("admin role: " + request.isUserInRole("admin") + "<BR/>");
    Thanks beforehand for any responses.
    - Brian

    Hi Jeanfrancois,
    Your suggestion has led me to find my problem. There were actually three problems.
    1) First, your suggestion to reorder my xml file did not cause any errors to occur. I got suspicious that my web.xml file was wrong. I looked at some sample web.xml files and found that I was missing the header as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
    2) When I added this information, the deploy feature failed stating that my web.xml file was out of order. I fixed the ordering. It now deployed, but the security still wasn't working.
    3) I then added the sun-web.xml file. This file was missing beforehand as I thought it was unnecessary. However, this file added the essential mapping from a role to a group. After adding this, it now started to work.
    Thanks so much for your time and effort. You really did help me.
    - Brian Blank

  • Trying to set up multiple users, multiple roles in Tomcat

    I've been learning webapps by making a webapp for the school where my wife works -- to manage assigning students to the rotating schedule of art periods throughout the year. Lots of fun and very good learning. I bought a Tomcat book, installed Tomcat 4.1.24, and have been writing html, jsp's, servlets, etc.
    I've got a good deal of it working. Now I see that there will be areas of the app where it makes sense to restrict access to only those who have the roles -- the teacher who does the basic assignments work will have "manage" role, my wife who works in admissions will have "admin" access to the areas that allow students to be added to the database, general users will have access to areas where information is available but they can't change things. That sort of security planning.
    I'm not worried about industrial strength security. It's a nice place, no big security worries with the students, it's not on the web, just the school's local network. So I plan to use Tomcat's BASIC auth, and I've tried to set it up in the tomcat-users.xml and the webapp's web.xml.
    So I have 3 roles in tomcat-users.xml - user, manage, and admin. There would be a general user, named "user" with user role. That one could get in to the opening page, and to any other page not further restricted. The teacher would have "user" role to get in, and "manage" role to get to those pages that involve assignment tasks. My wife would have "user" to get in, and "admin" for admin stuff. A user would be blocked at the "secure" pages, but having logged in with both roles, the teacher and my wife would get them without further authentication.
    <tomcat-users>
    <role rolename="user"/>
    <role rolename="manage"/>
    <role rolename="admin"/>
    <user username="user" password="userhat" roles="user"/>
    <user username="hillary" password="managehat" roles="user,manage"/>
    <user username="susan" password="adminhat" roles="user,admin"/>
    </tomcat-users>
    In the web.xml, I thought I could set up 2 different "security areas" in the web.xml, as a "proof of concept" exercise.
    <security-constraint>
    <display-name>Entry Level Security</display-name>
    <web-resource-collection>
    <web-resource-name>Open Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>user</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <display-name>Art Blocks Secure Pages</display-name>
    <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    <role-name>manage</role-name>
    </auth-constraint>
    </security-constraint>
    However I find that the general user, after passing the BASIC authentication popup, gets the opening page, but then can get to the admin stuff without any further popups. I must be missing something.

    Hi,
    Tomcat is not big on security. It doesn't have good security in standalone mode. Whenever I used Tomcat, another web server like Apache was used to provide authentication. This doesn't answer questions but you know at least not to expect too much.
    http://galileo.spaceports.com/~ibidris/

  • User Valid to changed while assigning role to a set of users in SU10

    Hi All
    I had a task of assigning a role to a set of users in various systems across the landscape. I find that some of the users had their valid to date (logon data tab) changed to their last login date. Moreover, in every system the list of user ids who had this issue of valid to date changed to their last logon date is different. It seems it occurs randomly in various systems, but out of every 10-11 users 3-4 get affected with this issue. Has anyone faced such an issue before, and how could we resolve this issue?
    Many thanks for your help and time !!
    Best Regards
    Prashant

    Have you checked OSS notes? Maybe note 1325775 may be relevant for you.
    Cheers

  • To set a default role according to the user.

    Hi,
    I would like to set different default roles according to users. For example, we have the following prerequisites:
    1) 3 roles: roleA | roleB | roleC (in this order).
    2) 3 different users: user1, user2, user3.
    So, if I log-in with the user1, the default role should be the roleA; if I log-in with the user2, the default role should be the roleB; and so on.
    But I don't want to change the order of the roles using "sort priority" property.
    How can I do this?
    Thanks,
    Samantha.

    Hello Samantha,
    Does each of the users need to have each of the roles? If not you could just not assign the other roles except the one you want to display as default role (I assume you mean the role that is displayed first after logon).
    If each of your users needs every role, I am afraid your requirement is not realizable unless you use the sort priority property. Why don't you want to use it in the first place?
    One possible yet circuitous way to meet your requirements would be the following:
    Create another role for each of your user(-group)s. Say in your case Role 1, Role 2 and Role 3 which are not defined as entry points.
    Assign roleA, roleB and roleC to Role 1 where roleA has the lowest sort priority; and assign user1 to role 1.
    Assign roleA, roleB, roleC to Role 2 where roleB has the lowest sort priority; and assign user 2 to Role 2
    and so on.
    Of course you need to use sort priority for that and I think that's hard to maintain. (probably not even what you are looking for)
    Maybe you can get a little more concrete about what you are trying to achieve.
    best regards
    Stefan

  • Setting personal tab layout to User Role default

    Hi All,
    Does anyone know of a way that a user can return their personal tab layout to the User Role default layout if they have made changes? I know how to do this with individual page layouts, but can't seem to find a way to do it for tabs.
    Cheers,
    Cameron

    Not quite what I was hoping to hear, but thanks for the response Arvindh.
    Regards,
    Cameron.

  • Unable to authorize user using AccessControlService and user.roles and user.privileges are not set properly

    Hi,
    I am trying to enable/disable a feature based on user.roles.
    Added a constraint for that feature as below,
        <adfmf:constraints>
          <adfmf:constraint property="user.roles" operator="contains" value="manager" id="c1"/>
        </adfmf:constraints>
    In this case, users that have the manager role should be able to access this feature.
    My AccessControlService response is
    {"userId" : "sales_mgr","roles" : [ "manager","MOO_OPPORTUNITY_SALES_MANAGER_DUTY","ZBS_ENT_SALES_MANAGER_DUTY"],"privileges" : [ "managerPriv","ZSF_DEFINE_SALES_FORECAST_PRIV","MOO_MANAGE_OPPORTUNITY_GROUP_SPACE_PRIV"]}
    The response has "manager" as one such role.
    After adding the constraint to the feature, I am unable to access it.
    I tried many possibilities like operator="contains" or "not" or "equal", but no use.
    I don't know what is going wrong. Appreciate your help.
    Thanks.

    If you are on 11.5.10 or greater or standalone 2.6.4 if you pass the responder value to wf_notification.respond API it should be updated in wf_notifications.responder column. The comments is now updated in wf_comments table against the notification id and not wf_notifications.user_comment column.
    Thanks, Vijay

  • User profiles. Tomcat's web authentication

    hi all ! I don't know if this has an easy implementation in JAVA.
    My webapp can have one user with different profiles, lets say administrative and manager. So one user could access both restricted areas in my program.
    The users/pass are saved in a Database and make use of Tomcat's user authentication
    So far I'm just able to save one profile per user and I would like to know the best way to do it the way I want.
    Thanks for the help.

    ok thanks for the clarification, that's what I used when I first set up the form authentication.
    Still I have problems giving the users more than one role even if it seems to be permitted.
    So for example for a user role I use: Gerencia,Administracion and both roles are valid separately.
    I get "Access denied" when they are used together.
    Thanks for the help.

  • How to hide custom fields in Shopping cart depending on user role

    Hi,
    We have some custom fields in shopping cart for basic view. Every thing works fine. Now client is asking to hide all the custom fields based on user role.
    I found some function module to find roles. Now my main problem is that I am unable to find the custom field's screen field name.
    When I tried to find the screen field name using BBPSC02/03, it's giving 'GT_DISPLAY_100-FIELD'. If I try to use this field, it's not working.
    Could you please tell me how to find the custom screen field name to hide in the shopping cart.
    Thanks,
    Ram

    Hi Ram,
    As Laurent suggested, to hide the custom fields based on the user role, you need to implement the logic in BADi "BBP_CUF_BADI_2".
    You have the importing parameter IV_USER in this BADI.
    Pass this parameter to tables AGR_USERS and AGR_USERT  to get the user role
    OR
    Use FM: BAPI_USER_GET_DETAIL
    with USERNAME= user id and can retrieve Table: ACTIVITYGROUPS Field:AGR_NAME
    if you want the otherway around
    you can also use FM: RSRA_USERS_OF_AGR_GET
    with I_AGR_NAME= role and you can retrieve Table: ACTIVITY_GROUPS_USERS Field: UNAME (user Id)
    Then check the value for the User role as obtained using the above steps and accordingly set the property for the custom fields to hide them.
    BR,
    Deepti.

  • How to set the number of seconds a servlet is allowed to run

    I use JSP to generate a report, but it will take about 10 minutes to search.
    The IE client screen displays an error message which is "Cannot find out your page" after 8 minutes. How to set the number of seconds a servlet is allowed to run?

    It's not a matter of how long the servlet is running... it's the browser timing out because the servlet hasn't responded to its request.
    You have several options:
    1) "Browser Pinging"
    Your servlet sends some small data which can be either seen or unseen (html comments, hidden chars, etc) by the user at short intervals while your report is running. When the report is finished, the browser will not have timed out because it has been "snacking" on those small bits of data which tell the browser its original request was both heard and being handled. I don't think there is any timeout in IE as long as it receives data continually (or at least before its own timeout mark over and over again...)
    2) Multithreaded processing
    This would probably be a better approach. Have the report run in a separate thread running on the server. You'd want to store a reference to this executing report in the user's session. Instead of making the browser wait for the report to be finished, have the servlet check the user's session to see if a report exists and is running. If one does not exist, create one and start its execution. If one does exist, and is still running, print a "please wait" type of message OR an animation, etc... along with some javascript which will reload the page every few seconds. If the page reloads and the servlet sees that the report is finished, it can then display it to the user.
    Hope this helps,
    -Scott

  • Request Offerings not showing up for custom User role in SMPortal

    Hello All,
    I've created a custom End User role and scoped it to the domain users group.
    To this role I want to show a specific set of Request Offerings on the portal
    For that Purpose I created a new Service Offering and added these Request Offerings to it.
    I then went on to create a Catalog Group and added the Service Offering to it.
    I then created the custom user role based on the EndUser role and allowed them to see all Forms, all Queues, All CI's and on the Catalog group I select that they could only see the Catalog Group which I just created.
    I then logged in into the SMPortal and was expecting that my Service Offering would be shown to them.
    However, they don't see the service offering.
    What could cause this?
    Is there something I'm missing?
    Thanks in advance!
    Filip

    You have to add the Service Offerings and the Request Offerings in the Catalog Group. Nesting doesn't work because Service Offerings and Request Offerings are different types of objects.
    This offers the option to manage access to Service Offerings and Request Offerings in a very granular way if needed. For instance you can control access to a Service Offering in one Catalog Group related to one user role (A) and use two additional Catalog Groups with different Request Offerings related to other user roles (B) and (C). The result will be:
    User in Role A and B -> Can see Service Offerings A containing Request Offerings B
    User in Role A and C -> Can see Service Offerings A containing Request Offerings C
    User in Role A, B and C -> Can see Service Offerings A containing Request Offerings B and C
    User in Role A only -> Doesn't see anything because of the missing permission on any Request Offering. So the "empty" Service Request won't show up in the portal.
    Hope this helps.
    Andreas Baumgarten | H&D International Group

  • Tomcat servlet respond with "302 Moved Temporarily" to HTTP GET requests

    I started Tomcat (4.1.31) on a Unix machine (SunOS 5.8)
    I tested the tomcat servlet using the following commands:
    telnet 0 80
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    GET /index.html HTTP/1.0
    HTTP/1.1 302 Moved Temporarily
    Location: http://localhost/
    Content-Length: 0
    Date: Mon, 17 Oct 2005 18:09:15 GMT
    Server: Apache-Coyote/1.1
    Connection: close
    Any other servlet that I test responds with the same result
    Tomcat version 4.1.31
    SDK build 1.3.1_02-b02
    Solaris SunOS 5.8

    "302 Moved Temporarily" is a web server error (I googled it - see e.g. http://www.checkupdown.com/status/E302.html)
    Two recommendations that you can try:
    - do not use 'localhost' - use computer assigned name, or at worst IP address
    - in my system, Server URL is set to http://ecm-base:16200/cs/idcplg (from ODC). Try to modify yours accordingly.

  • User Library - User Roles RoboSource 3

    When using RoboHelp Server 7 and RoboSource Control 3.1, there is a short help topic that describes the User Library - User Roles - and each permission (what it enables or disables). This is pretty brief information. I'm having many different issues with getting permissions set up for each of the authors on my technical writing team at my company. Does anyone out there have any more information (more details) on what each permission does and enables? I don't think I should have to assign all rights, especially admin and subadmin to all of my users just to get everything working the way I want it to.

    Finally got an answer from Adobe customer support. Having gone back and forth for a while with a web case and getting nowhere fast, I called and talked to the customer support representative on the telephone. A couple of things helped clarify my issue. First of all, the difference between X5 and RH7 source control is that the default behavior when deleting using the client is now to "hide" topics rather than delete them from the database permanently. You can keep users from bringing those topics back by not giving them the unhide right. The only way to actually delete a topic from the database permanently now is to use the RoboSource Control Explorer, which breaks the project. Of course, I just check out the folder fpj file, modify it myself, and check it back in to fix that issue. But who wants to do that all the time? And not all of us understand XML and are able to do that. OK, so that is the first issue. One has to understand that hiding is deleting now. But on to the second issue. Why was the topic I was deleting only being hidden from me and not all of the other users on our team? Turns out I should not be giving Admin and Sub-Admin rights to myself as an authoring user. Only the "Admin" user account should have these rights, and only for administration, only use the Admin account. After removing these rights, I was then able to delete topics and the topics would then not show up for any of my team. I also found another issue resolved by taking these rights from my authoring user account. When I had the admin and sub-admin rights, I could not re-import topics another time. I would get a message that said the topic already existed in the project. After removing the rights, I could then choose to overwrite the existing topic or not. Thus, my other post in this RoboSource Control forum about wanting more than a one-liner on user rights is even more important. I submitted a feature request for better documentation of user rights. Let's hope someone listens!

  • Tomcat Servlet - TCP Port Already in Use?

    My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
    My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
    Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet). After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
    I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window. No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
    2.5 years with Java. 5 years with Linux and C.
    Please advise or refer

    rwengr wrote:
    > My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
    Nice.... Not sure that matters though.
    > My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
    > Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet).
    Bleah! Don't use a JSP for that. Use a servlet at worst. At best use a Servlet to start some other socket manager class which you can/have tested outside the Servlet Container environment.
    > After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
    > I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window.
    Closing the browser window has no effect on the server.
    > No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
    > 2.5 years with Java. 5 years with Linux and C.
    > Please advise or refer
    Show some code. If you just want some generic advice it would be to close the port as soon as you don't need it anymore. But you know that. Without any further code I think that is about all that can be said.
    P.S. Make the code as small as possible, compilable, but still demonstrating the problem. Also see: [this tutorial as an example...|http://www.javaworld.com/javaworld/jw-12-1996/jw-12-sockets.html?page=1]
