Bomin

Reputation: 1667

How to get the security role with the user id in Websphere Application server

My application is hosted by server A, and the other application is hosted by server B. "The other application" sometimes posts a request to my application, and in the request header I can get the user id. Is it possible for me to get the user's security role from this user id that is posted by "the other application"? All the requests from server B are trusted.

I'm using WebSphere Application Server 8.0.0.5.

Update

Let me rephrase the scenario, without using "server" this time. There are three applications: A, B and C. When a specific request from "the user" goes to A, A publishes a JMS event to B, and then B sends a request to C. C is my application, and B is "the other application" I mentioned above. So the request from B to C is not an authenticated request (I am not able to get the principal from the request instance). All I can get from the request header is the user's id.

  1. I'm not able to use the isUserInRole method
  2. The role is managed by WebSphere

Upvotes: 1

Views: 2675

Answers (1)

Beryllium

Reputation: 12988

As for the servlet/EJB API, you can only check if a user is in a certain role, but you cannot get the list of assigned roles.

If the user you get in the request header is authenticated by server A, you can call HttpServletRequest.isUserInRole against a list of known role names.

In your case the user is probably not authenticated by server A (because there is a trust), so this is not possible - there is no official API. I am not aware of a WebSphere specific API.

Options (all of these are only applicable if there is really a trust):

  1. Server B could pass the role(s) in a request header as well
  2. Implement an EJB/web service etc. on server B, so that server A can query for the roles of a given user
  3. If the roles are managed by an external system (LDAP etc.), you could get the roles from that system

Update (considering the comment which changes the scenario)

  • B could put the role of the calling user in a message property as well.

  • B could authenticate on C (C requires authentication from B)

  • If you cannot do that, and you cannot get the role either from WebSphere or from any other external system (LDAP for example), then I am not aware of another possibility.

Upvotes: 1
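One way to apply options 1 and 2 inside application C, as an added example that is not code from the answer or from WebSphere: roles are "enumerated" by probing isUserInRole against a fixed list of known names, and roles forwarded by B in a header are accepted only when the B to C hop itself is authenticated. The role names, the X-Forwarded-Roles header and the ServiceCaller role are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

// Added example for application C: helpers around the servlet security API.
// Role names and the header name below are assumptions, not values from the question.
public final class ForwardedRoles {

    // The only role names C knows; isUserInRole can probe a name but cannot list roles.
    static final List<String> KNOWN_ROLES = Arrays.asList("admin", "editor", "viewer");

    // Role that B's technical identity must hold once B authenticates to C (option 2).
    static final String TRUSTED_CALLER_ROLE = "ServiceCaller";

    /** Roles of the authenticated caller, found by probing each known name. */
    public static List<String> probeRoles(HttpServletRequest req) {
        List<String> held = new ArrayList<String>();
        for (String role : KNOWN_ROLES) {
            if (req.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    /**
     * Roles of the end user as forwarded by B in a header (option 1). Returns an
     * empty list unless the B -> C request is authenticated and the caller holds
     * TRUSTED_CALLER_ROLE: an anonymous request is not trusted because of a header.
     */
    public static List<String> forwardedRoles(HttpServletRequest req) {
        if (req.getUserPrincipal() == null || !req.isUserInRole(TRUSTED_CALLER_ROLE)) {
            return Collections.emptyList();
        }
        String header = req.getHeader("X-Forwarded-Roles"); // assumed header name
        List<String> roles = new ArrayList<String>();
        if (header != null) {
            for (String raw : header.split(",")) {
                String name = raw.trim();
                if (KNOWN_ROLES.contains(name)) { // ignore names C does not define
                    roles.add(name);
                }
            }
        }
        return roles;
    }
}
```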
