Security restriction in web.xml for authenticated users without role membership

I am pretty desperate because I think there should be an easy solution to my problem, but I have been searching for it to no avail.

I am using a custom Realm in Glassfish 3.1.1. This custom realm (implementing AppservPasswordLoginModuleInterface) takes the security token from the HTTPS request, checks the security token, and then returns the user to Glassfish.

The problem is that the security token does not contain any groups, which means that the public String[] getGroupsList() method of my user realm returns an empty list (correctly, because there are no roles in the security token).

However, I would like to have a security constraint that only authenticated users can pass. I know that I can use the following constraint in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>mywebapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

But since I do not have groups, I cannot map groups to roles, so I cannot use the auth-constraint with a role name.

Is there a way in web.xml to specify that only authenticated users are allowed, ignoring what role they are in and ignoring whether they are in any role at all?

There are several solutions that I cannot implement:

  • I cannot change the underlying LDAP to include roles because the LDAP schema and the way LDAP users are mapped to security tokens are out of scope.
  • I need to use the current user realm; I cannot replace it with one of my own that just returns a default group. I tried it once and it worked, but I cannot replace the existing realm with my own, because the user realm must be shared.

But I really think there should be a way in web.xml to just ignore all groups and roles; I just want the user to be authenticated?

Any help would be appreciated.

+6
1 answer

Pretty old, but for those looking for an answer, you can use the role name *:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

This guy was able to solve it.

+15
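The constraint from the answer placed in a complete web.xml, as an added example that is not the poster's deployment descriptor or GlassFish's own code. It assumes a Servlet 3.0 descriptor (the level GlassFish 3.1.1 supports), a realm registered in GlassFish under the assumed name "myrealm", and a BASIC auth-method as a placeholder for whatever method triggers the custom realm. Two points worth checking on any container: per the Servlet specification, "*" is shorthand for all roles declared in the descriptor, so at least one security-role is declared; and on Servlet 3.1 or later containers "**" is the spec-defined name for "any authenticated user regardless of role", which is the exact semantics the question asks for.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's web.xml and not GlassFish code.
     Assumptions: Servlet 3.0, realm name "myrealm", BASIC as the auth-method. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Every URL under the context root requires an authenticated caller. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mywebapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" = all roles declared in this descriptor.
           Contrast: an empty <auth-constraint/> denies everyone, and omitting
           <auth-constraint> entirely allows unauthenticated access. -->
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The token is carried in the request, so require HTTPS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- "*" expands to the roles declared here, so declare at least one,
       even though the custom realm never assigns any group. -->
  <security-role>
    <role-name>Users</role-name>
  </security-role>

  <login-config>
    <!-- Both values are assumptions: use the method your realm is wired to
         and the realm name configured in the GlassFish server. -->
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>
```

When verifying the deployment, request a protected URL once without credentials (expect a 401 or redirect to the login mechanism) and once with a valid token (expect 200), so the constraint is confirmed to apply to the whole "/*" pattern rather than only to the pages you happened to test.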

Source: https://habr.com/ru/post/905735/
