usermanager, schmosermanager, it's all the same. The usermanagers are really
for the backend security datastore. The two usermanagers have a
parent-child relationship built in...

XMLUserManager ... the mother of all usermanagers is the parent. It uses a
file called principals.xml to store groups, users and passwords, etc. The
other two usermanagers only implement the minimum for adding users, managing
users with groups and authenticating users. What they don't implement is
managed by XMLUserManager, since it is the parent. Each application has its
own application wide usermanager, and this is declared in the
orion-application.xml (or in the default application, the
config/application.xml).

In addition, you will need to provide a principals.xml file for your
application. The principals.xml file will tell our application wide
usermanager which groups are going to be used. Groups are that Java thingy
like a Role, only it's a Group... and there's this other thingy... Group-Role
mapping. You also need to provide this mapping in the orion-application.xml
file. If you don't do this, you will only have the built in groups users,
administrators and guests...and only if the application has EXACTLY the same
roles will this work.

Once the deployment issues are out of the way, you can forget about the
usermanager. It's like the plumbing: it's not very nice if you have to get
into it, but once it works...you can forget about it. If you have deployed
the usermanager properly, you will never see it again.

UserManagers should be deployed and not used as an API. I never make calls
to a usermanager to do anything. If you have set up a usermanager
(EJBUserManager or DataSourceUserManager or your own implementation), you
just deploy, and Orion takes care of the rest.

What we use to manage users and their roles is the roleManager. It's the
"facade" to the usermanager. It's a good thing to do your coding with this
"facade", because you can be darn sure that clients will want different
usermanager security from time to time. I have included some example code
below...notice that there is no usermanager code.

(Notes on this...DuplicateUserException is an exception which should be in
java.security, but it's not. Basically, you can't have two users with the
same username. The contact entity bean (and Contact data model) holds user
information useful for marketing types and the web-site...This way we don't
have to go to the usermanager to check our usernames for, say, sending any
spam or so....just kidding.)

  import java.rmi.RemoteException;
  import java.security.Principal;
  import java.util.Collection;
  import javax.ejb.FinderException;
  import javax.naming.Context;
  import javax.naming.InitialContext;
  import javax.naming.NamingException;
  import javax.rmi.PortableRemoteObject;
  import com.evermind.security.RoleManager;

  public void addUser(Contact contact, String username, String password)
      throws RemoteException, DuplicateUserException {

    Context context = null;
    ContactHome chome = null;
    Collection r = null;
    System.out.println("we are adding username = " + username);
    try {
      context = new InitialContext();
      Object obj = context.lookup("java:comp/env/ejb/contact");
      chome = (ContactHome) PortableRemoteObject.narrow(obj, ContactHome.class);
      r = chome.findByUsername(username);
      System.out.println("we got past the findByUsername");
    } catch (NamingException e) {
      throw new RemoteException("Could not obtain an InitialContext. " + e.getMessage());
    } catch (FinderException e) {
      // no problem, that's the whole point of this...
      System.out.println("the finder exception " + e.getMessage());
    }

    System.out.println("does r exist?");
    if (r != null && r.size() > 0) {
      System.out.println("r exists");
      throw new DuplicateUserException("User already exists");
    }

    // create the user
    Principal principal = null;
    RoleManager roleManager = null;
    try {
      // key bit here: the RoleManager is looked up, not a usermanager
      roleManager = (RoleManager) context.lookup("java:comp/RoleManager");
      principal = roleManager.createPrincipal(username, password);
      roleManager.store();
      contact.setUsername(username);
      ContactRemote cr = chome.findByPrimaryKey(new Long(contact.getId()));
      cr.setContact(contact);
    } catch (NamingException e) {
      throw new RemoteException("Could not obtain an InitialContext. " + e.getMessage());
    } catch (Exception e) {
      // user exists...shouldn't happen, but you never know;
      // report the failure to the caller instead of dropping it silently
      throw new RemoteException("Could not create user " + username, e);
    }
  }

Back on the web front, we can create and log in our user:

    try {
      // argument order matches addUser(Contact, String, String) above
      MySLSBUtil.addUser(contact, username, password);
      Context context = new InitialContext();
      RoleManager roleManager = (RoleManager) context.lookup("java:comp/RoleManager");

      // get a principal and add a role, if necessary here...
      // or you could manage your role adding in the slsb..it's up to you.
      roleManager.login(username, password);
      System.out.println("we should be logged in now");

      getServletContext().getRequestDispatcher("/private/mypage.jsp").forward(request, response);
    } catch (RemoteException re) {
      // do something
    } catch (NamingException e) {
      // do something
    } catch (DuplicateUserException due) {
      // do something else
    }



regards,

the elephantwalker




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Qualence Inc
Sent: Thursday, July 26, 2001 6:29 PM
To: Orion-Interest
Subject: Question on ACLS


Hi
  Can anyone please help me in setting up application level security in
Orion? I have read the tutorial on Security using UserManager from
orionsupport.com web-pages.
  In that I cannot find out a way to add my users dynamically to the
respective groups that they belong to. I get the group information from the
users database table which holds the username/password.
  I have done whatever was told in that tutorial, like allocating certain
access rights to certain groups of users.
  Also, can we set up security on the Servlets? Is there any security
related tag in the web.xml which will help me prevent users from a
particular group from accessing certain servlets?
  I would appreciate your co-operation and help.

Regards
Sachin
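
Added example, not from either poster or from the Orion project: the chain the reply describes, a role in web.xml mapped in orion-application.xml to a group declared in principals.xml, applied to the /private/ path that the reply's code forwards to. The role name "member" and the group name "members" are constructed, and the three fragments belong in three separate files.

```xml
<!-- 1. WEB-INF/web.xml: only callers in role "member" reach /private/*.
     Elements are from the Servlet 2.3 deployment descriptor. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>private pages</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password base64-encoded, so require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- 2. orion-application.xml: the Group-Role mapping. Role "member"
     (declared above) is granted to users in group "members". -->
<security-role-mapping name="member">
  <group name="members" />
</security-role-mapping>
<principals path="principals.xml" />

<!-- 3. principals.xml: declares the group so the application-wide
     usermanager knows it exists. -->
<principals>
  <groups>
    <group name="members">
      <description>registered site users (constructed example)</description>
    </group>
  </groups>
  <users />
</principals>
```

With the mapping in place, a user who authenticates but belongs to no group mapped to "member" is refused /private/* by the container, without any check in the servlet code.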

