Hi Donald,

I guess you'll have to deal with implementation specifics
here. From the Servlet 2.3 specs (Chapter 12):

"A security role is a logical grouping of users defined
by the Application Developer or Assembler. When the
application is deployed, roles are mapped by a
Deployer to principals or groups in the runtime
environment. A servlet container enforces declarative
or programmatic security for the principal associated
with an incoming request based on the security
attributes of the principal."

From what I read, the specs cover the generics
of the role concept, but leave the implementation
details to the server manufacturer. Users exist and
can be assigned 'roles' which may be queried for
programmatic security. There is an HttpServletRequest
(note: not specified in the more generic ServletRequest
interface -- why not there, btw?) method named
isUserInRole() and also the getRemoteUser() and
getUserPrincipal() methods for providing 'programmatic'
security. On the other hand, there is nothing
like a 'getUsersInRole()' method specified which might
return a List or some other Collection type. Notably,
in Tomcat, user declarations and role assignments
are made in a file named 'tomcat-users', to be
put inside an XML element of the same name
('tomcat-users'). So I guess that there just is no
specified way of querying the list of users in
a special role on top of 'isUserInRole()'. Consulting
Bergsten's (JSP) book on this topic, it notably
states the following:

"A role is an abstract grouping of users that needs
to be mapped to real user and group names for a
particular server. How the mapping is done also
depends on the server, so you need to consult
your web server and servlet container documentation
if you use a different server than Tomcat."

So, I guess, there is at least no specified (read:
guaranteed) way of getting a list of users put
in a special role, and my general impression is
that in recent versions of the Servlet API, getting
'meta' information about an app's internals
is more or less on a way back (check the docs
for getServlets(), for example; the deprecation
list is rather long).

HTH a bit,

-- Chris (SCPJ2)

----- Original Message -----
From: "Donald Ball" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 09, 2002 8:49 PM
Subject: getting list of usernames


> we're writing a webapp which requires access control for various
> operations. we wish to rely on the servlet container to handle
> authenticating users, but we need to internally associate usernames with
> sets of permissions. to make things easy on the superuser, we would like
> to acquire a list of usernames in a given role instead of requiring her
> to enter each username manually. i can find no way in the servlet spec
> to do this. does anyone have any suggestions?
>
> - donald
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
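An added example, not part of the original thread: since the API offers isUserInRole() and getRemoteUser() but nothing that enumerates a role's members, a portable webapp can only record role membership for users as they authenticate. The class name ObservedRoleDirectory and its methods are hypothetical, the code uses current Java collections rather than those available in 2002, and the role names passed in are assumed to match the roles declared for the application.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper: remembers which authenticated users the container reported in which role. */
public final class ObservedRoleDirectory {

    // Roles the application knows about (assumption: same names as in the deployment descriptor).
    private final List<String> knownRoles;
    private final ConcurrentMap<String, Set<String>> usersByRole = new ConcurrentHashMap<>();

    public ObservedRoleDirectory(Collection<String> knownRoles) {
        this.knownRoles = List.copyOf(knownRoles);
    }

    /** Call once per request, e.g. from a filter, after the container has authenticated the caller. */
    public void observe(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null) {
            return; // unauthenticated request: nothing to learn
        }
        for (String role : knownRoles) {
            Set<String> members =
                    usersByRole.computeIfAbsent(role, r -> ConcurrentHashMap.newKeySet());
            if (request.isUserInRole(role)) {
                members.add(user);
            } else {
                members.remove(user); // role was revoked since the last observation
            }
        }
    }

    /** Users seen so far in the role; never the container's full list. */
    public Set<String> usersSeenInRole(String role) {
        Set<String> members = usersByRole.get(role);
        return members == null ? Set.of() : Set.copyOf(new TreeSet<>(members));
    }
}
```

The result is a cache of what the container has answered, so a user who has never logged in is absent and a revoked role is noticed only on that user's next request; permission decisions should still call isUserInRole() on the live request.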
