7 Replies. Latest reply: Feb 6, 2007 4:24 AM by 807574

Portlet using isUserInRole method to determine users LDAP roles

807574 Newbie
We are trying to create a portlet that displays dynamic content based on a user's roles. In order to do this we are trying to implement the isUserInRole method in the portlet request object, but we are failing.

In the doView code below all the isUserInRole method calls return false even if the user of portal actually has the LDAP role we have mapped to the logical role we are passing in.

Our code is as follows:

Portlet doView method:
if (request.isUserInRole("student"))
{
    // do some stuff
}
else if (request.isUserInRole("faculty"))
{
    // do some stuff
}
else if (request.isUserInRole("employee"))
{
    // do some stuff
}
else if (request.isUserInRole("staff"))
{
    // do some stuff
}
In the web.xml
<security-role>
 <role-name>student</role-name>
</security-role>
<security-role>
 <role-name>faculty</role-name>
</security-role>
<security-role>
 <role-name>employee</role-name>
</security-role>
<security-role>
 <role-name>staff</role-name>
</security-role>
In the portlet.xml:
<security-role-ref>
 <role-name>student</role-name>
</security-role-ref>
<security-role-ref>
  <role-name>faculty</role-name>
</security-role-ref>
<security-role-ref>
 <role-name>employee</role-name>
</security-role-ref>
<security-role-ref>
 <role-name>staff</role-name>
</security-role-ref>
In the roleMaps.properties file we have the following LDAP=logical role mapping:
cn-student,dc-ouru,dc-ca=student
cn-faculty,dc-ouru,dc-ca=faculty
cn-employee,dc-ouru,dc-ca=employee
cn-staff,dc-ouru,dc-ca=staff
The war file is then pdeployed with a -r reference to the properties file. Has anyone done this before, can you see anything obvious or anything I've missed? Or is there a better/different way to get roles?

Allan

P.S. One thing I was curious about was the semantics of the properties file, in LDAP the role is displayed as cn=student,dc=ouru,dc=ca but I converted the = to - because all the examples I found did. Is this correct?
  • 1. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
    This does in fact work. You are very close and it looks like you have done all of the right steps.

    One thing I noticed is that you need to escape the "=" character in the role name. Try this in your roles file:
    cn\=student,dc\=ouru,dc\=ca=student
    cn\=faculty,dc\=ouru,dc\=ca=faculty
    cn\=employee,dc\=ouru,dc\=ca=employee
    cn\=staff,dc\=ouru,dc\=ca=staff
    You also need the "role-link" element in the portlet.xml file. Modify your portlet.xml to be like this:
    <security-role-ref>
     <role-name>student</role-name>
     <role-link>student</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>faculty</role-name>
      <role-link>faculty</role-link>
    </security-role-ref>
    <security-role-ref>
     <role-name>employee</role-name>
     <role-link>employee</role-link>
    </security-role-ref>
    <security-role-ref>
     <role-name>staff</role-name>
     <role-link>staff</role-link>
    </security-role-ref>
    Also, are these filtered or static roles? Portal 6 has a bug that prevents this from working with filtered roles. The roles must be static. Note that filtered roles do work correctly in other areas of the portal, but they do cause a problem for JSR 168.

    One last step is to undeploy and then deploy the portlet for these changes to be effective.

    - Jim
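An added example, not code from this thread or from Sun's portal server: a small Python parser for the key/value syntax of java.util.Properties, used to show what a portal would actually read from each form of the roles file discussed above (the dashed DNs in the original post, the unescaped DNs, and the escaped form in the reply). The file contents and the sample user DNs are constructed for the example; the parser implements only the rules that matter here (the key ends at the first unescaped '=', ':' or whitespace, and a backslash escapes the next character) and ignores \uXXXX escapes and line continuation.

```python
# Added example (not from the original thread or product): a minimal
# java.util.Properties line parser, used to show why LDAP DNs containing
# '=' must be escaped in a roleMaps.properties file.  All file bodies
# and user DNs below are constructed sample data.

def parse_properties_line(line):
    """Split one java.util.Properties line into (key, value).

    Subset of java.util.Properties.load implemented here:
      * the key ends at the first unescaped '=', ':' or whitespace;
      * a backslash escapes the following character in key and value;
      * blank lines and lines starting with '#' or '!' carry no entry.
    Returns None for blank and comment lines.
    """
    text = line.strip("\r\n").lstrip()
    if not text or text[0] in "#!":
        return None
    n = len(text)
    i = 0
    key_chars = []
    # Key: stop at the first unescaped separator character.
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:
            key_chars.append(text[i + 1])
            i += 2
            continue
        if c in "=: \t":
            break
        key_chars.append(c)
        i += 1
    # Separator: optional whitespace, at most one '=' or ':', whitespace.
    while i < n and text[i] in " \t":
        i += 1
    if i < n and text[i] in "=:":
        i += 1
    while i < n and text[i] in " \t":
        i += 1
    # Value: the rest of the line, with backslash escapes resolved.
    val_chars = []
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:
            val_chars.append(text[i + 1])
            i += 2
            continue
        val_chars.append(c)
        i += 1
    return "".join(key_chars), "".join(val_chars)


def load_role_map(body):
    """Parse a roles file body into {ldap_dn: logical_role}.
    Later lines overwrite earlier ones with the same key, as Properties does."""
    mapping = {}
    for line in body.splitlines():
        entry = parse_properties_line(line)
        if entry is not None:
            key, value = entry
            mapping[key] = value
    return mapping


def logical_roles_for(user_dns, role_map):
    """Map the LDAP role DNs a user holds to logical role names.
    DNs with no mapping are dropped, so an unmapped user gets an empty set
    (fail closed: every isUserInRole check on that user would be false)."""
    return {role_map[dn] for dn in user_dns if dn in role_map}


# Constructed: the '=' replaced by '-' as in the original post.  This parses
# fine but the keys never equal a real DN, so no user ever matches.
DASHED = "cn-student,dc-ouru,dc-ca=student\n"

# Constructed: DNs written verbatim.  The first '=' ends the key, so every
# line has the key "cn" and the last line wins.
UNESCAPED = """\
cn=student,dc=ouru,dc=ca=student
cn=faculty,dc=ouru,dc=ca=faculty
"""

# Constructed: the escaped form from the reply.  Each key is the full DN.
ESCAPED = """\
cn\\=student,dc\\=ouru,dc\\=ca=student
cn\\=faculty,dc\\=ouru,dc\\=ca=faculty
cn\\=employee,dc\\=ouru,dc\\=ca=employee
cn\\=staff,dc\\=ouru,dc\\=ca=staff
"""

if __name__ == "__main__":
    user = {"cn=student,dc=ouru,dc=ca"}  # constructed sample user
    for label, body in (("dashed", DASHED), ("unescaped", UNESCAPED),
                        ("escaped", ESCAPED)):
        role_map = load_role_map(body)
        print(label, role_map, "->", logical_roles_for(user, role_map))
```

Running the block prints the parsed mapping for each file form followed by the logical roles the sample user would receive; only the escaped file yields a non-empty set for a user whose DN is cn=student,dc=ouru,dc=ca.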
  • 2. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
    Thanks for your guidance, this does in fact work when I make the changes you suggest. I would really like to know how you learned to do this since I can't find this correctly documented anywhere. It seems such an obvious thing that developers would want to do so I am not sure why SUN has no documentation that I could find (except a vague reference in their pdeploy instructions with incorrect/incomplete directions). So if I have missed some "How to get roles" document somewhere I would really like to know about it (perhaps this posting is it).

    In any case I was hoping that you (or anyone else) might then tell me how to access filtered roles, since as you say, this method doesn't work for filtered roles in portal server 6. I notice ProviderContext has a getRoles() method but it is not exposed in the tag lib? Is there a way to get at the ProviderContext object in a provider and use this method. Does it return filtered roles?

    Thanks again for all your help. You have saved me days of trial and error.

    Allan
  • 3. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
You can access filtered roles by including the Access Manager SDK in your portlet. Making direct calls to the AM SDK resolves the issue; however, your portlet is no longer portable. It will be a specific implementation for the Sun Access Manager. Unfortunately this is the only workaround for accessing filtered roles within a portlet.

    Read this thread for a little more information:
    http://swforums.sun.com/jive/thread.jspa?threadID=59403

    - Jim
  • 4. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
    Thanks again!

    I have found many references to this methodology in this forum but there seems to be some confusion about implementation. For instance:

    Do I have access to the SSOToken from the doView method of the portlet, or do I need a servlet?

    Since I will reference a jsp from my portlet doView method anyway will that do as a servlet? Can I access the SSOToken from there?

Can I reference this from a jsp provider? Since I am using SUN specific technology anyway, I might as well just use jsp provider I think.

    Do I need any special jars when I deploy? One that holds the AM SDK?

    I think I would at least need these to develop a JSR-168 portlet in Enterprise 8. Any idea where I can download them? (From my AM server ;-))
  • 5. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
    For filtered role, can you try giving role name in lower case? I think, this should work.
  • 6. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
    You are correct. Using lower case role names in the rolesfile.txt is also a work around. I just found this myself about 2 weeks ago. I have filed a bug: CR 6415998. This is scheduled to be fixed in JES5.

    - Jim
  • 7. Re: Portlet using isUserInRole method to determine users LDAP roles
    807574 Newbie
Can you show me the contents of your web.xml and portlet.xml? I think I have done something wrong, because I see the "Content not available" error after deploying my portlet with security roles mapping.

    Details: http://forum.java.sun.com/thread.jspa?threadID=5132942