Thanks for pointing out that the latest WebLogic can finally leverage multiple domains. About time!

Regarding your question, I haven’t tried it but my guess is that the user would not be able to access App B without logging in again. The reason is that App B’s realm can’t be sure it’s the same user.

Mike

I believe your two last statements before the conclusion are inaccurate, though:

A stanza in web.xml such as

BASIC
MyFancyWebAppSpecificRealm

can select any of the configured realms. This means that App A can use different authenticators, users, and groups than App B, no?

Would be interesting to consider if WL maintains on the session which Realm a user has been authenticated against, in case user name and roles (but not password) match between realms. Can one log in to App A, then successfully use App B?

Thanks for following up.

LOL. I’m guessing they didn’t even look at the method signatures of RoleListerMBean. Nothing there about the roles a user has…

Mike

Funny, but I ended taking the same path you suggested — base the decision on group membership vs role. This will work well for us since we are not yet using any of the fancy dynamic role-determination stuff (i.e. “Is time of day between x and y and creepy parameter check stuff passes muster”). We use the MBean to check the group membership but I’ll also check out the Security class idea you have suggested above.

I appreciate your explanation of the issue; BEA support was not as concise or informative.

Regarding the console, no I do not know of a screen to show me the roles a user has. Here is what the BEA Support told me:

“The MBeans generally support anything you can do through the console. However, the difficult and hidden parts are the J2EE specific things like isUserInRole(), isCallerInRole(), etc.
The RoleListerMBean may help here.”

Thanks.

Roles are going to be very hard to get. Would group membership be satisfactory? If that’s the case, the proprietary weblogic.security.Security class can help. It has a getCurrentSubject() method where the returned Subject has the groups to which the user belongs. You can get the same information by querying the MBeans but the Security class way is so much easier.

Getting back to roles… The problem is that they are dynamic based upon the resource the user requested and sometimes other factors such as time of day. There is no static mapping of a user to a role. Instead, role mapping providers implement the RoleMapper interface. It has the following method:

Map getRoles(Subject subject, Resource resource, ContextHandler handler)

Given a Subject (user) and what the user accessed, the role mapper can tell which roles apply. From what I can tell, there is no way to access the getRoles() method from the role mapper MBean. Besides, utility classes would have no way of re-constructing the resource.

You mention trickery in Console… I don’t know of any place in Console that shows roles that a user has. Is there such a place?

Mike

Question: In WLS 9.1, do you know of a general way to determine if the “current user” is acting in a particular role? By general, I mean it does not require that the caller is a servlet or EJB.

I really want to create a Spring-managed SecurityService with a method like this: isUserInRole(String roleName).

This service class can be invoked in any java code — utility class, domain object, servlet, ejb, etc. And magically it can check the current user’s roles against the rolename provided in the parameter.

BEA’s stellar support staff has not found anything for me including MBeans (which I was certain would provide what I need). The veiled comment was that BEA’s oen WLS console app uses secret techniques to access the role info.

Thanks!