I'm using JBoss AS 5 and the DatabaseServerLoginModule for the authorization. I have my application policy defined as (for example only, not the actual code):

<application-policy name = "jbossmq">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/MyDatabaseDS</module-option>
       <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
       <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>

Once the user is successfully authorized, how can I retrieve the user roles from my servlet? In the above code snippet, the roles are selected from the database, but where are they being stored? In the session? If yes, under which session variables?

Also, is it possible to use LDAP authentication and database authorization in combination in JBoss?

A: 

I am aware of the method:

boolean HttpServletRequest.isUserInRole(String role)

I know that doesn't give you a list of all the roles, but would it serve your purpose?

Clinton
+1  A: 

Clinton is basically right, the

boolean HttpServletRequest.isUserInRole(String role)

method can be used to check if a user has a certain role assigned. However, this method is intended to check for the J2EE roles defined by the application (in the EAR's descriptor, the application.xml).

During deploy, or by packaging an AS-specific descriptor within your EAR file, you need to specify the mapping of the application server's user roles (these you set to principals in your login module) to the J2EE app. roles.

david a.
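
Added example, not part of the original thread and not JBoss's own code: a servlet that lists the caller's roles by reading the authenticated JAAS Subject through the JACC key "javax.security.auth.Subject.container" and walking the group named "Roles", which is the literal the rolesQuery above returns. The class name RoleListServlet is hypothetical, and the sketch assumes the web application is bound to the security domain defined by the application policy.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name (assumption, not from the thread).
public class RoleListServlet extends HttpServlet {
    // JACC handler key for the authenticated Subject of the current request.
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    // Collects the member names of the "Roles" group found in the Subject.
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        if (subject == null) {
            return roles; // no authenticated caller on this request
        }
        for (Group group : subject.getPrincipals(Group.class)) {
            if ("Roles".equals(group.getName())) {
                for (Principal member : Collections.list(group.members())) {
                    roles.add(member.getName());
                }
            }
        }
        return roles;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            throw new ServletException("Cannot read caller Subject", e);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getRemoteUser() + " roles=" + rolesOf(subject));
    }
}
```

The role names come from the Subject attached to the request, not from HTTP session attributes. A listing like this suits display or audit logging; access decisions belong in declarative security constraints or isUserInRole.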