Show or Hide Button or Link on Page Based on Active Directory Groups

The javax.servlet.http.HttpServletRequest API is an interface that defines the method named getRemoteUser, in addition the API defines the method named isUserInRole. The SPNEGO Library also implements both of those methods.

Summary:

A web application uses the getRemoteUser method to get an answer to the question 'who are you' and uses the isUserInRole method to get an answer to 'what are you allowed to do'.


<%@ page import="net.sourceforge.spnego.*" %>

<%
    String username = request.getRemoteUser();

    boolean hasADGroup = request.isUserInRole("Some Active Directory Group");

    String msg;

    if (hasADGroup) {
        msg = "You have access!";
    } else {
        msg = "You do NOT have access to the edit button!";
    }
%>

<br />Hello <%= uesrname %>
<br /><%= msg %>

Before Getting Started

Be sure to complete the enable authZ with LDAP guide before proceeding with this example.

Completing that guide ensures that we are ready to perform user authorization/credential checks.

In the authZ for standalone apps example, we used the LdapQueryExample.java program to connect to the LDAP server and output the Active Directory Groups that are directly assigned to a user.

The memberOf attribute contains the LDAP CN, OU and DC.

We will pass the value in CN to the isUserInRole method.

...
    boolean hasADGroup = request.isUserInRole("Marketing");
...

Be sure to compile and run LdapQueryExample.java from the authZ for standalone apps example to determine Active Directory Groups for your environment.

Creating the hello_edit_button.jsp file

Download or create a hello_edit_button.jsp file and modify the contents with values specific to your environment

<%@ page import="net.sourceforge.spnego.*" %>

<%
    String username = request.getRemoteUser();

    boolean hasADGroup = request.isUserInRole("Marketing");

    String msg;

    if (hasADGroup) {
        msg = "You have access!";
    } else {
        msg = "You do NOT have access to the edit button!";
    }
%>

<br />Hello <%= uesrname %>
<br /><%= msg %>

Testing the hello_edit_button.jsp file

Place the hello_user_info.jsp file on your app server, open a web browser and go to the hello_edit_button.jsp page.

This guide used the LdapAccessControl class included with the SPNEGO Library. The LdapAccessControl class is a reference implementation of the UserAccessControl interface.

To see additional examples, take a look at the javadocs for the SpnegoAccessControl interface and the UserAccessControl interface.

If you would like to query your own RDBMS, xml file, REST Service, etc. to get user group/role information, instead of LDAP, and you would like the SPNEGO Library to use your own custom access control class, simply implement the methods defined in the UserAccessControl interface.

The source code for the LdapAccessControl class is good place to start to get an idea on how to implement the UserAccessControl interface.

Links:
pre-flight checklist
install guide - tomcat
install guide - jboss
install guide - glassfish
enable authZ with LDAP
get user group info from LDAP
reference docs
api docs
download

Troubleshooting:
HelloKDC.java
hello_spnego.jsp
HelloKeytab.java
hello_delegate.jsp
SpnegoHelloClient.java
ExampleSpnegoAuthenticatorValve.java

Examples:
create keytab for client
create keytab for app server
credential delegation
protected SOAP Web Service
tomcat authenticator valve
jboss authenticator valve
authZ for standalone apps
protecting edit button on page

Licensing:
GNU LGPL


© 2009 Darwin V. Felix. All rights reserved.