Show or Hide Button or Link on Page Based on Active Directory Groups

The javax.servlet.http.HttpServletRequest interface defines a method named getRemoteUser and a method named isUserInRole. The SPNEGO Library also implements both of those methods.

Summary: A web application uses the getRemoteUser method to get an answer to the question 'who are you' and uses the isUserInRole method to get an answer to 'what are you allowed to do'.

    <%@ page import="net.sourceforge.spnego.*" %>
    <%
        // 'who are you': the authenticated user name
        String username = request.getRemoteUser();
        // 'what are you allowed to do': pass the CN of the Active Directory Group
        boolean hasADGroup = request.isUserInRole("Some Active Directory Group");
        String msg;
        if (hasADGroup) {
            msg = "You have access!";
        } else {
            msg = "You do NOT have access to the edit button!";
        }
    %>
    <br />Hello <%= username %>
    <br /><%= msg %>

Before Getting Started

Be sure to complete the enable authZ with LDAP guide before proceeding with this example. Completing that guide ensures that we are ready to perform user authorization/credential checks.

In the authZ for standalone apps example, we used the LdapQueryExample.java program to connect to the LDAP server and output the Active Directory Groups that are directly assigned to a user. The memberOf attribute contains the LDAP CN, OU and DC. We will pass the value in CN to the isUserInRole method.
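How the CN can be taken from a memberOf value before it is passed to isUserInRole, as an added example that is not part of the original guide or of the SPNEGO Library. The class name MemberOfRoleNames, the helper groupCn and the sample distinguished names are constructed for illustration; parsing uses the JDK's javax.naming.ldap classes so that escaped commas and a CN container such as CN=Users are handled correctly.

```java
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper class, not part of the SPNEGO Library.
public class MemberOfRoleNames {

    // Returns the group's own CN from one memberOf DN, or null if unusable.
    static String groupCn(String memberOfDn) {
        try {
            LdapName dn = new LdapName(memberOfDn);
            if (dn.isEmpty()) return null;
            // LdapName indexes RDNs right to left, so the leftmost RDN
            // (the one that names the group itself) is the last index.
            Rdn leaf = dn.getRdn(dn.size() - 1);
            if (!"CN".equalsIgnoreCase(leaf.getType())) return null;
            // getValue() is already unescaped: "Sales\, EMEA" -> "Sales, EMEA".
            Object value = leaf.getValue();
            return (value instanceof String) ? (String) value : null;
        } catch (InvalidNameException e) {
            return null; // malformed DN: do not derive a role name from it
        }
    }

    public static void main(String[] args) {
        // Constructed sample memberOf values, not taken from a real directory.
        List<String> memberOf = Arrays.asList(
            "CN=File Share Editors,OU=Groups,DC=example,DC=com",
            "CN=Domain Admins,CN=Users,DC=example,DC=com",   // container is also a CN
            "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",  // escaped comma in the CN
            "not a distinguished name");                      // skipped
        for (String dn : memberOf) {
            String cn = groupCn(dn);
            if (cn != null) {
                System.out.println("role name for isUserInRole: " + cn);
            }
        }
    }
}
```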
Be sure to compile and run LdapQueryExample.java from the authZ for standalone apps example to determine Active Directory Groups for your environment.

Creating the hello_edit_button.jsp file

Download or create a hello_edit_button.jsp file and modify the contents with values specific to your environment.
Testing the hello_edit_button.jsp file

Place the hello_edit_button.jsp file on your app server, open a web browser and go to the hello_edit_button.jsp page.

This guide used the LdapAccessControl class included with the SPNEGO Library. The LdapAccessControl class is a reference implementation of the UserAccessControl interface. To see additional examples, take a look at the javadocs for the SpnegoAccessControl interface and the UserAccessControl interface.

If you would like to query your own RDBMS, XML file, REST Service, etc. to get user group/role information, instead of LDAP, and you would like the SPNEGO Library to use your own custom access control class, simply implement the methods defined in the UserAccessControl interface. The source code for the LdapAccessControl class is a good place to start to get an idea of how to implement the UserAccessControl interface.
© 2009 Darwin V. Felix. All rights reserved.