Provide a getAllUserRoles method #62
Comments
@glassfishrobot Commented

I am not sure whether it is necessary to add those API in Servlet as we already have a mechanism to do that in JACC. Adding it to the bucket of FUTURE_RELEASE.
@glassfishrobot Commented

I indeed mentioned JACC as a potential way, but it's not exactly trivial. See this post (it's one of the few sources on this topic): https://blogs.oracle.com/monzillo/entry/using_jacc_to_determine_a and an associated forum thread: http://glassfish.10926.n7.nabble.com/Fetch-all-roles-assigned-to-an-user-td30843.html

If you look at the code and some of the assumptions, then it can be seen that it's really not trivial. In practice I rarely see people using such code, and I'm not 100% convinced it really works everywhere.

Whether it should be in Servlet is perhaps another question. Maybe there should be an overarching modern and easy-to-use security system in Java EE so a similar method would not have to be duplicated for e.g. EJB. However, since such an overarching security system is not there now and HttpServletRequest already has methods that come close, it seems like a natural addition.
@glassfishrobot Commented

But JACC tells us only how to interface with a custom authorization system. If we don't want that (majority of the cases) but just want to use the default authorization system, it's still reasonable to want to know the roles of the current user. If JACC only required that each server had a default JACC implementation corresponding to the standard Servlet and EJB authorization rules, then yeah, JACC would work. But as it stands it doesn't.
The Servlet API offers a method to retrieve the current user's principal (HttpServletRequest#getUserPrincipal) and a method that can be used to determine if the current user has a specific role (HttpServletRequest#isUserInRole).
There is however no corresponding method or way to retrieve a list with all roles that the current user has in a portable way. There is potentially a way to do this via JACC, but that's not exactly a straightforward way, plus JACC is not universally available in Servlet containers. A use case for this is e.g. displaying to the user a list of all roles he or she has, or the ability to input such a list of roles into a custom authorization system.
It would be great if such a method could be added.
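To show concretely what the JACC route mentioned in the comments involves, here is an added illustration (not code from this issue or from the Servlet project) of enumerating the caller's roles through the container's JACC `Policy`. It assumes the container publishes the caller's `Subject` under the standard `javax.security.auth.Subject.container` policy-context key and has set the policy context identifier for the current request; the class and method names are my own.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebRoleRefPermission;

/**
 * Hypothetical helper: asks the JACC Policy which WebRoleRefPermissions it grants
 * to the caller's principals and reports the role names. Only meaningful on a
 * container whose Policy is JACC-aware; elsewhere it returns an empty set.
 */
public final class JaccRoles {

    private JaccRoles() {}

    public static Set<String> getAllUserRoles() throws PolicyContextException {
        // Standard JACC handler key for the caller's Subject (assumption: the container registers it).
        Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        if (subject == null) {
            return Collections.emptySet(); // unauthenticated caller: no roles
        }
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);

        // A ProtectionDomain carrying only the caller's principals; the code source is irrelevant here.
        CodeSource codeSource = new CodeSource(null, (java.security.cert.Certificate[]) null);
        ProtectionDomain domain = new ProtectionDomain(codeSource, null, null, principals);

        PermissionCollection granted = Policy.getPolicy().getPermissions(domain);
        // Some Policy implementations fill the collection lazily; probing with a throwaway
        // permission forces the role-ref permissions to be resolved before we iterate.
        granted.implies(new WebRoleRefPermission("", "dummy-role"));

        Set<String> roles = new TreeSet<>();
        for (Permission p : Collections.list(granted.elements())) {
            if (p instanceof WebRoleRefPermission) {
                // WebRoleRefPermission: name = servlet name (possibly ""), actions = role name.
                roles.add(p.getActions());
            }
        }
        return roles;
    }
}
```

Because role refs are declared per servlet, the same role can appear several times and is collapsed by the set; the dependence on container-specific handler registration and lazy `Policy` behaviour is exactly the non-trivial part the comments describe.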