Question

I have a Java EE application that uses JDBCRealm as the JAAS context for authentication on GlassFish 3.1. Below is the authentication code in a JSF 2.0 managed bean:

FacesContext context = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
try {
    // Drop any principal still attached to the session before authenticating again
    if (request.getUserPrincipal() != null) {
        request.logout();
    }
    if (request.getUserPrincipal() == null) {
        request.login(this.username, this.password);
    }
} catch (ServletException e) {
    // request.login() throws ServletException when the realm rejects the credentials
    context.addMessage(null, new FacesMessage("Login failed"));
}

I am trying to add some admin functionalities (like create/delete/update/disable user). I am almost done with all of them except for the "disable" one, which is confusing me on how to proceed.

The only way that I can think of right now is to add a field, something like "status", in the "users" table, which will have a value ("enabled" or "disabled"). And check that "status" before doing the authentication.

Is that how I should do it considering that I am using JAAS (JDBCRealm)? Or, is there some other (standard) way?

I am trying to see, if there is someone here who has some experience in this area and can point me towards the right direction.

Was it helpful?

The solution

I suppose you manage your users table through JDBC/JPA.

On Unix/Linux, passwd -l changes the hash to an invalid value. From man passwd:

 -l   This option is used to lock the specified account and it is
      available to root only. The locking is performed by rendering
      the encrypted password into an invalid string (by prefixing the
      encrypted string with an !).

In practice, an unlocked account in /etc/shadow:

test:$6$c7Lz2A2l$8AoSBy8C2U7uUns4aDRP2J/QRzUOYF...o69XPR/:15259:0:99999:7:::

And the same account after passwd -l test:

test:!$6$c7Lz2A2l$8AoSBy8C2U7uUns4aDRP2J/QRzUOYF...o69XPR/:15259:0:99999:7:::

The prefixed value is invalid because hash functions always return the same number of bits. If your stored value is longer than that length, it will never match. You can do the same with your hashed passwords: just prefix the stored password with a ! (or any other string) through JDBC/JPA.

Of course this does not work with plaintext passwords.

Another solution is removing the user's roles from the database. In this case the user could log in, but if you set up the security-constraints in web.xml properly, the user wouldn't be able to do anything (except log out).
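The lock-by-prefix scheme described in this answer, as an added example that is not part of the original post or of the asker's application: a Python script against an in-memory SQLite table standing in for the application's users table (in the real admin bean the same UPDATE statements would be issued through JDBC/JPA). The column names, the SHA-256/hex digest scheme, the users and their passwords are constructed assumptions for illustration; match them to the realm's configured digest-algorithm and encoding. It also carries through the caveat at the end of the answer by showing what the prefix does when the column holds plaintext.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data for this example. The "users" table mirrors the
# shape a JDBCRealm reads (a user column and a password column); the column
# names and the SHA-256/hex digest are assumptions, not the realm's actual
# configuration, so adjust them to the digest the realm is set up with.
LOCK_PREFIX = "!"


def digest(password: str) -> str:
    """Hex SHA-256 digest, standing in for the realm's configured digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    # alice: digested password, as a digest-configured realm would store it
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", digest("correct horse")))
    # bob: plaintext password, present only to show why the trick needs a digest
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", "hunter2"))
    conn.commit()
    return conn


def lock_user(conn: sqlite3.Connection, username: str) -> None:
    """Disable the account the way passwd -l does: prefix the stored value.
    Idempotent: locking twice does not add a second prefix."""
    conn.execute(
        "UPDATE users SET password = ? || password "
        "WHERE username = ? AND substr(password, 1, 1) <> ?",
        (LOCK_PREFIX, username, LOCK_PREFIX),
    )
    conn.commit()


def unlock_user(conn: sqlite3.Connection, username: str) -> None:
    """Re-enable the account: strip the prefix, restoring the original digest."""
    conn.execute(
        "UPDATE users SET password = substr(password, 2) "
        "WHERE username = ? AND substr(password, 1, 1) = ?",
        (username, LOCK_PREFIX),
    )
    conn.commit()


def stored_password(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def is_locked(conn: sqlite3.Connection, username: str) -> bool:
    stored = stored_password(conn, username)
    return stored is not None and stored.startswith(LOCK_PREFIX)


def authenticate_digest(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What a digest-configured realm does: digest the typed password and
    compare it with the column. A hex SHA-256 digest is always 64 characters
    and a locked value is 65, so no typed password can ever match."""
    stored = stored_password(conn, username)
    return stored is not None and hmac.compare_digest(stored, digest(password))


def authenticate_plaintext(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What a realm without a digest does. Here the prefix is no lock at all:
    the "locked" column is simply a different password that still works."""
    stored = stored_password(conn, username)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8"))


def demo() -> dict:
    conn = create_db()
    results = {}
    results["before_lock"] = authenticate_digest(conn, "alice", "correct horse")
    lock_user(conn, "alice")
    lock_user(conn, "alice")  # no-op: the prefix is already there
    results["locked_flag"] = is_locked(conn, "alice")
    results["while_locked"] = authenticate_digest(conn, "alice", "correct horse")
    # Knowing the prefix does not help: the realm digests whatever is typed
    results["prefix_not_guessable"] = authenticate_digest(conn, "alice", LOCK_PREFIX + "correct horse")
    unlock_user(conn, "alice")
    results["after_unlock"] = authenticate_digest(conn, "alice", "correct horse")

    # The caveat from the answer: with plaintext storage the lock is a new password
    lock_user(conn, "bob")
    results["plaintext_original_rejected"] = authenticate_plaintext(conn, "bob", "hunter2")
    results["plaintext_lock_bypassed"] = authenticate_plaintext(conn, "bob", "!hunter2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lock and unlock statements are the only part the admin bean needs; they are plain UPDATEs and carry over to a PreparedStatement or a JPQL update unchanged. The guard on the first character keeps "lock" idempotent so an accidental double-lock does not leave a value that "unlock" only half restores.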

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow