
How Does The Security Role Mapping Work?

 
JiaPei Jen
Ranch Hand
Posts: 1309
I am studying the security part of the deployment descriptor. I am confused about how the mapping works.
Suppose we have
<security-role>
    <role-name>manager</role-name>
</security-role>
and
<security-role-ref>
    <role-name>FOO</role-name>
    <role-link>manager</role-link>
</security-role-ref>
My first question is: when a client of the servlet supplies a name for authentication, should the name supplied be FOO, or can it be, say, John Smith?
Then, according to the Servlet Specification, a security role is a logical grouping of users defined by the Application Developer or Assembler. When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment.
My second question is: how does the deployer map the role, say, manager, to principals or groups in the runtime environment?
Thanks in advance.
 
Joe Gilvary
Ranch Hand
Posts: 152
I think these are both the same question. The user would not
authenticate with the role-name, but with a user name like
JohnSmith or whatever. If I change "John Smith" in your
question to "Joe", this example might help.
In a demo of the Tomcat 4 server I used this in a particular
web application's web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- NOTE: This role is not present in the default users file -->
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

Then, in the tomcat-users.xml, I defined the usernames for
the security roles:
<tomcat-users>
    <user name="tomcat" password="tomcat" roles="tomcat" />
    <user name="role1" password="tomcat" roles="role1" />
    <user name="both" password="tomcat" roles="tomcat,role1" />
    <user name="joe" password="secret" roles="tomcat,role1,manager" />
</tomcat-users>

I used Emacs but other app servers may have other tools for
doing this. The user information can come from a database, from
a directory service, etc.
Thanks,
Joe
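
As an added example (not part of the original posts, and not Tomcat's own code), this simplified Python model walks the fragments quoted above through the three steps discussed: authenticating by user name, checking the auth-constraint, and resolving the FOO role reference through its role-link. The servlet name `demo` and the function names are assumptions; the XML is constructed from the thread's snippets.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed from the snippets in the thread. In a real web.xml the
# security-role-ref sits inside a <servlet>; the name "demo" is an assumption.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>demo</servlet-name>
    <security-role-ref>
      <role-name>FOO</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

USERS_XML = """<tomcat-users>
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="joe" password="secret" roles="tomcat,role1,manager" />
</tomcat-users>"""

web = ET.fromstring(WEB_XML)
users = {u.get("name"): u for u in ET.fromstring(USERS_XML).iter("user")}
declared = {r.findtext("role-name") for r in web.findall("security-role")}
links = {r.findtext("role-name"): r.findtext("role-link")
         for r in web.iter("security-role-ref")}
required = {r.text for r in
            web.findall("security-constraint/auth-constraint/role-name")}

def authenticate(name, password):
    """Look up a user name (never a role name); return its roles or None."""
    user = users.get(name)
    if user is None or not hmac.compare_digest(user.get("password"), password):
        return None
    return {r.strip() for r in user.get("roles").split(",")}

def is_user_in_role(roles, name_in_code):
    """Model of isUserInRole(): follow role-link, then test membership."""
    role = links.get(name_in_code, name_in_code)
    return roles is not None and role in declared and role in roles

def may_access(roles):
    """Model of the auth-constraint: holding any one listed role suffices."""
    return roles is not None and bool(required & roles)
```
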
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Yes, the previous poster is right. Each application server will have a different way of mapping roles to users or groups (say in an LDAP directory, which is the way WebSphere works). Check your application server documentation.
------------------
Kyle Brown,
Author of Enterprise Java (tm) Programming with IBM Websphere
 