How Does The Security Role Mapping Work?
JiaPei Jen
Ranch Hand
Posts: 1309
posted 15 years ago
I am studying the security part of the deployment descriptor. I am confused about how the mapping works.
Suppose we have
<security-role>
<role-name>manager</role-name>
</security-role>
and
<security-role-ref>
<role-name>FOO</role-name>
<role-link>manager</role-link>
</security-role-ref>
My first question is when a client of the servlet supplies a name for authentication, the name supplied should be FOO or can be, say, John Smith?
Then, according to the Servlet Specification, a security role is a logical grouping of users defined by the Application Developer
or Assembler. When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment.
My second question is how deployer maps the role, say, manager, to principals or groups in the runtime environment?
Thanks in advance.
Suppose we have
<security-role>
<role-name>manager</role-name>
</security-role>
and
<security-role-ref>
<role-name>FOO</role-name>
<role-link>manager</role-link>
</security-role-ref>
My first question is when a client of the servlet supplies a name for authentication, the name supplied should be FOO or can be, say, John Smith?
Then, according to the Servlet Specification, a security role is a logical grouping of users defined by the Application Developer
or Assembler. When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment.
My second question is how deployer maps the role, say, manager, to principals or groups in the runtime environment?
Thanks in advance.
Joe Gilvary
Ranch Hand
Posts: 152
posted 15 years ago
I think these are both the same question. The user would not
authenticate with the role-name, but with a user name like
JohnSmith or whatever. If I change "John Smith" in your
question to "Joe", this example might help.
In a demo of the Tomcat 4 server I used this in a particular
web application's web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
Then, in the tomcat-users.xml, I defined the usernames for
the security roles:
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="joe" password="secret" roles="tomcat,role1,manager" />
</tomcat-users>
I used Emacs
but other app servers may have other tools for
doing this. The user information can come from a database, from
a directory service, etc.
Thanks,
Joe
authenticate with the role-name, but with a user name like
JohnSmith or whatever. If I change "John Smith" in your
question to "Joe", this example might help.
In a demo of the Tomcat 4 server I used this in a particular
web application's web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
Then, in the tomcat-users.xml, I defined the usernames for
the security roles:
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="joe" password="secret" roles="tomcat,role1,manager" />
</tomcat-users>
I used Emacs
but other app servers may have other tools for doing this. The user information can come from a database, from
a directory service, etc.
Thanks,
Joe
Kyle Brown
author
Ranch Hand
Ranch Hand
Posts: 3892
5
posted 15 years ago
Yes, the previous poster is right. Each application server will have a different way of mapping roles to users or groups (say in an LDAP directory, which is the way WebSphere works). Check your application server documentation.
------------------
Kyle Brown,
Author of Enterprise Java (tm) Programming with IBM Websphere
------------------
Kyle Brown,
Author of Enterprise Java (tm) Programming with IBM Websphere
Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
