How Does The Security Role Mapping Work?

 
Ranch Hand
Posts: 1309
I am studying the security part of the deployment descriptor. I am confused about how the mapping works.
Suppose we have
    <!-- the role the assembler declares for the whole web application -->
    <security-role>
        <role-name>manager</role-name>
    </security-role>
and
    <!-- placed inside a <servlet> element; links the name that servlet's code
         passes to isUserInRole() (FOO) to the declared role (manager) -->
    <security-role-ref>
        <role-name>FOO</role-name>
        <role-link>manager</role-link>
    </security-role-ref>
My first question is: when a client of the servlet supplies a name for authentication, should the name supplied be FOO, or can it be, say, John Smith?
Then, according to the Servlet Specification, a security role is a logical grouping of users defined by the Application Developer or Assembler. When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment.
My second question is: how does the deployer map the role, say, manager, to principals or groups in the runtime environment?
Thanks in advance.
 
Ranch Hand
Posts: 152
I think these are both the same question. The user would not authenticate with the role-name, but with a user name like JohnSmith or whatever. If I change "John Smith" in your question to "Joe", this example might help.
In a demo of the Tomcat 4 server I used this in a particular web application's web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <!-- every URL in this web application is protected -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- NOTE: This role is not present in the default users file -->
            <!-- only authenticated users holding the manager role may reach the URLs above -->
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>

Then, in the tomcat-users.xml, I defined the usernames for the security roles:
    <!-- Tomcat 4 MemoryRealm user file; the first three entries are the demo
         accounts shipped with Tomcat and use demo passwords, not production ones -->
    <tomcat-users>
        <user name="tomcat" password="tomcat" roles="tomcat" />
        <user name="role1" password="tomcat" roles="role1" />
        <user name="both" password="tomcat" roles="tomcat,role1" />
        <!-- joe holds the manager role, so he satisfies the auth-constraint above -->
        <user name="joe" password="secret" roles="tomcat,role1,manager" />
    </tomcat-users>

I used Emacs but other app servers may have other tools for doing this. The user information can come from a database, from a directory service, etc.
Thanks,
Joe
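To tie the two posts together, here is an added example (not code from either poster or from Tomcat) of the servlet side of this mapping: the code asks for the role it knows as "FOO", web.xml links FOO to "manager", and the container's realm decides which real users hold "manager". The servlet class name RoleDemoServlet, the URL /demo, the BASIC login-config and the user joe are assumptions chosen to match the thread; the web.xml excerpt in the header comment is the assumed descriptor that wires it up.

```java
// Added example (not from the original thread). A Servlet 2.3-era servlet that
// shows the role mappings at work. Assumed names: the servlet class
// RoleDemoServlet, the coded role "FOO", the application role "manager",
// the user "joe" from the tomcat-users.xml posted above.
//
// Assumed web.xml excerpt that wires it together:
//
//   <servlet>
//     <servlet-name>RoleDemo</servlet-name>
//     <servlet-class>RoleDemoServlet</servlet-class>
//     <!-- name the CODE uses (FOO) -> role the DESCRIPTOR declares (manager) -->
//     <security-role-ref>
//       <role-name>FOO</role-name>
//       <role-link>manager</role-link>
//     </security-role-ref>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>RoleDemo</servlet-name>
//     <url-pattern>/demo</url-pattern>
//   </servlet-mapping>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Demo</web-resource-name>
//       <url-pattern>/demo</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>manager</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Role Demo</realm-name>
//   </login-config>
//   <security-role><role-name>manager</role-name></security-role>
//
// The last mapping, "manager" -> real users, lives outside web.xml in the
// container's realm: for Tomcat 4 with the MemoryRealm that is
// tomcat-users.xml, where joe has roles="tomcat,role1,manager".

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleDemoServlet extends HttpServlet {

    /** The role name as the code knows it; web.xml links it to "manager". */
    static final String CODED_ROLE = "FOO";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The client never "logs in as FOO". It authenticates with a user name
        // and password (joe / secret in the posted file); the container turns
        // that into a Principal before this method runs.
        Principal user = req.getUserPrincipal();
        String name = (user == null) ? "(unauthenticated)" : user.getName();

        // isUserInRole consults the servlet's security-role-ref first
        // (FOO -> manager), then asks the realm whether the principal holds
        // "manager". The servlet never sees the realm's users or groups.
        boolean allowed = req.isUserInRole(CODED_ROLE);

        // Defence in depth: the <security-constraint> on /demo is the first
        // gate; this check is the second, so the servlet fails closed if the
        // constraint is loosened or the servlet is later mapped to another URL.
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "user " + name + " is not in role " + CODED_ROLE);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("authenticated principal : " + name);
        out.println("isUserInRole(\"FOO\")    : " + allowed);
        // With no security-role-ref named "manager", the container matches the
        // <security-role> of that name directly (Servlet 2.3 default rule).
        out.println("isUserInRole(\"manager\"): " + req.isUserInRole("manager"));
        // A name that is neither linked nor declared yields false, not an error.
        out.println("isUserInRole(\"admin\")  : " + req.isUserInRole("admin"));
    }
}
```

Compile against the servlet API jar, drop the class and the assumed web.xml into a web application, and request /demo as joe. The realm is the deployer's half of the picture and is configured in Tomcat's server.xml, not in web.xml: MemoryRealm reads tomcat-users.xml as in the post above, while JDBCRealm and JNDIRealm look the role up in a database or an LDAP directory, which is the "database or directory service" the previous poster mentions. One caveat when reusing the literal name "manager" on Tomcat 4: the bundled Manager web application also keys on a realm role of that name, so granting joe "manager" for this application grants him Tomcat's management console too. Pick application-specific role names in the realm and link to them with role-link, as this thread does with FOO.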
 
author
Posts: 3892
Yes, the previous poster is right. Each application server will have a different way of mapping roles to users or groups (say in an LDAP directory, which is the way WebSphere works). Check your application server documentation.
------------------
Kyle Brown,
Author of Enterprise Java (tm) Programming with IBM Websphere
 