background image

Defining Security Roles

<< Adding Users to the Certificate Realm | Mapping Roles to Users and Groups >>
<< Adding Users to the Certificate Realm | Mapping Roles to Users and Groups >>

Defining Security Roles

For applications, you define security roles in the Java EE deployment descriptor file
application.xml
, and the corresponding role mappings in the Application Server deployment
descriptor file sun-application.xml. For individually deployed web or EJB modules, you
define roles in the Java EE deployment descriptor files web.xml or ejb-jar.xml and the
corresponding role mappings in the Application Server deployment descriptor files
sun-web.xml
or sun-ejb-jar.xml.
The following is an example of a security constraint from a web.xml application deployment
descriptor file where the role of DEPT-ADMIN is authorized for methods that review employee
data and the role of DIRECTOR is authorized for methods that change employee data.
<security-constraint>
<web-resource-collection>
<web-resource-name>view dept data</web-resource-name>
<url-pattern>/hr/employee/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DEPT_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>change dept data</web-resource-name>
<url-pattern>/hr/employee/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DIRECTOR</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
The web.xml application deployment descriptor is described in more detail in
"Declaring
Security Requirements in a Deployment Descriptor" on page 851
.
After users have provided their login information, and the application has declared what roles
are authorized to access protected parts of an application, the next step is to map the security
role to the name of a user, or principal. This step is discussed in the following section.
Working with Realms, Users, Groups, and Roles
Chapter 28 · Introduction to Security in the Java EE Platform
783