Mapping Security Roles

        <ejb-name>AardvarkPayroll</ejb-name>
        <method-name>getEmployeeInfo</method-name>
    </method>
    <method>
        <ejb-name>AardvarkPayroll</ejb-name>
        <method-name>updateEmployeeInfo</method-name>
    </method>
    <method>
        <ejb-name>AardvarkPayroll</ejb-name>
        <method-name>updateSalary</method-name>
    </method>
</method-permission>
<method-permission>
    <role-name>admin</role-name>
    <method>
        <ejb-name>EmployeeServiceAdmin</ejb-name>
        <method-name>*</method-name>
    </method>
</method-permission>
...
Mapping Security Roles to Application Server Groups
The Application Server assigns users to principals or groups, rather than to security roles. When
you are developing a Java EE application, you don't need to know what categories of users have
been defined for the realm in which the application will be run. In the Java EE platform, the
security architecture provides a mechanism for mapping the roles defined in the application to
the users or groups defined in the runtime realm.
To map a role name permitted by the application or module to principals (users) and groups
defined on the server, use the security-role-mapping element in the runtime deployment
descriptor file (sun-application.xml, sun-web.xml, or sun-ejb-jar.xml). The entry must
declare a mapping between a security role used in the application and one or more groups or
principals defined for the applicable realm of the Application Server. An example for the
sun-application.xml file is shown below:
<sun-application>
    <security-role-mapping>
        <role-name>CEO</role-name>
        <principal-name>jschwartz</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>directors</group-name>
    </security-role-mapping>
</sun-application>
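As an added example (not part of the original tutorial), the following Python check cross-references the role names used in method-permission elements with the security-role-mapping entries of a runtime descriptor, and reports roles that have no mapping, mappings that no method permission uses, and mappings that name no principal or group. The two descriptors are constructed samples built from the fragments on this page (the CEO permission is an assumption, namespaces and DOCTYPE are omitted), and role names are compared as case-sensitive strings, so admin and ADMIN count as different roles.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (assumption: no XML namespaces or DOCTYPE).
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <method-permission>
    <role-name>admin</role-name>
    <method><ejb-name>EmployeeServiceAdmin</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>CEO</role-name>
    <method><ejb-name>AardvarkPayroll</ejb-name><method-name>updateSalary</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

SUN_APPLICATION = """<sun-application>
  <security-role-mapping>
    <role-name>CEO</role-name>
    <principal-name>jschwartz</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>directors</group-name>
  </security-role-mapping>
</sun-application>"""


def audit_role_mappings(ejb_jar_xml, runtime_xml):
    """Return findings where application roles and runtime mappings disagree."""
    # Roles the application actually protects methods with.
    used = {(r.text or "").strip()
            for mp in ET.fromstring(ejb_jar_xml).iter("method-permission")
            for r in mp.findall("role-name")}
    # Role -> list of (element, name) targets from the runtime descriptor.
    mapped = {}
    for m in ET.fromstring(runtime_xml).iter("security-role-mapping"):
        role = (m.findtext("role-name") or "").strip()
        targets = [(e.tag, (e.text or "").strip()) for e in m
                   if e.tag in ("principal-name", "group-name")]
        mapped.setdefault(role, []).extend(targets)
    findings = []
    for role in sorted(used - set(mapped)):
        near = [m for m in mapped if m.lower() == role.lower()]
        hint = f" (case mismatch with mapped role {near[0]!r})" if near else ""
        findings.append(f"unmapped role {role!r}{hint}")
    for role in sorted(set(mapped) - used):
        findings.append(f"mapping for role {role!r} not used by any method-permission")
    for role, targets in sorted(mapped.items()):
        if not targets:
            findings.append(f"role {role!r} mapped to no principal or group")
    return findings
```

Real ejb-jar.xml files usually declare a default namespace, in which case the tag names passed to iter and findall need the namespace prefix.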
Securing Enterprise Beans
Chapter 29 · Securing Java EE Applications