Propagating Security Identity
Propagating Security Identity
The role name can be mapped to either a specific principal (user), a group, or both. The
principal or group names referenced must be valid principals or groups in the current default
realm of the Application Server. The role-name in this example must exactly match the
role-name
in the security-role element of the corresponding web.xml file or the role name
defined in the @DeclareRoles or @RolesAllowed annotations.
Sometimes the role names used in the application are the same as the group names defined on
the Application Server. Under these circumstances, you can enable a default principal-to-role
mapping on the Application Server using the Admin Console. To enable the default
principal-to-role-mapping, follow these steps:
1. Start the Application Server, then the Admin Console.
2. Expand the Configuration node.
3. Select the Security node.
4. On the Security page, check the Enabled box beside Default Principal to Role Mapping.
For an enterprise application, you can specify the security role mapping at the application layer,
in sun-application.xml, or at the module layer, in sun-ejb-jar.xml. When specified at the
application layer, the role mapping applies to all contained modules and overrides same-named
role mappings at the module layer. The assembler is responsible for reconciling the
module-specific role mappings to yield one effective mapping for the application.
Both example applications demonstrate security role mapping. For more information, see
and
Propagating Security Identity
You can specify whether a caller's security identity should be used for the execution of specified
methods of an enterprise bean, or whether a specific run-as identity should be used.
illustrates this concept.
Initiating
Client
Intermediate
Target
Application Client
or Web Client
EJB
or Web Container
EJB Container
Java EE Security
Identity
Propagated
Security Identity
(Java EE)
FIGURE 292
Security Identity Propagation
Securing Enterprise Beans
The Java EE 5 Tutorial · September 2007
812
