
Working with Security Roles


If you read "Working with Realms, Users, Groups, and Roles" on page 777, you will remember the following definitions:

In applications, roles are defined using annotations or in application deployment descriptors such as web.xml, ejb-jar.xml, and application.xml.

A role is an abstract name for the permission to access a particular set of resources in an application. For more information, read "What Is a Role?" on page 780.

For more information on defining roles, see "Declaring Security Roles" on page 841.
On the Application Server, the following options are configured using the Admin Console:

A realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy. For more information, read "What Is a Realm?" on page 779.

A user is an individual (or application program) identity that has been defined in the Application Server. On the Application Server, a user generally has a user name, a password, and, optionally, a list of groups to which this user has been assigned. For more information, read "What Is a User?" on page 780.

A group is a set of authenticated users, classified by common traits, defined in the Application Server. For more information, read "What Is a Group?" on page 780.

A principal is an entity that can be authenticated by an authentication protocol in a security service that is deployed in an enterprise.

For more information on configuring users on the Application Server, read "Managing Users and Groups on the Application Server" on page 781.
During deployment, the deployer takes the information provided in the application deployment descriptor and maps the roles specified for the application to users and groups defined on the server using the Application Server deployment descriptors sun-web.xml, sun-ejb-jar.xml, or sun-application.xml. For more information, read "Mapping Security Roles to Application Server Groups" on page 844.
Declaring Security Roles
You can declare security role names used in web applications using either the @DeclareRoles annotation (preferred) or the security-role-ref elements of the deployment descriptor. Declaring security role names in this way enables you to link the security role names used in the code to the security roles defined for an assembled application. In the absence of this linking step, any security role name used in the code will be assumed to correspond to a security role of the same name in the assembled application.
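The following servlet is an added example, not code from the tutorial. It ties together the two points above: the role names a servlet uses in code are declared with @DeclareRoles, and the checks it makes with isUserInRole() are answered against those names after the deployer has mapped them to server groups in sun-web.xml. The servlet name ReportServlet, the role names "manager" and "employee", and the report text are all assumed for illustration.

```java
// Added example (not from the Java EE Tutorial): a servlet that declares the
// role names it relies on and checks them programmatically.
// ReportServlet, "manager" and "employee" are assumed names.
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Every role name referenced in this servlet's code is declared here. Without
// a security-role-ref in web.xml linking it elsewhere, each name is taken to
// be a security-role of the same name in the assembled application.
@DeclareRoles({"manager", "employee"})
public class ReportServlet extends HttpServlet {

    // Keep the names in constants so the annotation and the checks cannot drift apart.
    static final String ROLE_MANAGER = "manager";
    static final String ROLE_EMPLOYEE = "employee";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // A request that never passed authentication has no principal; deny it
        // outright instead of reasoning about roles for an anonymous caller.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Decide what the caller may see before writing anything, so a denial
        // can still be sent as a clean error response.
        String section;
        if (request.isUserInRole(ROLE_MANAGER)) {
            section = "department totals (managers only)";
        } else if (request.isUserInRole(ROLE_EMPLOYEE)) {
            section = "your own hours (employees)";
        } else {
            // Authenticated, but in none of the roles this servlet declares.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Report for " + request.getUserPrincipal().getName());
        out.println(section);
    }
}
```

For this to work as intended, "manager" and "employee" must exist as security-role elements of the assembled application (or be linked to such roles through security-role-ref elements whose role-link names the application role), and the deployer must map each application role to a server group with a security-role-mapping element in sun-web.xml. Note that isUserInRole() only governs what this code does once a request reaches it; whether unauthenticated requests reach the servlet at all is decided by the security-constraint elements in web.xml, not by the role checks shown here.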
Chapter 30 · Securing Web Applications
841