
Mapping Security Roles


element must be the String used as the parameter to the HttpServletRequest.isUserInRole(String role) method. The role-link must contain the name of one of the security roles defined in the security-role elements. The container uses the mapping of security-role-ref to security-role when determining the return value of the call.

Mapping Security Roles to Application Server Groups
To map security roles to application server principals and groups, use the security-role-mapping element in the runtime deployment descriptor (DD). The runtime deployment descriptor is an XML file that contains information such as the context root of the web application and the mapping of the portable names of an application's resources to the Application Server's resources. The Application Server web application runtime DD is located in /WEB-INF/ along with the web application DD. Runtime deployment descriptors are named sun-web.xml, sun-application.xml, or sun-ejb-jar.xml.

The following example demonstrates how to do this mapping:
<sun-web-app>
    <security-role-mapping>
        <role-name>CEO</role-name>
        <principal-name>smcneely</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>Admin</role-name>
        <group-name>director</group-name>
    </security-role-mapping>
    ...
</sun-web-app>
A role can be mapped to specific principals, specific groups, or both. The principal or group names must be valid principals or groups in the current default realm. The role-name element must match the role-name in the security-role element of the corresponding application deployment descriptor (web.xml, ejb-jar.xml) or the role name defined in the @DeclareRoles annotation.
Sometimes the role names used in the application are the same as the group names defined on the Application Server. Under these circumstances, you can use the Admin Console to define a default principal-to-role mapping that applies to the entire Application Server instance. From the Admin Console, select Configuration, then Security, then check the enable box beside Default Principal to Role Mapping. Because every realm group whose name matches an application role then receives that role automatically, in every application deployed on the instance, check that no existing group unintentionally shares a name with a privileged role before enabling it. For more information, read the Sun Java System Application Server 9.1 Developer's Guide or Sun Java System Application Server 9.1 Administration Guide.
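The resolution chain described in this section (the role-name of a security-role-ref, its role-link, the declared security-role, and finally the security-role-mapping in sun-web.xml) can be checked offline. The following Python script is an added example and is not code from the tutorial or from the Application Server. It parses a constructed web.xml and sun-web.xml (the CEO/Admin mappings shown above plus a hypothetical ReportServlet, a manager security-role-ref and an unmapped auditor role, all invented for illustration) and emulates what HttpServletRequest.isUserInRole would return for a given caller. Two behaviours are assumptions and are marked as such in the code: a coded role name with no matching security-role-ref is looked up directly as a security-role (the Servlet specification's default), and Default Principal to Role Mapping is modelled as granting an unmapped role to members of the group with the same name.

```python
"""Emulate the container's isUserInRole() resolution for a web application.

Added example: the descriptors below are constructed for illustration and
are not from the Java EE Tutorial or the Application Server.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: one servlet with a security-role-ref, three roles.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>CEO</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

# Constructed sun-web.xml: the page's CEO/Admin mappings; auditor is unmapped.
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>CEO</role-name>
    <principal-name>smcneely</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>Admin</role-name>
    <group-name>director</group-name>
  </security-role-mapping>
</sun-web-app>"""


def _parse(xml_text):
    """Parse and drop XML namespaces so elements can be matched by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def security_roles(web_xml):
    """Portable roles declared with <security-role> in web.xml."""
    return {r.findtext("role-name").strip()
            for r in _parse(web_xml).findall("security-role")}


def role_refs(web_xml, servlet_name):
    """Coded role names (<role-name>) -> real roles (<role-link>) for one servlet.

    Assumption: a security-role-ref without a role-link maps the name to itself.
    """
    refs = {}
    for servlet in _parse(web_xml).findall("servlet"):
        if servlet.findtext("servlet-name", "").strip() != servlet_name:
            continue
        for ref in servlet.findall("security-role-ref"):
            name = ref.findtext("role-name").strip()
            refs[name] = ref.findtext("role-link", "").strip() or name
    return refs


def role_mappings(sun_web_xml):
    """Role -> (realm principal names, realm group names) from sun-web.xml."""
    mappings = {}
    for m in _parse(sun_web_xml).findall("security-role-mapping"):
        role = m.findtext("role-name").strip()
        principals, groups = mappings.setdefault(role, (set(), set()))
        principals.update(p.text.strip() for p in m.findall("principal-name"))
        groups.update(g.text.strip() for g in m.findall("group-name"))
    return mappings


def is_user_in_role(role, servlet_name, principal, groups, web_xml=WEB_XML,
                    sun_web_xml=SUN_WEB_XML, default_p2r=False):
    """Return what HttpServletRequest.isUserInRole(role) would return.

    1. A matching security-role-ref rewrites the coded name via role-link;
       without one the coded name is taken as the security-role (assumption,
       following the Servlet specification's default).
    2. A name not declared in <security-role> can never be granted.
    3. security-role-mapping grants by principal name or group membership.
    4. With default principal-to-role mapping enabled and no explicit mapping,
       the role is granted to members of the same-named group (assumption).
    """
    resolved = role_refs(web_xml, servlet_name).get(role, role)
    if resolved not in security_roles(web_xml):
        return False
    mapped = role_mappings(sun_web_xml).get(resolved)
    if mapped is not None:
        mapped_principals, mapped_groups = mapped
        return principal in mapped_principals or bool(set(groups) & mapped_groups)
    return default_p2r and resolved in groups


if __name__ == "__main__":
    for role, servlet, user, grps in [("manager", "ReportServlet", "jdoe", ["director"]),
                                      ("manager", "OtherServlet", "jdoe", ["director"]),
                                      ("CEO", "ReportServlet", "smcneely", [])]:
        print(f"{user} {grps} isUserInRole({role!r}) in {servlet}: "
              f"{is_user_in_role(role, servlet, user, grps)}")
```

Running the script shows why the scope of each element matters: a caller in group director gets isUserInRole("manager") true only inside ReportServlet, because the security-role-ref belongs to that servlet; in any other servlet the name manager is not a declared security-role and the check is false. Likewise isUserInRole("director") is false everywhere, since a group name is never consulted directly, only through a security-role-mapping or, when enabled, the default principal-to-role mapping.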
The Java EE 5 Tutorial · September 2007