
Adding Authorized Roles and Users


To authenticate a user and allow that user access to protected resources on the Application Server, you must link the roles defined in the application to the users defined for the Application Server.

A security role, which is defined at the application level, is a logical grouping of users, classified by common traits such as customer profile or job title.

The Application Server has multiple realms, each of which generally includes a database of authorized users, their passwords, and one or more logical groups to which each user belongs.
When an application is deployed, the application-specific security roles are mapped to security identities in the runtime environment, such as principals (identities assigned to users as a result of authentication) or groups. Based on this mapping, a user who has been assigned a certain security role has associated access rights to a web application deployed onto a server.
As shown in the deployment descriptor for this example application, the security constraint specifies that users assigned to the role of helloUser are authorized to access the URL pattern /greeting. In this example, when this resource is accessed (because it is constrained by a security constraint), the Application Server sends a default login dialog, receives the login information, and checks to see if the user is in a group that has been mapped to the role of helloUser. If the user name and password are those of an authorized user in such a group, access to the resource is granted to the requester; a user who logs in successfully but belongs to no group mapped to helloUser is refused access.
To set up users for this example application, follow these steps:
1. If you have not already done so, create a user in the file realm of the Application Server and assign that user to the group user. Make sure to note the user name and password that you enter in this step so that you can use them for testing the application later. If you need help with the steps required to accomplish this task, read "Managing Users and Groups on the Application Server" on page 781 for more information.
2. Map the application security role helloUser to the group user that has been configured on the Application Server. For more information on how to do this mapping, read "Mapping Application Roles to Application Server Groups" on page 881.
Mapping Application Roles to Application Server Groups
Map the role helloUser defined in the application to the group user defined on the Application Server by adding a security-role-mapping element to the sun-web.xml runtime deployment descriptor file. The runtime deployment descriptor is an XML file that contains information such as the context root of the web application and the mapping of the portable names of an application's resources to the Application Server's resources. Note that the mapping names a server group, not a user: any account that is in that group satisfies the role, and an account that is not in a mapped group cannot satisfy it no matter how it authenticates.
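Putting the three pieces together (the security constraint in web.xml, the security-role-mapping in sun-web.xml, and the realm's group membership), the following is an added Python model of the access decision the Application Server makes for /greeting. It is not code from the tutorial: the two descriptor fragments, the file-realm entries and the user names duke and guest in it are constructed for this illustration, and the full sun-web.xml of the example is not reproduced here. It also exercises two edge cases the servlet specification distinguishes that the tutorial's single constraint does not show, an absent auth-constraint (open resource) and an empty one (deny everyone).

```python
"""Added model of the access decision for hello2_basicauth: web.xml names
the role allowed on /greeting, sun-web.xml maps that role to a server
group, and the realm says which groups an authenticated user has.
Not the tutorial's code; descriptors and realm entries are constructed."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: /greeting is reachable only by role helloUser.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>greeting</web-resource-name>
      <url-pattern>/greeting</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>helloUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
  <security-role><role-name>helloUser</role-name></security-role>
</web-app>"""

# Constructed sun-web.xml fragment: role helloUser -> server group "user".
SUN_WEB_XML = """<sun-web-app>
  <context-root>/hello2_basicauth</context-root>
  <security-role-mapping>
    <role-name>helloUser</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
</sun-web-app>"""

# Constructed stand-in for the file realm: user -> (password, groups).
# A real realm stores password hashes; plaintext is used here only for brevity.
FILE_REALM = {"duke": ("javaee", {"user"}),
              "guest": ("guest", {"visitor"})}   # valid login, not in group "user"


def load_constraints(web_xml):
    """[(url_patterns, roles)] per <security-constraint>; roles is None when
    there is no <auth-constraint> (open) and an empty set when it names no
    role (deny everyone), the two edge cases the servlet spec distinguishes."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        out.append((patterns, roles))
    return out


def load_role_mapping(sun_web_xml):
    """{role: set of server group names} from <security-role-mapping>."""
    mapping = {}
    for m in ET.fromstring(sun_web_xml).findall("security-role-mapping"):
        role = m.find("role-name").text.strip()
        mapping.setdefault(role, set()).update(g.text.strip() for g in m.findall("group-name"))
    return mapping


def pattern_matches(pattern, path):
    """Servlet url-pattern forms: default '/', prefix '/x/*', extension '*.ext', exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def authenticate(username, password, realm=FILE_REALM):
    """Groups of the user on success, None on failure (the container would
    then re-send the 401 challenge rather than reach authorization)."""
    entry = realm.get(username)
    return None if entry is None or entry[0] != password else entry[1]


def is_authorized(path, groups, constraints, mapping):
    """Combine all constraints matching the path (simplified: no precedence
    between pattern kinds), then test whether any required role is mapped to
    one of the caller's groups.  A role with no mapping can never be satisfied."""
    matching = [roles for patterns, roles in constraints
                if any(pattern_matches(p, path) for p in patterns)]
    if not matching or any(roles is None for roles in matching):
        return True
    if any(not roles for roles in matching):
        return False
    return any(mapping.get(role, set()) & set(groups) for role in set().union(*matching))


def check_request(path, username, password):
    """Whole chain: 'unauthenticated', 'forbidden' (valid login but no mapped
    group) or 'granted'."""
    groups = authenticate(username, password)
    if groups is None:
        return "unauthenticated"
    ok = is_authorized(path, groups, load_constraints(WEB_XML), load_role_mapping(SUN_WEB_XML))
    return "granted" if ok else "forbidden"
```

The "forbidden" outcome is the one to watch when testing the example: an account that exists in the realm but was never added to the group named in the security-role-mapping (or a mapping that misspells the group name) authenticates fine and is then refused at /greeting, which looks like a password problem but is a mapping problem.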
The runtime deployment descriptor for this example, tut-install/javaeetutorial5/examples/web/hello2_basicauth/web/WEB-INF/sun-web.xml, looks like this:
Examples: Securing Web Applications
Chapter 30 · Securing Web Applications
881