Hi, thank you for reading my post. Can you please tell me how LDAP could be used for authorization? I know about authentication: we can use the userid and password stored in LDAP for authentication, but authorization means checking a user's right to access a resource.
My question is: authorization requires defining roles, and then we should define which roles have access to which resources.
How could this be done in a J2EE application with LDAP?
Security in J2EE is done declaratively in the deployment descriptor. Be it J2EE's EJB or Servlet container, both containers give you a way through their respective deployment descriptors to do authorization. The definition of roles is also done there.
From the point of view of EJB and Servlet, nothing is said about LDAP in either spec. LDAP is more for authentication than authorization. Hence the authentication in J2EE is vendor specific.
So each J2EE application server vendor has its own implementation for security. They may have security in place which runs over LDAP.
LDAP becomes interesting when you write your own application's user management, where you want to create users, groups and roles and assign them to each other. You could use LDAP to retrieve all users, groups and roles from an external LDAP-enabled directory service.
In case you really want to dive into that matter, see my recommendations for J2EE Security and LDAP:
Authorization is all about what a user/subject can and cannot do, and this comes in the form of roles. You can store logical roles in LDAP and then use JAAS for both authentication and authorization. After authentication you can populate the subject with the roles that the user has, and this information you can store in LDAP.
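As an added illustration (not code from either answer above) of the JAAS approach in the second answer feeding the container-managed roles of the first: a hypothetical LoginModule that authenticates by binding to LDAP as the user and then populates the Subject with the user's groupOfNames memberships as role principals. Assumptions: the options url, userBase and groupBase come from the JAAS configuration, users are uid=... entries under userBase, and the mapping of these principals to the roles declared in web.xml or ejb-jar.xml is done by vendor-specific container configuration.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS LoginModule: LDAP bind as the user (authentication), then the user's LDAP groups become role principals (authorization input). */
public class LdapRoleLoginModule implements LoginModule {
    public static final class RolePrincipal implements Principal {   // one role name per principal; the container maps these to declarative roles
        private final String name;  public RolePrincipal(String n) { name = n; }  public String getName() { return name; }
    }
    private Subject subject; private CallbackHandler handler;
    private Map<String, ?> options;  // url, userBase, groupBase come from the JAAS configuration (assumed option names)
    private final List<Principal> pending = new ArrayList<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException(e.getMessage()); }
        char[] pw = pc.getPassword();
        // An LDAP simple bind with an empty password is an anonymous bind and would "succeed": reject it up front.
        if (pw == null || pw.length == 0) throw new FailedLoginException("empty password");
        // Rdn.escapeValue keeps a crafted user name from changing which entry we bind as.
        String userDn = "uid=" + Rdn.escapeValue(nc.getName()) + "," + options.get("userBase");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("url"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try {
            DirContext ctx = new InitialDirContext(env);  // a successful bind is the authentication step
            SearchControls sc = new SearchControls(); sc.setSearchScope(SearchControls.SUBTREE_SCOPE); sc.setReturningAttributes(new String[]{"cn"});
            // JNDI filter-escapes the {0} argument, so the DN cannot inject filter syntax.
            NamingEnumeration<SearchResult> groups = ctx.search((String) options.get("groupBase"), "(&(objectClass=groupOfNames)(member={0}))", new Object[]{userDn}, sc);
            while (groups.hasMore()) pending.add(new RolePrincipal((String) groups.next().getAttributes().get("cn").get()));
            ctx.close();
        } catch (NamingException e) { pending.clear(); throw new FailedLoginException("LDAP bind or group lookup failed"); }  // no directory detail leaks
        finally { Arrays.fill(pw, '\0'); pc.clearPassword(); }
        return true;
    }
    public boolean commit() { subject.getPrincipals().addAll(pending); pending.clear(); return true; }
    public boolean abort() { pending.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }
}
```

Once the container has mapped the RolePrincipal names to declared roles, the security-constraint elements in the deployment descriptor and calls such as isUserInRole decide access; the module itself never makes that decision.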