
mapping roles to users in declarative security

Matthew Phillips
Ranch Hand

Joined: Mar 09, 2001
Posts: 2676
It seems from what I have read so far, the J2EE specification does not include a standard for how users are authenticated and assigned their role. Is this container specific? For example, if I have a table of users in a database how do I configure my web application to use those to determine the users role?


Matthew Phillips
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

There is another layer of indirection between users in the 'authentication mechanism' and the roles in the J2EE container.
Users are entered into the authentication mechanism (LDAP, database, whatever), then they are associated with roles that also exist within the authentication mechanism (I'm just going to say LDAP from now on).
On the container side, you define a list of functions, then assign those functions to roles that still exist only in the container.
Now you can provide a many-to-many mapping between the container and LDAP roles. Ideally they would exist as one-to-one, but this isn't necessary.
You can still associate container roles directly to LDAP users, but the advantage of the other way is that it provides a distinction between the roles that the container is interested in and needs to maintain (i.e. you only have to worry about how roles map to functions) versus the roles that LDAP maintains (i.e. user to role mappings).
At least this is the way I've always done it and find quite useful.
Dave
Matthew Phillips
Ranch Hand

Joined: Mar 09, 2001
Posts: 2676
I just do not seem to be able to wrap my mind around this, so let's try a concrete example. On one end, I have a database with a list of users. On the other end, I have a web application with each web resource associated with a role in the deployment descriptor. As the developer I want to make sure that a form based login can be tied to the database to authenticate the user logging in and assign the user to one of the roles defined in my deployment descriptor. Is this something that the container handles or do I need to handle it in my code?
[ March 05, 2003: Message edited by: Matthew Phillips ]
Calina Cazangiu
Ranch Hand

Joined: Feb 27, 2003
Posts: 30
You need to configure the server. Tomcat, for example, has a config file tomcat-users.xml where you associate a user with a role:
<user name="user1" password="pw1" roles="role1, role2" />
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
    

Originally posted by Calina Cazangiu:
You need to configure the server. Tomcat, for example, has a config file tomcat-users.xml where you associate a user with a role:
<user name="user1" password="pw1" roles="role1, role2" />

Actually, that's just one of several Security Realms that Tomcat supports. I use the jdbc realm, where the server.xml file points to a jdbc datasource and table info that is used to look up userids and passwords for verification and returns the user's security role.
As David mentioned, there can be a one-to-many mapping on roles, just as there is at the JavaRanch (where the roles are "greenhorn", "ranch hand", "bartender", "sheriff"). So given a role, you can't unconditionally map back to a user.
Now of course, if the app KNOWS that a role is (allegedly) uniquely related to a user, it can be written to manually do a reverse lookup using the security database, but that's not something that you can do universally.


Customer surveys are for companies who didn't pay proper attention to begin with.
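Added example, not part of the thread or any poster's own configuration: the setup discussed above (form-based login, users and roles held in a database, roles declared in the deployment descriptor) written out for Tomcat's JDBCRealm. The table and column names, JDBC URL, driver, account name, role name and page paths are all assumptions made for illustration.

```xml
<!-- conf/server.xml, inside <Engine> or <Host>.
     Constructed example: the container, not application code, checks the
     credentials and loads the user's roles from these (hypothetical) tables.
     The role table must also contain a column named like userNameCol. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://localhost/appdb"
       connectionName="realm_reader"
       connectionPassword="CHANGE_ME"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />

<!-- WEB-INF/web.xml. The role name "admin" must match a value the realm
     returns from role_name; that string is the whole user-to-role link. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- Require TLS so the login form's password is not sent in clear text -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The login page posts j_username and j_password to j_security_check;
     the container handles that request itself. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

Give the realm's database account read-only access to the two tables, and store password digests rather than clear-text passwords in the credential column.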
Calina Cazangiu
Ranch Hand

Joined: Feb 27, 2003
Posts: 30
Cool!
Are there other ways to assign a role to a user?
 