It seems from what I have read so far, the J2EE specification does not include a standard for how users are authenticated and assigned their role. Is this container specific? For example, if I have a table of users in a database how do I configure my web application to use those to determine the users role?
There is another layer of indirection between users in the 'authentication mechanism' and the roles in the J2EE container. Users are entered into the authentication mechanism (LDAP, database, whatever), then they are associated with roles that also exist within the authentication mechanism (I'm just going to say LDAP from now on). On the container side, you define a list of functions, then assign those functions to roles that still exist only in the container. Now you can provide a many to many mapping between the container and LDAP roles. Idealy they would exist as one-to-one, but this isn't necessary. You can still associate container roles directly to LDAP users, but the advantage of the other way is that it provides a distinction between the roles that the container is interested in and needs to maintain (ie you only have to worry about how roles map to functions) versus the roles that LDAP maintains (ie user to role mappings) At least this is the way I've always done it and find quite useful. Dave
Joined: Mar 09, 2001
I just do not seem to be able to wrap my mind around this, so let's try a concrete example. On one end, I have a database with a list of users. On the other end, I have a web application with each web resource associated with a role in the deployment descriptor. As the developer I want to make sure that a form based login can be tied to the database to authenticate the user logging in and assign the user to one of the roles defined in my deployment descriptor. Is this something that the container handles or do I need to handle it in my code? [ March 05, 2003: Message edited by: Matthew Phillips ]
Originally posted by Calina Cazangiu: You need to configure the server. Tomcat, for example, has a config file tomcat-users.xml where you associate a user with a role: <user name="user1" password="pw1" roles="role1, role2" />
Actually, that's just one of several Security Realms that Tomcat supports. I use the jdbc realm, where the server.xml file points to a jdbc datasource and table info that is used to lookup userids and passwords for verification and returns the user's security role. As David mentioned, there can be a one-to-many mapping on roles, just as there is at the JavaRanch (where the roles are "greenhorn", "ranch hand", "bartender", "sherrif"). So given a role, you can't unconditionally map back to a user. Now of course, if the app KNOWS that a role is (allegedly) uniquely related to a user, it can be written to manually do a reverse lookup using the security database, but that's not something that you can do univerally.
An IDE is no substitute for an Intelligent Developer.