JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Don't understand defining roles in HFJS book

Jaaouane Aymen
Greenhorn

Joined: Sep 22, 2009
Posts: 29
Hello,

I don't understand defining roles on page 664 in HFJS; exactly, I don't understand how the container maps the roles defined in
tomcat-users.xml to those defined in the DD.

The example shows a tag <role rolename="Admin"> under <tomcat-users> and a security role
<security-role><role-name>Admin</role-name></security-role>. If the application calls the admin 'Manager',
how do I map the admin role defined in tomcat-users to the role Manager which will be defined in the DD?
In other words, the deployer wants to define the manager role as the administrator of the application.

Another question: I want the users and their roles stored in a database and keep the container doing its security constraints.
How do I configure the container with a list of users and roles stored in a DB? It is not flexible to store the users of the application and their roles in the tomcat-users file. What if I want to change passwords or to add or remove a user; should I add a new tag in the tomcat-users file?
I want, for example, to add a constraint for a specific servlet, for example only the manager role can access this servlet,
but the users and their roles are stored in a database, not in the tomcat-users file as shown in the example.
How can I do that?
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9302
You can use the security-role-ref tag to map user roles and groups. See this page.

For the second answer, you can create a database realm in tomcat which tomcat will then use to authenticate users. I've never created a database realm in tomcat (I did that on glassfish once), but this might help, or search for a tutorial on how to set up a database realm in tomcat...


SCJP 6 | SCWCD 5 | Javaranch SCJP FAQ | SCWCD Links
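The two mappings the thread keeps circling (realm roles granted to a user, and the name a servlet uses in isUserInRole() being linked to a real role through security-role-ref) are easiest to see when both files sit side by side and something resolves them. The block below is an added example, not code from the thread, from the HFSJ book or from Tomcat: it is a small Python model of the container's decision, fed with a constructed tomcat-users.xml and web.xml (XML namespace declarations omitted so the ElementTree paths stay short). It goes a little beyond the question by also modelling the auth-constraint check, including an empty auth-constraint and the '*' role, with the spec's constraint-combination rules simplified as described in the can_access docstring.

```python
"""Teaching model of how a Servlet container resolves roles (added example).

The realm decides which roles a user holds; the deployment descriptor decides
which roles may reach a URL (<auth-constraint>) and how a name used in servlet
code translates to a real role (<security-role-ref>).  Both XML documents
below are constructed sample data, not files from any real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed realm file: the realm grants roles to users.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="Admin"/>
  <role rolename="Guest"/>
  <user username="alice" password="changeit" roles="Admin"/>
  <user username="bob" password="changeit" roles="Guest"/>
</tomcat-users>"""

# Constructed DD: code in the Reports servlet calls isUserInRole("Manager");
# the deployer links that coded name to the realm role Admin.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Reports</servlet-name>
    <servlet-class>example.ReportsServlet</servlet-class>
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Nobody</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Guest</role-name></security-role>
</web-app>"""


def realm_roles(tomcat_users_xml, username):
    """Roles the realm grants to a user; an unknown user holds none."""
    root = ET.fromstring(tomcat_users_xml)
    for user in root.iter("user"):
        if user.get("username") == username:
            return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    return set()


def url_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def can_access(web_xml, user_roles, path):
    """Authorization decision for a path from the DD's <security-constraint>s.

    Simplified combination rule: an empty <auth-constraint/> on any matching
    constraint denies everyone; a matching constraint with no <auth-constraint>
    leaves the path open; otherwise the user needs one of the named roles,
    where '*' stands for every declared <security-role>.
    """
    root = ET.fromstring(web_xml)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    allowed, open_found, deny_found = set(), False, False
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if not any(url_matches(p, path) for p in patterns):
            continue
        auth = sc.find("auth-constraint")  # compare with 'is None': empty elements are falsy
        if auth is None:
            open_found = True
            continue
        names = {r.text.strip() for r in auth.findall("role-name")}
        if not names:
            deny_found = True
        allowed |= (declared if "*" in names else names)
    if deny_found:
        return False
    if open_found or not allowed:
        return True  # no role restriction matched this path
    return bool(allowed & set(user_roles))


def is_user_in_role(web_xml, servlet_name, user_roles, role_name):
    """Model of HttpServletRequest.isUserInRole for one servlet.

    A <security-role-ref> whose <role-name> equals the coded name redirects the
    check to its <role-link>; with no matching ref the name is checked as-is.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.findall("servlet"):
        if servlet.findtext("servlet-name", "").strip() != servlet_name:
            continue
        for ref in servlet.findall("security-role-ref"):
            if ref.findtext("role-name", "").strip() == role_name:
                role_name = ref.findtext("role-link", "").strip()
    return role_name in user_roles
```

With this data, alice (realm role Admin) reaches /admin/* and the Reports servlet's isUserInRole("Manager") answers true for her only because of the security-role-ref link; the same call from a servlet without that ref answers false, because "Manager" is then checked literally against realm roles she does not hold. Nobody reaches /internal/*, since an empty auth-constraint denies every role.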
Jaaouane Aymen
Greenhorn

Joined: Sep 22, 2009
Posts: 29
Hello, thank you for your help.
I think that security-role-ref is for mapping roles used in servlet code to those defined in the DD,
not to map the roles defined in tomcat-users.xml to those defined in the DD. If I'm wrong, tell me. So I think that I still don't have a response to my question.
I have another question.
From what I read, I understood that all my users from all applications will be stored in the realm. If I have user1
for webapplication1 and user2 for webapplication2, both users will be in the realm as if they are users of the same web application.
Why is the scope of a user the application server, why not the web application? Why did they design it in this manner?
Chinmaya Chowdary
Ranch Hand

Joined: Apr 21, 2008
Posts: 432
Hi Jaaouane.
why the scope of user is in the application server, why not in the web application? why they design it in this manner?


I think, if 'user1', who is authenticated in 'webapplication1', is authorized to access a resource, say test.jsp, and if test.jsp wants to access a resource that is present in 'webapplication2', then test.jsp will redirect it to 'webapplication2'. Now 'webapplication2' will authenticate and authorize the resource for 'user1'.

If we scope the user in the web application, we have to add duplicate entries, one for 'webapplication1' and one for 'webapplication2'. I think to avoid this, the scope of user is in the application server.
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9302
Jaaouane Aymen wrote:I think that security-role-ref is for mapping roles used in servlet code to those defined in the DD, not to map the roles defined in tomcatusers.xml to those defines in the DD.


So you want to map tomcat roles to your web app roles. What for?? There's a user named Jaaouane in the programmer group in tomcat, the programmer group is mapped to admin role in the tomcatusers.xml. Now you want your application to recognize me in role manager instead of admin. But what's the use?? The only use that I can think of is to be used in the isUserInRole method. And I already provided the solution to that. What's the other use of mapping admin role to manager role??
Jaaouane Aymen
Greenhorn

Joined: Sep 22, 2009
Posts: 29
Hello, great thanks for your help,

In the beginning, I understood the <security-role> tag which we declare in the DD wrongly; I thought that the purpose of this tag is to map
tomcat roles to my web app roles, so I will change my question. My question becomes: what is the purpose of this tag <security-role>?
I think that all the information needed to know the roles of a user is stored in the realm. On page 664 Kathy says 'the deployer creates <role-name>
elements, so that the container can map roles to users', but the roles are mapped to users from the realm. I don't understand what she means by
"so that the container can map roles to users"?
Another issue is about the scope of a user. Until now I don't understand whether the scope of a user is the web application or the application server. I see in tutorials that we can declare a realm tag under a context tag, so the realm is valid only for the web application under which we declared the realm, so the users defined in this realm are only valid for this web application. I don't understand the scope of users defined in a realm: are they users for all web applications deployed in the application server or for only one web application?
Assuming that users defined in a realm are users for all web applications deployed in the application server, what do I do if I want to define some users as admin for webapplication1 and the same users as guests for webapplication2?
Best regards,
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9302
I couldn't understand your question properly, but the use of the <security-role> is to define a subset of roles in the realm that you want to use in your application. Suppose there are 30 roles in my tomcat realm. Only 20 of them are actually related to my application. Now I create a constrained resource like this

So as there is no auth-constraint, all roles are allowed to access the resource. Now using the <security-role> tag, I can limit it so that only 20 roles can access this resource (as there are only 20 roles that I want to use; the remaining 10 are for other applications). If there were no <security-role> tag for me to use (i.e. if it was removed from the spec) then all 30 roles would have access to my application, which I don't want...
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9302
Moreover, if you use glassfish's file realm, then you'll see that there is no way of defining roles in the realm itself (see the attached image). There are groups instead of roles in the realm. The roles (in the DD) are mapped to groups (in the realm) either if the name in <role-name> is same as the group name, or by using custom mapping in the sun-web.xml like


[Thumbnail for file realm.jpg]

Jaaouane Aymen
Greenhorn

Joined: Sep 22, 2009
Posts: 29
Hello Ankit and great thanks for your help,
You don't have answers for my other question about the scope of user?
Best regards,
Chinmaya Chowdary
Ranch Hand

Joined: Apr 21, 2008
Posts: 432
Hi Jaaouane.
I don't understand the scope of users defined in a realm: are they users for all web applications deployed in the application server or for only one web application?


We define user roles in the tomcat-users.xml file. That is present in /Tomcat 5.5/conf/ directory. It is for all applications present in the container.
Jaaouane Aymen
Greenhorn

Joined: Sep 22, 2009
Posts: 29
Hello, thank you Chinmaya,
From your response I understand that we can define realms for all applications, such as we do with tomcat-users.xml, or for only one web application.
If the realm is a database, the realm is for the web application under which we declare the realm tag.
(I saw this in a tutorial which explains how to install a database realm with tomcat.)
Is it true?
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9302
If the realm is a database, the realm is for the webapplication under it we declare the realm tag.

Realms are shared by all the applications that are deployed on a server. Any application that uses a realm (whether file or database) using the <realm-name> tag will share the same users that are defined in that realm. So if the realm defines 2 users, abc and xyz, then all the applications that use that realm will have those 2 users. Look at this or this to see how to create a database realm in tomcat...