My question is: how do I avoid mentioning authorization parameters in deployment descriptors, e.g. how do I perform authorization checks without mentioning security roles or security constraints? Is there any way in which I can extract the security configuration done in web.xml and configure the same in some tool?
The reasons I want to do that are:
1. In a typical application there may be close to 200 URL patterns and multiple security roles. It becomes a very difficult task to rely only on the web.xml parameters.
2. I would also like the capability to alter role access mappings without making any changes in the applications, e.g. the customer role has access to /Buy.jsp; I also want to grant access to the dealer role to /buy.jsp, or maybe even prevent the customer role from accessing /buy.jsp.
3. I also do not want to rely heavily on programmatic security because it may end up causing code changes, e.g. isUserInRole("CUSTOMER") may need to change to isUserInRole("CUSTOMER") || isUserInRole("DEALER").
Are there any tools available in the market which can meet my needs?
Any help in this matter will be greatly appreciated.