In the Java EE environment, roles are logical privileges that represent permission to operate on a particular set of resources in an application. The Sun Java System Application Server environment consists of several realms, each of which contains a complete database of the users and groups that identify valid users of an application. When roles are mapped to users, those users are effectively granted the permissions the role represents.
In Sun One Application Server 7.0, you can assign a role to all authenticated users in all realms at the same time, and applications can define authorization for that role. This addresses the following common scenario in the LDAP environment:
- All authenticated users can access some subset of protected resources within the application. It doesn't matter who you are, only that your identity has been established.
- The set of user groups is large or dynamic, but not specific to the application.
We wanted the ability to grant permission based on authentication independent of identity. In other words, we wanted a way to grant all authenticated identities to a role, or to define a role that is understood to be mapped to all authenticated identities, and not to unauthenticated entities.
In Sun Java System Application Server 8.x and GlassFish v1,
various RFEs and issues have been filed requesting support of the
above scenario. Therefore, this scenario has been addressed in
GlassFish v2.
In GlassFish v2, the assign-groups property in
CertificateRealm has been extended to FileRealm, LDAPRealm,
SolarisRealm, and JDBCRealm. With this change,
it is possible to configure all realms so that they assign one
or more common group principals as a result of successful
authentication, and such that every user is effectively made
a member of the common groups.
Given that this is the case, mapping one or more of the group
principals to a role, either explicitly or by default, will allow
the role to be used as an ANYONE role, a role that
conveys/represents permission to operate on all resources which
are accessible to any authenticated user. You can assign
additional groups to all authenticated users in a specific realm
without having to add those groups to all authenticated users
in all realms. This gives us a finer control and allows us to
resolve the issues with the above scenario as follows:
- Set the assign-groups property for a given realm. All authenticated users of the given realm will be assigned the additional groups specified by the assign-groups property, for instance, assign-groups=agroup.
- Map the additional groups to the desired roles in the Sun-specific deployment descriptors. For instance, in sun-application.xml:

  <sun-application>
    <security-role-mapping>
      <role-name>javaee</role-name>
      <principal-name>javaee</principal-name>
    </security-role-mapping>
    <security-role-mapping>
      <role-name>ANYONE</role-name>
      <group-name>agroup</group-name>
    </security-role-mapping>
  </sun-application>
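As an added example (not part of the original post), here are the two pieces that sit around the sun-application.xml mapping above: the realm property in domain.xml that makes every successful login yield the common group, and a web.xml that distinguishes a constraint open to any authenticated user (the ANYONE role) from one open to unauthenticated requests and from one limited to an explicitly mapped role. The realm name "file" and the URL patterns are assumptions.

```xml
<!-- domain.xml (GlassFish v2, constructed example): every user who authenticates
     against the "file" realm also receives the group principal "agroup" -->
<auth-realm name="file"
            classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
  <property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"/>
  <property name="jaas-context" value="fileRealm"/>
  <property name="assign-groups" value="agroup"/>
</auth-realm>

<!-- web.xml (constructed example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- /public/*: no auth-constraint at all, so unauthenticated requests are served.
       This is NOT the same as the ANYONE role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <!-- /secure/*: any authenticated user of the realm. Because "agroup" is
       assigned on every successful login and mapped to ANYONE in
       sun-application.xml, identity does not matter, only that it was established;
       an unauthenticated request gets the BASIC challenge instead. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>authenticated</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ANYONE</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- /admin/*: only the explicitly mapped javaee role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>javaee</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>
  <security-role><role-name>ANYONE</role-name></security-role>
  <security-role><role-name>javaee</role-name></security-role>
</web-app>
```

The role names in web.xml must match the role-name elements in sun-application.xml, or the mapping of agroup to ANYONE never takes effect.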
2) Why is the role mapping for the additional default groups (the last snippet, sun-application.xml) needed? This defeats the purpose of having the default role mapping without explicit role mapping in the application. Thanks. -- Jagadesh
Posted by Jagadesh Munta on August 15, 2006 at 11:39 AM PDT #
Posted by 192.18.43.225 on February 12, 2007 at 11:37 AM PST #
Can I put the role mapping in application.xml and not have sun-application.xml at all?
Posted by 114.143.215.194 on January 20, 2010 at 08:29 PM PST #
No, the role mapping must be in sun-application.xml.
Posted by Shing Wai Chan on January 21, 2010 at 10:04 AM PST #