0
votes

If we wanted to define security roles in the deployment descriptor, we do it this way, right?

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/jsp/security/protected/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role1</role-name>
        <role-name>employee</role-name>
    </auth-constraint>
</security-constraint>

 <!-- Security roles referenced by this web application -->
<security-role>
    <role-name>role1</role-name>
</security-role>
<security-role>
    <role-name>employee</role-name>
</security-role>

Let's say my application has 50 users, say User1 to User50, and they are stored in my application's database.

The question is, how do I connect a certain user to a security role defined in web.xml? Let's say upon successful authentication of User1, I want him to have the "employee" role. For User2, I want him to have "role1".

Thanks.


2 Answers

0
votes

Mapping of application security roles to users or groups from your user registry is platform dependent. Each application server provides some mechanism: it can be during installation, via some XML file contained in the application, or in server configuration. You could hard-code that in your application also.

Some servers will also provide integration with existing user registries, like LDAP, so you don't have to write user management code by yourself.

So specify the application server you are using or planning to use, then you will have more detailed answers ;)

0
votes
I don't know how you do it, but I am doing it this way.

In the database I am storing both the user information and its role information, and in security.xml I am doing both authorization and authentication by running SQL queries. You can do the same.

For example:

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service
            data-source-ref="dataSource"
            users-by-username-query="select username,password,enabled from users where username=?"
            authorities-by-username-query="select u1.username, u2.role from user_roles u1, user_roles u2 where u1.user_role_id = u2.user_role_id and u1.username =?" />
    </security:authentication-provider>
</security:authentication-manager>

Search for articles like "authentication in Spring with databases" and you will get lots of useful information. It will work for you, surely.

Thanks, Himanshu
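
An added example (not code from either answer or from Spring Security): the two SQL queries from the answer above, run with Python's sqlite3 against a constructed schema, to show how a role row ties User1 to "employee" and User2 to "role1". The table layout, the sample rows (including User3, disabled and with a misspelled role) and the helper names are assumptions; only the column names come from the queries, and the role names from the question's web.xml.

```python
import sqlite3

# The two queries from the answer's jdbc-user-service element, verbatim.
USERS_BY_USERNAME = "select username,password,enabled from users where username=?"
AUTHORITIES_BY_USERNAME = (
    "select u1.username, u2.role from user_roles u1, user_roles u2 "
    "where u1.user_role_id = u2.user_role_id and u1.username =?"
)
DECLARED_ROLES = {"role1", "employee"}  # role names declared in the question's web.xml

# Assumed schema: only the column names are taken from the queries above.
SCHEMA = """
create table users (username text primary key, password text not null, enabled integer not null);
create table user_roles (user_role_id integer primary key, username text not null, role text not null);
"""

def build_db():
    """Create an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # The password column should hold a password hash; placeholders are used here.
    db.executemany("insert into users values (?,?,?)", [
        ("User1", "<hash-placeholder>", 1), ("User2", "<hash-placeholder>", 1),
        ("User3", "<hash-placeholder>", 0),  # disabled account
    ])
    db.executemany("insert into user_roles (username, role) values (?,?)", [
        ("User1", "employee"), ("User2", "role1"), ("User3", "emploee"),  # typo on purpose
    ])
    return db

def load_user(db, username):
    """Return (enabled, roles) as the two queries report them, or None if unknown."""
    row = db.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None
    roles = sorted(r[1] for r in db.execute(AUTHORITIES_BY_USERNAME, (username,)))
    return bool(row[2]), roles

def undeclared_roles(db):
    """Roles stored in the database that match no declared role name."""
    rows = db.execute("select distinct role from user_roles")
    return sorted(r[0] for r in rows if r[0] not in DECLARED_ROLES)

if __name__ == "__main__":
    db = build_db()
    for name in ("User1", "User2", "User3", "User99"):
        print(name, load_user(db, name))
    print("undeclared:", undeclared_roles(db))
```

A stored role that matches no declared role name grants nothing and fails silently, so a check like `undeclared_roles` is worth running whenever role rows are edited by hand.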