users@glassfish.java.net

JDBCRealm: Can I map users/groups to roles using database?

From: <glassfish_at_javadesktop.org>
Date: Tue, 09 Dec 2008 19:33:27 PST

I'm trying to migrate a project from Tomcat 6 to Sun Application Server 9.1 U2. I can't figure out the JDBCRealm implementation. Here's the question: how do I map users (or groups) to roles using a database? This needs to work for <auth-constraints> in the web.xml and HttpServletRequest.isUserInRole().

The Catalina DataSourceRealm I've been extending expects 2 tables: one with usernames and passwords, the other mapping users to roles. Our users belong to groups, and roles are assigned to the groups, not directly to the users. We use a view to connect the user to roles for that group and use this in the Tomcat Realm as "userRoleTable".

The GlassFish version of JDBCRealm doesn't map users to roles, but it does map users to groups. From what I can tell, the groups are Principals like the user and need some other mapping to link them to roles. How can I use my database as the source of this mapping? I tried ignoring my groups and pointing "group-table" at my user_role view, with activate-default-principal-to-role-mapping="true", but that didn't seem to work. I've seen a bunch of sun-web.xml examples where people are creating groups named exactly the same as their roles and mapping them one-to-one ... I'm *really* hoping we've missed something here. This seems a little too redundant to be intentional.

Our application has very fine-grained security roles, and there are lots of them! The customers using our application create users and assign them to groups. They also have the ability to create/modify groups and assign roles to them (there are 8 roles associated with the screens I just mentioned). I have to continue supporting this and I'm stuck. I already need to extend AppservRealm, so I'm hoping there is some other abstract class and domain.xml entry I'm not aware of that will solve this problem.

Any help would be appreciated!

----------------------------------------------------------
Group Name: [Administrators ]

Users
[x] View [x] Create [x] Modify [x] Delete

Groups
[x] View [x] Create [x] Modify [x] Delete

[SAVE]
----------------------------------------------------------


Thank you!

------------
Paul Wardrip
Software Engineer
TANDBERG Television | Part of the Ericsson Group
[Message sent by forum member 'pwardrip' (pwardrip)]

http://forums.java.net/jive/thread.jspa?messageID=320895
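
The user-to-role view described in the message above (roles assigned to groups, users inheriting them through membership), as an added example that is not part of the original post. The table, column and role names are assumptions, the data is constructed, and SQLite stands in for the project's database.

```python
import sqlite3

# Constructed schema; every table, column and role name here is an assumption.
SCHEMA = """
CREATE TABLE users       (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL);
CREATE TABLE app_groups  (group_name TEXT PRIMARY KEY);
CREATE TABLE user_groups (username TEXT NOT NULL REFERENCES users(username),
                          group_name TEXT NOT NULL REFERENCES app_groups(group_name),
                          PRIMARY KEY (username, group_name));
CREATE TABLE group_roles (group_name TEXT NOT NULL REFERENCES app_groups(group_name),
                          role_name TEXT NOT NULL,
                          PRIMARY KEY (group_name, role_name));
-- Flattened view: one row per (user, role), roles inherited through groups.
-- DISTINCT collapses a role reached through more than one group.
CREATE VIEW user_role AS
    SELECT DISTINCT ug.username, gr.role_name
    FROM user_groups ug
    JOIN group_roles gr ON gr.group_name = ug.group_name;
"""

# The eight screen permissions from the mock-up, written as role names.
ROLES = [f"{screen}.{action}" for screen in ("users", "groups")
         for action in ("view", "create", "modify", "delete")]

def build_db():
    """Create an in-memory database with two users and two groups."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "<hash>"), ("bob", "<hash>")])
    db.executemany("INSERT INTO app_groups VALUES (?)",
                   [("Administrators",), ("Operators",)])
    db.executemany("INSERT INTO user_groups VALUES (?, ?)",
                   [("alice", "Administrators"), ("alice", "Operators"),
                    ("bob", "Operators")])
    db.executemany("INSERT INTO group_roles VALUES (?, ?)",
                   [("Administrators", r) for r in ROLES] +
                   [("Operators", "users.view"), ("Operators", "groups.view")])
    return db

def roles_for(db, username):
    """Effective roles of a user, read through the view with a bound parameter."""
    rows = db.execute("SELECT role_name FROM user_role WHERE username = ? "
                      "ORDER BY role_name", (username,))
    return [row[0] for row in rows]

def revoke(db, group_name, role_name):
    """Remove a role from a group; every member's effective roles change at once."""
    db.execute("DELETE FROM group_roles WHERE group_name = ? AND role_name = ?",
               (group_name, role_name))
```

Because the view is computed at query time, a role removed from a group disappears from every member's result on the next lookup, which is the property to check when a realm caches group or role lookups.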