users@glassfish.java.net

Re: JDBCRealm: Can I map users/groups to roles using database?

From: Witold Szczerba <pljosh.mail_at_gmail.com>
Date: Wed, 10 Dec 2008 09:04:48 +0100

2008/12/10 <glassfish_at_javadesktop.org>:
> source of this mapping? I tried ignoring my groups
> and pointing "group-table" at my user_role view,
> with activate-default-principal-to-role-mapping="true"
> but that didn't seem to work. I've seen a bunch of
> sun-web.xml examples where people are creating

The default-principal-to-role-mapping option is used only at
deployment time. When you change that value after the application is
deployed - it will not work.

There is a GlassFish-specific XML descriptor which maps groups to roles;
this is something you cannot change without redeploying the application,
and as far as I am concerned - it can be specified only in that
descriptor. The JDBCRealm, however, can dynamically map users to groups
(but not groups to roles).

For example:
role name -- group name
can read customer -- user
can append customer -- user
can modify own customer -- user
can modify any customer -- principal
can modify anything -- admin

The roles are something you have to 'design' (for example specified in
the code, in annotations of beans/methods, etc...). Once you agree on
the mapping between roles-groups (this is something you have to do
together with your customer, because he or she is unable to examine
your code and know what exactly the roles are and how they are
respected), you put that mapping inside the XML descriptor. After
deployment, your customer can on his or her own alter the user/group
database tables, but will not be able to change that mapping without
altering that file and redeploying the application...

Regards,
Witold Szczerba
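
Added example, not part of the original message: the role-to-group table from the reply above written as a `sun-web.xml` descriptor. The role and group names are the ones in the message; the DOCTYPE declaration is omitted and the file location is the usual one for a web application.

```xml
<!-- WEB-INF/sun-web.xml (constructed example).
     Read at deployment time: editing it has no effect until the
     application is redeployed. Each role-name must also be declared
     as a <security-role> in web.xml or via annotations in the code. -->
<sun-web-app>

  <!-- Roles granted to every member of the "user" group -->
  <security-role-mapping>
    <role-name>can read customer</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>can append customer</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>can modify own customer</role-name>
    <group-name>user</group-name>
  </security-role-mapping>

  <!-- Broader roles, each bound to a single more privileged group -->
  <security-role-mapping>
    <role-name>can modify any customer</role-name>
    <group-name>principal</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>can modify anything</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>

</sun-web-app>
```

With this split, whoever administers the JDBCRealm tables can move users between the `user`, `principal` and `admin` groups at runtime, while what each group is allowed to do stays fixed in the deployed archive.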