users@glassfish.java.net

Re: security roles set up using session variable

From: <glassfish_at_javadesktop.org>
Date: Mon, 26 Jan 2009 02:51:04 PST

You cannot restrict access to a URL unless there is a security constraint defined on the URL.

Why not use a proper Java EE style application development model?

1. Specify something like the following in your web.xml:

web.xml
<web-app ....>
  .....
  <security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
      <web-resource-name>admin-resources</web-resource-name>
      <description/>
      <!-- specify those URL patterns that can be accessed by admin only -->
      <url-pattern>/admin.jsp</url-pattern>
      ....
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Constraint2</display-name>
    <web-resource-collection>
      <web-resource-name>customer-resources</web-resource-name>
      <description/>
      <!-- specify those URL patterns that can be accessed by valid customers only -->
      <url-pattern>/xxxx</url-pattern>
      ....
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>mycustomrealm</realm-name>
  </login-config>
  <security-role>
    <description/>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description/>
    <role-name>customer</role-name>
  </security-role>
</web-app>

2. Now implement a custom realm named mycustomrealm:

http://blogs.sun.com/nithya/entry/groups_in_custom_realms , where you can ensure that the proper group name is assigned to the authenticated user (customer vs. admin).

3. Activate the GlassFish default principal-to-role mapping, which maps a group to the role of the same name:

http://blogs.sun.com/monzillo/entry/principal_2_role_mapping_and


You could also explore the use of a SAM to do the authentication and group assignment logic. Refer to:
http://blogs.sun.com/monzillo/date/20080122
http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=328131