users@glassfish.java.net

Re: JDBCRealm: Can I map users/groups to roles using database?

From: pitchphork <jfriesen_at_pitchphork.com>
Date: Sun, 4 Jan 2009 16:20:26 -0800 (PST)

glassfish-2 wrote:
>
> Our application has very fine grained security roles, there are lots of
> them! The customers using our application create users and assign them to
> groups. They also have the ability to create/modify groups and assign
> roles to them (there are 8 roles associated with the screens I just
> mentioned).
>

I'd like to add a voice to the original author's quandary. This is an issue
especially for application developers who intend to sell a shrink-wrapped
application to customers (in the form of an EAR or WAR or whatever) and the
customers should be able to deploy the archive on their J2EE engine, whether
it is JBoss or Glassfish or whatever. To illustrate:

Suppose my shrink-wrapped application (let's say an application for
managing bank accounts) has two roles:

  Teller (provides the ability to process deposits and withdrawals up to
$10000)
  Manager (process any sized deposit/withdrawal plus create/delete accounts)

Each of my customers (banks) should be able to deploy the application and
manage their users using whatever groups they see fit:

First Bank Of Smallville's strategy
  Group Peons ---> gets Role Teller
  Group CustomerService ---> gets Role Manager

First Bank of BigCity's strategy
  Group BangaloreCallCenter --> gets Role Teller
  Group CallCenterManager --> gets Role Manager
  Group EastCoastTellers --> gets Role Teller
  Group WestCoastTellers --> gets Role Teller
  Group BoardOfDirectors --> gets Role Manager
  etc

As I understand it, the only way to achieve this with Glassfish is for each
customer to open the EAR file and modify the sun-web.xml file before
deploying (hardly an agreeable proposition for commercial software). Other
J2EE engines (I am thinking of SAP NetWeaver but I'm sure there are others)
provide the administrator with a GUI for mapping users to groups at runtime.
I am new to Glassfish and really like it, but I was surprised that its
(excellent) GUI did not have this feature. It seems almost mandatory in
order to give the J2EE administrator and the application vendor a natural
way of dividing the responsibility of authorizing groups of users.



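An added example, not part of the original message or of GlassFish: a small audit of the group-to-role mappings in a `sun-web.xml` of the kind the post says each customer must edit, using the post's BigCity groups. The descriptor text is a constructed sample (DOCTYPE omitted), and the function names and the set of declared roles are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the mapping First Bank of BigCity would put in sun-web.xml.
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>Teller</role-name>
    <group-name>BangaloreCallCenter</group-name>
    <group-name>EastCoastTellers</group-name>
    <group-name>WestCoastTellers</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>Manager</role-name>
    <group-name>CallCenterManager</group-name>
    <group-name>BoardOfDirectors</group-name>
  </security-role-mapping>
</sun-web-app>"""

# Assumption: the roles the vendor declares in web.xml (taken from the post).
DECLARED_ROLES = {"Teller", "Manager"}

def role_map(xml_text):
    """Return {role: set of groups} from the security-role-mapping elements."""
    mapping = defaultdict(set)
    for m in ET.fromstring(xml_text).iter("security-role-mapping"):
        role = (m.findtext("role-name") or "").strip()
        for g in m.findall("group-name"):
            mapping[role].add((g.text or "").strip())
    return dict(mapping)

def audit(xml_text, declared_roles):
    """Flag mapping mistakes a customer can make when hand-editing the file."""
    mapping = role_map(xml_text)
    by_group = defaultdict(set)
    for role, groups in mapping.items():
        for g in groups:
            by_group[g].add(role)
    mapped = set(mapping)
    return {
        # Declared role with no group: nobody reaches it through group membership.
        "roles_without_group": sorted(declared_roles - mapped),
        # Mapped role the application never declares: typo or stale entry.
        "undeclared_roles": sorted(mapped - declared_roles),
        # Group holding more than one role: review for excess privilege.
        "multi_role_groups": sorted(g for g, r in by_group.items() if len(r) > 1),
    }

if __name__ == "__main__":
    print(audit(SUN_WEB_XML, DECLARED_ROLES))
```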