users@glassfish.java.net

Re: How are Principals, Groups and Roles related?

From: <glassfish_at_javadesktop.org>
Date: Tue, 03 Mar 2009 18:00:54 PST

Simply put, the JEE Security model is quite simple. You have Users(Principals) and Roles.

In the web.xml, you specify access via Roles.

In sun-web.xml, you map realm Groups and Principals to Roles.

Users are mapped to Groups using your back end Realm implementation (for the file realm, you simply have a list of groups the User is in).

For example, you may have a CanAccessPayroll Role. Anyone in the Payroll Role can see the Payroll pages in your app.

So, you place all of your Payroll Department users in the Payroll Group, and tie the Payroll Group to the CanAccessPayroll Role.

When determining if someone can see a Payroll page, you would make a query to the proper context (in this case the SecurityContext) using isUserInRole("CanAccessPayroll").

Now, Top Management wants to be able to access the Payroll data as well. So, you have two options. You can add all of the Top Management people to the Payroll Group, or you can add the Top Management group to the CanAccessPayroll role in the sun-web.xml.

Finally, you're a developer trying to fix a problem with the payroll code. Not wanting to really play with all of the groups and what not, you tweak the sun-web.xml to add your login id (as a principal) to the CanAccessPayroll Role. Now for the duration you can access the payroll pages in your development app. (Likely there will be repercussions if you leave that little hole in the security on the production deployment.)

As a developer, you can't get a list of folks in a Role, nor a list of Roles for a user. You can simply make the query via isUserInRole. (You could always iterate across a list of roles, etc. if you had to).

The reason is simply because the isUserInRole assertion is adequate for the task but doesn't define implementation. While most systems use a list of roles or groups, or whatever associated with a user, not all do. There can be some exceptions (like a time window for example, you can only access Payroll between 9am and 5pm, say). That's up to the actual implementation, which isn't exposed to you as a developer beyond isUserInRole.
[Message sent by forum member 'whartung' (whartung)]

http://forums.java.net/jive/thread.jspa?messageID=334958
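To make the three layers in the post concrete, here is an added example that is not part of the original thread and not GlassFish's own code: the web.xml constraint that guards the payroll pages by Role only, the sun-web.xml mapping that ties the Payroll Group, a management Group and one developer Principal to that Role, and a servlet that makes the isUserInRole query. The URL pattern, the group names Payroll and TopManagement, the principal name jdoe, the BASIC auth method and the servlet class name are all assumptions for the example; only the role name CanAccessPayroll comes from the post.

```java
// Assumed deployment descriptors for this example (not from the original post).
//
// WEB-INF/web.xml -- access is declared purely in terms of Roles:
//
//   <servlet>
//     <servlet-name>payroll</servlet-name>
//     <servlet-class>PayrollServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>payroll</servlet-name>
//     <url-pattern>/payroll/report</url-pattern>
//   </servlet-mapping>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Payroll pages</web-resource-name>
//       <url-pattern>/payroll/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>CanAccessPayroll</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>   <!-- assumed; FORM works the same way -->
//     <realm-name>file</realm-name>
//   </login-config>
//   <security-role>
//     <role-name>CanAccessPayroll</role-name>
//   </security-role>
//
// WEB-INF/sun-web.xml -- realm Groups and Principals are mapped onto that Role.
// Users are placed into Groups by the realm itself (for the file realm, the
// group list stored with each user), so nothing here names an ordinary user.
//
//   <security-role-mapping>
//     <role-name>CanAccessPayroll</role-name>
//     <group-name>Payroll</group-name>        <!-- the Payroll Department -->
//     <group-name>TopManagement</group-name>  <!-- second option from the post: map the group, not its members -->
//     <principal-name>jdoe</principal-name>   <!-- one developer's login; a hole if it ships to production -->
//   </security-role-mapping>

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PayrollServlet extends HttpServlet {
    // The only name the application code ever deals with is the Role.
    static final String PAYROLL_ROLE = "CanAccessPayroll";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced the <security-constraint> on
        // /payroll/*, so an unauthenticated caller or one outside the role
        // never reaches this method. The programmatic check is the in-code
        // form of the same question: it asks the container "is this caller
        // in the role?" and learns nothing about how that was decided
        // (group membership, a principal mapping, a time window, ...).
        if (!req.isUserInRole(PAYROLL_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // getUserPrincipal() is the authenticated user; it is null for an
        // unauthenticated request, which isUserInRole already rejected above.
        Principal user = req.getUserPrincipal();
        String who = (user == null) ? "anonymous" : user.getName();

        resp.setContentType("text/plain");
        resp.getWriter().println("Payroll report requested by " + who);
    }
}
```

With these descriptors, a user in the Payroll group, a user in TopManagement, and the principal jdoe all get a 200 from /payroll/report; everyone else is stopped by the container before doGet runs, and the isUserInRole check inside the method guards against the constraint being loosened or the servlet being mapped under another path later. Note that the servlet never sees the group list or the list of roles, exactly as the post says: the realm and the sun-web.xml mapping stay behind the isUserInRole boundary.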