users@glassfish.java.net

Server role mapping to web application

From: Adam Briffett <adam.briffett_at_gmail.com>
Date: Thu, 5 Nov 2009 11:41:38 +0000

Hi,

I have a question around mapping of server groups to a web application.

Our web application uses server groups for access control within
itself; we're using a simple file realm (AJB) to store our
authentication information. We would like to be able to create new
groups.

Creating the group is simple enough: simply add the group to the end
of the group listing for the users in question within the AJB file
realm in the admin console. However, in order for the web application
to be able to verify membership of that group (for example, a servlet
using request.isUserInRole()), am I correct in thinking that a mapping
for that group needs to be created in both web.xml and sun-web.xml?
Or, is there any way around this - we'd like to be able to create
these new groups programmatically, and if this is the case then
modifying the web.xml and sun-web.xml then redeploying is not really
an option.

I know in Tomcat you can just add a group to tomcat-users.xml; is
there any way of adding wildcards to the web.xml or sun-web.xml to
allow it to pick up anything added to the relevant realm
automatically?

Our web.xml for my sample web app (AuthTest) is below:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
   <description>cc</description>
   <display-name>AuthTest</display-name>
   <session-config>
       <session-timeout>
           30
       </session-timeout>
   </session-config>
   <welcome-file-list>
       <welcome-file>index.html</welcome-file>
   </welcome-file-list>
   <security-constraint>
       <display-name>AJBUser</display-name>
       <web-resource-collection>
           <web-resource-name>AJBUser</web-resource-name>
           <description>AJB Pages</description>
           <url-pattern>/index.html</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           <http-method>HEAD</http-method>
           <http-method>PUT</http-method>
           <http-method>OPTIONS</http-method>
           <http-method>TRACE</http-method>
           <http-method>DELETE</http-method>
       </web-resource-collection>
       <auth-constraint>
           <description></description>
           <role-name>AJBUser</role-name>
       </auth-constraint>
   </security-constraint>
   <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>AJB</realm-name>
   </login-config>
   <security-role>
       <description/>
       <role-name>AJBUser</role-name>
   </security-role>
</web-app>

Any help would be much appreciated.

Many thanks,

Adam
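
An offline check of the descriptor pair the message asks about, as an added example that is not part of the original post: it reports every role that lacks a `<security-role>` declaration in web.xml or a `<security-role-mapping>` to a group or principal in sun-web.xml. The sun-web.xml content, the group name and the helper names (`audit_roles`, `_names`) are constructed assumptions, and the check assumes the server's default principal-to-role mapping is off, so each role needs an explicit mapping.

```python
import xml.etree.ElementTree as ET

NS = {"jee": "http://java.sun.com/xml/ns/javaee"}  # web.xml 2.5 namespace

# Trimmed copy of the role-related parts of the web.xml in the message.
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <auth-constraint><role-name>AJBUser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>AJBUser</role-name></security-role>
</web-app>"""

# Constructed sun-web.xml (not in the message); group name assumed to match.
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>AJBUser</role-name>
    <group-name>AJBUser</group-name>
  </security-role-mapping>
</sun-web-app>"""

def _names(root, path, ns=None):
    """Collect the stripped, non-empty text of every element matching path."""
    return {e.text.strip() for e in root.findall(path, ns) if e.text and e.text.strip()}

def audit_roles(web_xml, sun_web_xml):
    """Return {role: [problems]}; an empty list means declared and mapped."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    declared = _names(web, "jee:security-role/jee:role-name", NS)
    required = _names(web, "jee:security-constraint/jee:auth-constraint/jee:role-name", NS)
    if "*" in required:  # Servlet 2.5: "*" stands for every declared role
        required = (required - {"*"}) | declared
    mapped = set()
    for m in sun.findall("security-role-mapping"):
        # A mapping only counts if it names at least one group or principal.
        if _names(m, "group-name") | _names(m, "principal-name"):
            mapped |= _names(m, "role-name")
    report = {}
    for role in sorted(required | declared | mapped):
        problems = []
        if role not in declared:
            problems.append("no <security-role> in web.xml")
        if role not in mapped:
            problems.append("no group or principal mapped in sun-web.xml")
        report[role] = problems
    return report

if __name__ == "__main__":
    for role, problems in audit_roles(WEB_XML, SUN_WEB_XML).items():
        print(role, "OK" if not problems else "; ".join(problems))
```

Run against the deployed descriptors after adding a group to the realm, it shows whether the new group's role is visible to the application or still needs a descriptor entry.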