users@glassfish.java.net

Re: _at_RolesAllowed X Groups and Roles

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Tue, 19 Jan 2010 16:13:58 -0500

Felipe Gaúcho wrote:
>> If you are using the default P2R concept then the roles declared is already
>> a groups mapping (same named group is mapped to same named role) not
>> otherwise.
>>
>
> ok, then I have just 1 role per group.. in case of using the
> annotation........... a bit weird but very handy in case of ordinary
> cases (at least it saves the developer from two xml files)
>
> thanks.. that is what I was feeling... not flexible and not "pure"
> conceptually, but very easy to maintain ...
>
Felipe,

(role-based) Annotations in code and (role-based) security-constraints in
web.xml are analogous. In both cases, they are used to define the (portable)
role-based restrictions on access to the associated url-patterns.

Servlet 3.0 began by attempting to adopt the @RolesAllowed annotation from
JSR 250. In that process we learned that the target and inheritance semantics
of @RolesAllowed were a poor fit for the Servlet programming model. With that
knowledge, Servlet 3.0 defined the new @ServletSecurity annotation as its
means to define security constraints (including role-based constraints) in
code.

Independent of whether role-based restrictions are defined by annotation or
via web.xml, the constraints are enforced by determining if the caller is in
a permitted role. That determination is based on the principal-2-role mapping
in effect for the operational environment. In Glassfish the p2r mapping may be
defined by enumeration in sun-web.xml, or by activating the default canonical
mapping of same named group to role.

You are correct that when the default p2r mapping is employed, group x is
mapped 1-to-1 to role x. In this configuration, the security administrator
would then be tasked with ensuring that the system users are assigned to the
groups corresponding to the roles for which the user is to be authorized.

Ron
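The two halves of Ron's reply, a role-based constraint declared in code with
@ServletSecurity and the principal-to-role mapping that decides who satisfies
it, as an added worked example that is not part of the original thread and not
GlassFish's own code. The servlet class, the url-pattern, the role names
"admin" and "auditor", the group name "administrators" and the user "alice"
are all assumptions chosen for illustration; the web.xml, sun-web.xml and
asadmin fragments in the comments are the equivalents I would pair with it.

```java
// Added example: a Servlet 3.0 servlet whose access rules are declared in
// code with @ServletSecurity (the annotation Servlet 3.0 adopted instead of
// JSR 250's @RolesAllowed). Class name, paths, roles and groups are assumed.
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declaring the roles makes them known to the container (and to the
// deployer) exactly as <security-role> entries in web.xml would.
@DeclareRoles({"admin", "auditor"})
@WebServlet("/admin/*")
@ServletSecurity(
    // Default for every HTTP method not listed below: only "admin".
    value = @HttpConstraint(rolesAllowed = {"admin"}),
    httpMethodConstraints = {
        // Read-only access is widened to auditors.
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"admin", "auditor"}),
        // No roles plus DENY closes the method for everyone; without DENY an
        // empty rolesAllowed would mean "permit all", which is the usual
        // mistake when translating from web.xml.
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class AdminServlet extends HttpServlet {

    // The annotation above is equivalent to this portable web.xml fragment.
    // Note that if web.xml itself carries a <security-constraint> for the
    // exact url-pattern /admin/*, the descriptor wins and the annotation is
    // ignored for that pattern (Servlet 3.0, section 13.4.1).
    //
    //   <security-constraint>
    //     <web-resource-collection>
    //       <web-resource-name>admin</web-resource-name>
    //       <url-pattern>/admin/*</url-pattern>
    //       <http-method>GET</http-method>
    //     </web-resource-collection>
    //     <auth-constraint>
    //       <role-name>admin</role-name>
    //       <role-name>auditor</role-name>
    //     </auth-constraint>
    //   </security-constraint>
    //
    // Either form only names roles. Which callers are in those roles comes
    // from the p2r mapping. Enumerated in sun-web.xml (assumed names):
    //
    //   <sun-web-app>
    //     <security-role-mapping>
    //       <role-name>admin</role-name>
    //       <group-name>administrators</group-name>
    //       <principal-name>alice</principal-name>
    //     </security-role-mapping>
    //     <security-role-mapping>
    //       <role-name>auditor</role-name>
    //       <group-name>auditor</group-name>
    //     </security-role-mapping>
    //   </sun-web-app>
    //
    // Or, with the default canonical mapping switched on for the domain,
    // no sun-web.xml entry is needed and group "admin" is role "admin":
    //
    //   asadmin set server-config.security-service.activate-default-principal-to-role-mapping=true
    //
    // (attribute name as I recall it for GlassFish v3; verify against your
    // domain.xml). In that mode the administrator must put users into
    // groups that are literally named after the roles.

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time we get here the container has already enforced the
        // constraint. isUserInRole() is evaluated against the same p2r
        // mapping, so it is the right call for finer-grained decisions.
        boolean privileged = req.isUserInRole("admin");
        resp.setContentType("text/plain");
        resp.getWriter().printf("user=%s admin=%b%n",
                req.getUserPrincipal().getName(), privileged);
    }
}
```

The point to check when deploying either form: list the roles the application
names, then confirm that each has a mapping (enumerated or canonical) in the
target domain. A role with no mapping is not an error at deployment time; it
simply matches no caller, which is safe for an auth-constraint but surprising
when the missing mapping is the one that should have admitted the
administrators.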