
@RolesAllowed X Groups and Roles

Anonymous

question: if I use @RolesAllowed instead of the old-fashioned groups and
roles declared in the web.xml and sun-web.xml files, do I still have the
"group concept"?

or is just enumerating the roles in the annotation already a groups mapping?

I am asking that because I am using the old-style xml files to
configure the security of my application, and every time I edit one of
those files I get myself thinking if I still need that ....

--
------------------------------------------
Felipe Gaúcho
10+ Java Programmer
CEJUG Senior Advisor

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

Kumar Jayanti

Felipe Gaúcho wrote:
> question: if I use @RolesAllowed instead of the old-fashioned groups and
> roles declared in the web.xml and sun-web.xml files, do I still have the
> "group concept"?
>
>
RolesAllowed is not supported on Servlets. Instead there is a new
ServletSecurity annotation:
http://www.java.net/blog/kumarjayanti/archive/2009/12/24/using-servletse....

> or is just enumerating the roles in the annotation already a groups mapping?
>
>
If you are using the default P2R concept then the roles declared are
already a groups mapping (the same-named group is mapped to the same-named
role); otherwise not.

regards,
kumar

> I am asking that because I am using the old-style xml files to
> configure the security of my application, and every time I edit one of
> those files I get myself thinking if I still need that ....
>
>


Felipe Gaúcho

> If you are using the default P2R concept then the roles declared are already
> a groups mapping (the same-named group is mapped to the same-named role);
> otherwise not.

ok, then I have just 1 role per group in case of using the
annotation... a bit weird but very handy in ordinary
cases (at least it saves the developer from two xml files)

thanks.. that is like what I was feeling... not flexible and not "pure"
conceptually, but very easy to maintain ...


Ron Monzillo

Felipe Gaúcho wrote:
>> If you are using the default P2R concept then the roles declared are already
>> a groups mapping (the same-named group is mapped to the same-named role);
>> otherwise not.
>>
>
> ok, then I have just 1 role per group in case of using the
> annotation... a bit weird but very handy in ordinary
> cases (at least it saves the developer from two xml files)
>
> thanks.. that is like what I was feeling... not flexible and not "pure"
> conceptually, but very easy to maintain ...
>
>
>
Felipe,

(Role-based) annotations in code and (role-based) security-constraints
in web.xml are analogous. In both cases, they are used to define the
(portable) role-based restrictions on access to the associated url-patterns.

Servlet 3.0 began by attempting to adopt the @RolesAllowed annotation
from JSR 250. In that process we learned that the target and inheritance
semantics of @RolesAllowed were a poor fit for the Servlet programming
model. With that knowledge, Servlet 3.0 defined the new @ServletSecurity
annotation as its means to define security constraints (including
role-based constraints) in code.

Independent of whether role-based restrictions are defined by annotation
or via web.xml, the constraints are enforced by determining if the caller
is in a permitted role. That determination is based on the
principal-2-role mapping in effect for the operational environment. In
GlassFish the p2r mapping may be defined by enumeration in sun-web.xml,
or by activating the default canonical mapping of same-named group to role.

You are correct that when the default p2r mapping is employed, group x is
mapped 1-to-1 to role x. In this configuration, the security administrator
would then be tasked with ensuring that the system users are assigned to
the groups corresponding to the roles for which the user is to be
authorized.

Ron

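The following is an added example, not code from this thread, from GlassFish or from the Servlet 3.0 reference implementation. It shows the two mechanisms the replies above compare: Kumar's pointer to @ServletSecurity as the servlet-side replacement for @RolesAllowed, and Ron's point that the annotation and a web.xml security-constraint are analogous and are both resolved through the same principal-to-role mapping (enumerated in sun-web.xml, or the default same-named-group-to-role mapping). The servlet class, the URL pattern /reports/*, the role names "manager" and "auditor" and the group name "finance-managers" are assumptions made for the illustration; the web.xml and sun-web.xml fragments are given in comments so the three pieces can be read side by side.

```java
// Added example (not from the thread or from GlassFish): a Servlet 3.0
// servlet secured with @ServletSecurity, plus the equivalent descriptor
// fragments in comments. Role/group names and the URL pattern are assumed.
package example.security;

import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declare the role names the application refers to, so the container knows
// them even when no web.xml lists them under <security-role>.
@DeclareRoles({"manager", "auditor"})
@WebServlet("/reports/*")
@ServletSecurity(
    // Default constraint for every HTTP method not listed below:
    // only "manager" may call, and only over a confidential (TLS) transport.
    value = @HttpConstraint(rolesAllowed = {"manager"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET (read-only) is additionally open to "auditor".
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = {"manager", "auditor"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has already enforced the
        // constraint above. isUserInRole() answers through the same
        // principal-to-role mapping, so it agrees with the annotation.
        boolean readOnly = !req.isUserInRole("manager");
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getUserPrincipal().getName()
                + " readOnly=" + readOnly);
    }
}

/*
 * Equivalent web.xml security-constraint for the GET case (Ron's point that
 * the annotation and the descriptor are analogous). A <login-config> in
 * web.xml still selects the authentication method; neither form above
 * chooses it.
 *
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>reports</web-resource-name>
 *     <url-pattern>/reports/*</url-pattern>
 *     <http-method>GET</http-method>
 *   </web-resource-collection>
 *   <auth-constraint>
 *     <role-name>manager</role-name>
 *     <role-name>auditor</role-name>
 *   </auth-constraint>
 *   <user-data-constraint>
 *     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *   </user-data-constraint>
 * </security-constraint>
 *
 * Explicit principal-to-role mapping in sun-web.xml (assumed group name).
 * Without this, and with GlassFish's default principal-to-role mapping
 * switched on, a realm group literally named "manager" is what grants the
 * "manager" role.
 *
 * <sun-web-app>
 *   <security-role-mapping>
 *     <role-name>manager</role-name>
 *     <group-name>finance-managers</group-name>
 *   </security-role-mapping>
 * </sun-web-app>
 */
```

The practical consequence of Ron's last paragraph is worth stating plainly: under the default mapping, the set of group names in the realm is the authorization policy. Creating a group whose name happens to match a declared role grants that role to its members with no change to the deployed application, so group administration in the realm should be reviewed with the same care as an edit to web.xml or sun-web.xml, and the annotated role names should be checked against the realm's group list at deployment time.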