Security roles define an application function, made up of a number of users, groups, or both users and groups. The relationship between users and groups is determined by the specific realm implementation being used.
You can define roles in the Java EE deployment descriptor file, web.xml, and the corresponding role mappings in the Web Server deployment descriptor file, sun-web.xml. For more information about sun-web.xml, see Chapter 9, Deploying Web Applications.
Each security-role-mapping element in the sun-web.xml file maps a role name permitted by the web application to principals and groups. For example, a sun-web.xml file for a deployed web application might contain the following:
<sun-web-app> <security-role-mapping> <role-name>manager</role-name> <principal-name>jgarcia</principal-name> <principal-name>mwebster</principal-name> <group-name>team-leads</group-name> </security-role-mapping> <security-role-mapping> <role-name>administrator</role-name> <principal-name>dsmith</principal-name> </security-role-mapping> </sun-web-app>
For web applications, the roles are always specified in the sun-web.xml file. A role can be mapped to specific principals, to groups or both principals and groups. The principal or group names used must be valid principals or groups in the current realm.