Sun Java System Web Server 6.1 SP12 Programmer's Guide to Web Applications

User Authorization by Servlets

Servlets can be configured to only permit access to users with the appropriate authorization level. This section covers the following topics:

Defining Roles

Security roles define an application function, made up of a number of users, groups, or both. The relationship between users and groups is determined by the specific realm implementation being used.

You define roles in the J2SE deployment descriptor file,web.xml, and the corresponding role mappings in the Sun Java System Web Server deployment descriptor file, sun-web.xml. For more information about sun-web.xml, see Chapter 7, Deploying Web Applications

Each security-role-mapping element in the sun-web.xml file maps a role name permitted by the web application to principals and groups. For example, a sun-web.xml file for a deployed web application might contain the following:


     <sun-web-app>
        <security-role-mapping>
           <role-name>manager</role-name>
           <principal-name>jgarcia</principal-name>
           <principal-name>mwebster</principal-name>
           <group-name>team-leads</group-name>
        </security-role-mapping>
        <security-role-mapping>
           <role-name>administrator</role-name>
           <principal-name>dsmith</principal-name>
        </security-role-mapping>
     </sun-web-app>

         

Note that the role-name in this example must match the role-name in the security-role element of the corresponding web.xml file.

For web applications, the roles are always specified in the sun-web.xml file. A role can be mapped to either specific principals or to groups (or both). The principal or group names used must be valid principals or groups in the current realm.

Defining Servlet Authorization Constraints

On the servlet level, you define access permissions using the auth-constraint element of the web.xml file.

The auth-constraint element on the resource collection must be used to indicate the user roles permitted to the resource collection. Refer to the Java Servlet specification for details on configuring servlet authorization constraints.