Appendix B      Sample Scenarios for Role-to-Principal Mapping

This appendix provides sample scenarios for creating role-to-principal mappings in the following application servers:

• WebLogic 6.1 SP2
• WebSphere 4.0.4 AE
• Sun ONE Application Server 7.0

WebLogic 6.1 SP2

---

Declarative Security

Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role and method-permission element in the assembly-descriptor element of the ejb-jar.xml deployment descriptor.

---

<?xml version="1.0"?>

<!DOCTYPE ejb-jar PUBLIC

'-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN'

'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>

<ejb-jar>

...

<assembly-descriptor>

<security-role>

<role-name>FOO</role-name>

</security-role>

<method-permission>

<role-name>FOO</role-name>

<method>

<ejb-name>WebProxy</ejb-name>

<method-intf>Remote</method-intf>

<method-name>getWebPage</method-name>

<method-params>

<method-param>java.lang.String</method-param>

<method-param>java.lang.String</method-param>

</method-params>

</method>

</method-permission>

</assembly-descriptor>

</ejb-jar>

This security role FOO can be mapped to a real principal using the weblogic-ejb-jar.xml deployment descriptor.

---

<?xml version="1.0"?>

<!DOCTYPE weblogic-ejb-jar PUBLIC '-//BEA Systems, Inc.//DTD WebLogic 6.0.0 EJB//EN'     'http://www.bea

.com/servers/wls6000/dtd/weblogic-ejb-jar.dtd'>

<weblogic-ejb-jar>

<weblogic-enterprise-bean>

<ejb-name>WebProxy</ejb-name>

<jndi-name>ejb.WebProxy</jndi-name>

</weblogic-enterprise-bean>

<security-role-assignment>

<role-name>FOO</role-name>

<principal-name>amAdmin</principal-name>

</security-role-assignment>

</weblogic-ejb-jar>

Programmatic Security

Consider a sample application in which one of the Servlets uses the programmatic security API such as HttpServletRequest.isUserInRole(String). Assuming that the role name used within the Servlet code is SAMPLE-ROLE, its deployment descriptor.

---

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.c

om/dtd/web-app_2_3.dtd">

<web-app>

<display-name>Sample Security Aware application</display-name>

<filter>

<filter-name>Agent</filter-name>

<display-name>Agent</display-name>

<description>Identity Server Policy Agent for WebLogic Server 6.1</description>

<filter-class>

com.iplanet.amagent.weblogic.filter.AgentFilter

</filter-class>

</filter>

<filter-mapping>

<filter-name>Agent</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

<servlet>

<servlet-name>SampleServlet</servlet-name>

<servlet-class>

com.iplanet.sample.SampleServlet

</servlet-class>

<security-role-ref>

<description>

This role is a sample test role for the

security aware servlet

</description>

<role-name>SAMPLE-ROLE</role-name>

<role-link>SAMPLE-ROLE-LINK</role-link>

</security-role-ref>

</servlet>

<servlet-mapping>

<servlet-name>SampleServlet</servlet-name>

<url-pattern>/Test</url-pattern>

</servlet-mapping>

<security-role>

<description>Some description</description>

<role-name>SAMPLE-ROLE-LINK</role-name>

</security-role>

</web-app>

The SAMPLE-ROLE-LINK is mapped to an actual principal using the weblogic.xml deployment descriptor.

<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 6.1//EN" "http://www.be

a.com/servers/wls610/dtd/weblogic-web-jar.dtd">

<weblogic-web-app>

<security-role-assignment>

<role-name>SAMPLE-ROLE-LINK</role-name>

<principal-name>Employee</principal-name>

</security-role-assignment>

</weblogic-web-app>

WebSphere 4.0.4 AE

---

Web Authorization

1. In web.xml, there is an element security-constraint which is used to define constraints placed on various parts of this web application.

   ?xml version="1.0" encoding="UTF-8"?>

   <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"

   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

   <web-app id="WebApp_1">

   <display-name>Test Application</display-name>

   <description>A Web Application for Testing Various Test Cases for WebSphere Agent</description>

   ..............

   ...........

   <servlet id="Servlet_10">

   <servlet-name>ProtectedServlet</servlet-name>

   <display-name>ProtectedServlet</display-name>

   <description>A Protected servlet that accesses an unprotected EJB</description>

   <servlet-class>com.agent.servlet.ProtectedServlet</ser vlet-class>

   </servlet>

   <servlet-mapping id="ServletMapping_10">

   <servlet-name>ProtectedServlet</servlet-name>

   <url-pattern>/ProtectedServlet</url-pattern>

   </servlet-mapping>

   <security-constraint id="SecurityConstraint_2">

   <web-resource-collection id="WebResourceCollection_2">

   <web-resource-name>Protected</web-resource-name>

   <url-pattern>/ProtectedServlet</url-pattern>

   <http-method>GET</http-method>

   <http-method>POST</http-method>

   </web-resource-collection>

   <auth-constraint id="AuthConstraint_2">

   <description>Protected-tc4:+:</description>

   <role-name>Protected-tc3</role-name>

   </auth-constraint>

   <user-data-constraint id="UserDataConstraint_2">

   <transport-guarantee>NONE</transport-guarantee>

   </user-data-constraint>

   </security-constraint>

   <security-role id="SecurityRole_5">

   <role-name>Protected-tc3</role-name>

   </security-role>

   ................

   ........

   </web-app>

2. In the ibm-application-bnd.xmi file, define role mappings for the role Protected-tc3 as:

   <applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi= "http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi"

   xmlns:application="application.xmi" xmlns:common="common.xmi"

   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmi:id= "Application_ID_Bnd">

   <appName xsi:nil="true"/>

   <application href="META-INF/application.xml#Application_ID"/>

   <authorizationTable xmi:id="AuthorizationTable_1">

   ............

   .........

   <authorizations xmi:id="RoleAssignment_4">

   <role href="META-INF/application.xml#SecurityRole_5"/>

   <users xmi:id="User_1" name="amAdmin"/>

   <groups xmi:id="Group_4" name="manager"/>

   </authorizations>

   ..........

   .........

   </authorizationTable>

   <runAsMap xmi:id="RunAsMap_1"/>

   </applicationbnd:ApplicationBinding>

EJB Authorization

Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role and method-permission element in the assembly-descriptor element of the ejb-jar.xml deployment descriptor.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN"

"http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd">

<ejb-jar id="ejb-jar_ID">

<enterprise-beans>

.............

.........

<session id="Session_3">

<ejb-name>ProtectedEJB</ejb-name>

<home>com.agent.ejb.ProtectedEJBHome</home>

<remote>com.agent.ejb.ProtectedEJB</remote>

<ejb-class>com.agent.ejb.ProtectedEJBImpl</ejb-class >

<session-type>Stateless</session-type>

<transaction-type>Container</transaction-type>

</session>

............

........

</enterprise-beans>

<assembly-descriptor id="AssemblyDescriptor_ID">

...........

........

<security-role id="SecurityRole_4">

<role-name>Protected-tc2</role-name>

</security-role>

..........

.......

<method-permission id="MethodPermission_2">

<description>tc2:+:</description>

<role-name>Protected-tc2</role-name>

<method id="MethodElement_2">

<ejb-name>ProtectedEJB</ejb-name>

<method-intf>Remote</method-intf>

<method-name>protectedMethod</method-name>

<method-params></method-params>

</method>

</method-permission>

.........

....

</assembly-descriptor>

</ejb-jar>

3. In the ibm-application-bnd.xmi file, define role mappings for the role Protected-tc2:

   <applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi"

   xmlns:application="application.xmi" xmlns:common="common.xmi"

   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmi:id="Application_ID_Bnd">

   <appName xsi:nil="true"/>

   <application href="META-INF/application.xml#Application_ID"/>

   <authorizationTable xmi:id="AuthorizationTable_1">

   ............

   .........

   <authorizations xmi:id="RoleAssignment_3">

   <role href="META-INF/application.xml#SecurityRole_4"/>

   <groups xmi:id="Group_2" name="manager"/>

   <groups xmi:id="Group_3" name="employee"/>

   </authorizations>

   ..........

   .........

   </authorizationTable>

   <runAsMap xmi:id="RunAsMap_1"/>

   </applicationbnd:ApplicationBinding>

Sun ONE Application Server 7.0

---

Declarative Security

Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role and method-permission element in the assembly-descriptor element of the ejb-jar.xml deployment descriptor.

<?xml version="1.0"?>

<!DOCTYPE ejb-jar PUBLIC-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN'

'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>

<ejb-jar>

...

<assembly-descriptor>

<security-role>

<role-name>staffRole</role-name>

</security-role>

<method-permission>

<role-name>staffRole</role-name>

<method>

<ejb-name>ConverterEJB</ejb-name>

<method-name>dollarToYen</method-name>

</method>

</method-permission>

</assembly-descriptor>

...

</ejb-jar>

This security role staffRole can then be mapped to a real principal in sun-application.xml.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 J2EE Application 1.3//EN'

'http://www.sun.com/software/sunone/appserver/dtds/sun-applicati on_1_3-0.dtd'>

<sun-application>

<security-role-mapping>

<role-name>staffRole</role-name>

<group-name>staff</group-name>

<principal-name>amAdmin</principal-name>

</security-role-mapping>

</sun-application>

---

Note	For stand-alone ejb modules there is no sun-application.xml, in that case this data goes into sun-ejb-jar.xml.

---

Programmatic Security

Consider a sample application in which one of the Servlets uses the programmatic security API such as HttpServletRequest.isUserInRole(String). Assuming that the role name used within the Servlet code is SAMPLE-ROLE, its deployment descriptor.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>

<web-app>

...

<servlet>

<servlet-name>ProtectedServlet</servlet-name>

<servlet-class>

com.sun.sample.ProtectedServlet

</servlet-class>

<security-role-ref>

<description>

This role is a sample test role for the

security aware servlet

</description>

<role-name>SAMPLE-ROLE</role-name>

<role-link>SAMPLE-ROLE-LINK</role-link>

</security-role-ref>

</servlet>

<servlet-mapping>

<servlet-name>ProtectedServlet</servlet-name>

<url-pattern>/ProtectedServlet</url-pattern>

</servlet-mapping>

...

<security-constraint>

<web-resource-collection>

<web-resource-name>basic secuity test</web-resource-name>

<url-pattern>/ProtectedServlet</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>SAMPLE-ROLE-LINK</role-name>

</auth-constraint>

</security-constraint>

...

<security-role>

<description>Some description</description>

<role-name>SAMPLE-ROLE-LINK</role-name>

</security-role>

...

</web-app>

In the sun-application.xml file, define role mappings as:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 J2EE Application 1.3//EN'

'http://www.sun.com/software/sunone/appserver/dtds/sun-applicati on_1_3-0.dtd'>

<sun-application>

<security-role-mapping>

<role-name>SAMPLE-ROLE-LINK</role-name>

<group-name>staff</group-name>

<principal-name>amAdmin</principal-name>

</security-role-mapping>

</sun-application>