Appendix C
Sample Scenarios for Role-to-Principal Mapping
This appendix provides sample scenarios for creating role-to-principal mappings, that is, for binding the logical security roles named in a J2EE deployment descriptor to the users and groups that the application server's security realm actually authenticates. Topics include:
WebLogic 6.1 SP2 Application Server
Declarative Security
Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role element and a method-permission element to the assembly-descriptor element of the ejb-jar.xml deployment descriptor. Only the methods explicitly listed in a method-permission are covered by it, so every method that must be protected has to appear in one.
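<?xml version="1.0"?>

<!DOCTYPE ejb-jar PUBLIC
  '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN'
  'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>

<ejb-jar>
  ...
  <assembly-descriptor>
    <!-- Declares the logical role that the method-permission below refers to. -->
    <security-role>
      <role-name>FOO</role-name>
    </security-role>

    <!-- Only callers whose principal is mapped to FOO may invoke the method
         listed here. The entry is narrowed to one exact signature: the
         Remote-interface getWebPage(String, String). Any other overload of
         getWebPage, the Home interface, and every other method of WebProxy
         is NOT covered by this permission; add further method elements (or
         a broader one without method-params) for anything else that must be
         protected. -->
    <method-permission>
      <role-name>FOO</role-name>
      <method>
        <ejb-name>WebProxy</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getWebPage</method-name>
        <method-params>
          <method-param>java.lang.String</method-param>
          <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>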
This security role FOO can be mapped to a real principal using the weblogic-ejb-jar.xml deployment descriptor.
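<?xml version="1.0"?>

<!DOCTYPE weblogic-ejb-jar PUBLIC
  '-//BEA Systems, Inc.//DTD WebLogic 6.0.0 EJB//EN'
  'http://www.bea.com/servers/wls6000/dtd/weblogic-ejb-jar.dtd'>

<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>WebProxy</ejb-name>
    <jndi-name>ejb.WebProxy</jndi-name>
  </weblogic-enterprise-bean>

  <!-- Binds the logical role FOO (declared in ejb-jar.xml) to a principal
       known to the WebLogic security realm. The sample maps it to amAdmin,
       which is an administrative identity; in a real deployment map the role
       to a dedicated user or group that holds only the privileges the bean
       needs rather than to an administrator account. The principal name
       must exist in the realm the server is configured with. -->
  <security-role-assignment>
    <role-name>FOO</role-name>
    <principal-name>amAdmin</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>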
Programmatic Security
Consider a sample application in which one of the servlets uses a programmatic security API such as HttpServletRequest.isUserInRole(String). Assuming that the role name used within the servlet code is SAMPLE-ROLE, its web.xml deployment descriptor would look like the following. The security-role-ref element links the name used in code (SAMPLE-ROLE) to the declared security role (SAMPLE-ROLE-LINK), which is then mapped to a principal in weblogic.xml.
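<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>Sample Security Aware application</display-name>

  <!-- The Identity Server policy agent is installed as a servlet filter and
       mapped to /* below, so every request to this web application passes
       through it. Narrowing the url-pattern would leave the excluded URLs
       without agent enforcement. -->
  <filter>
    <filter-name>Agent</filter-name>
    <display-name>Agent</display-name>
    <description>Identity Server Policy Agent for WebLogic Server 6.1</description>
    <filter-class>com.iplanet.amagent.weblogic.filter.AgentFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <servlet>
    <servlet-name>SampleServlet</servlet-name>
    <servlet-class>com.iplanet.sample.SampleServlet</servlet-class>
    <!-- isUserInRole("SAMPLE-ROLE") in the servlet code is resolved through
         this reference: the coded name SAMPLE-ROLE is linked to the declared
         security role SAMPLE-ROLE-LINK, which weblogic.xml maps to a
         principal. -->
    <security-role-ref>
      <description>
        This role is a sample test role for the
        security aware servlet
      </description>
      <role-name>SAMPLE-ROLE</role-name>
      <role-link>SAMPLE-ROLE-LINK</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>SampleServlet</servlet-name>
    <url-pattern>/Test</url-pattern>
  </servlet-mapping>

  <!-- Note that no security-constraint is declared in this descriptor, so
       the container itself does not require authentication for /Test; the
       identity that isUserInRole() is evaluated against presumably comes
       from the agent filter (confirm with the agent documentation). Add a
       security-constraint if the container must refuse anonymous requests
       on its own. -->
  <security-role>
    <description>Some description</description>
    <role-name>SAMPLE-ROLE-LINK</role-name>
  </security-role>
</web-app>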
The declared role SAMPLE-ROLE-LINK is mapped to an actual principal in the weblogic.xml deployment descriptor.
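<!DOCTYPE weblogic-web-app PUBLIC
  "-//BEA Systems, Inc.//DTD Web Application 6.1//EN"
  "http://www.bea.com/servers/wls610/dtd/weblogic-web-jar.dtd">

<weblogic-web-app>
  <!-- Maps the declared role SAMPLE-ROLE-LINK to the principal Employee.
       The principal (a user or a group) must exist in the WebLogic security
       realm the application is deployed to; check the realm rather than
       assuming the name resolves. -->
  <security-role-assignment>
    <role-name>SAMPLE-ROLE-LINK</role-name>
    <principal-name>Employee</principal-name>
  </security-role-assignment>
</weblogic-web-app>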
WebSphere 4.0.3 AE Application Server
Web Authorization
In web.xml, the security-constraint element defines the access constraints placed on parts of the web application: which URL patterns (and, optionally, which HTTP methods) are protected, which roles may access them, and what transport guarantee is required.
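<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app id="WebApp_1">
  <display-name>Test Application</display-name>
  <description>A Web Application for Testing Various Test Cases
    for WebSphere Agent</description>
  ..............
  ...........
  <servlet id="Servlet_10">
    <servlet-name>ProtectedServlet</servlet-name>
    <display-name>ProtectedServlet</display-name>
    <description>A Protected servlet that accesses an
      unprotected EJB</description>
    <servlet-class>com.agent.servlet.ProtectedServlet</servlet-class>
  </servlet>

  <servlet-mapping id="ServletMapping_10">
    <servlet-name>ProtectedServlet</servlet-name>
    <url-pattern>/ProtectedServlet</url-pattern>
  </servlet-mapping>

  <!-- Restricts /ProtectedServlet to callers in role Protected-tc3. Because
       http-method elements are listed, the constraint applies ONLY to GET
       and POST: a request using any other method (HEAD, PUT, DELETE,
       OPTIONS, TRACE, ...) is not subject to this auth-constraint and
       reaches the servlet without the container demanding authentication.
       HEAD in particular is served by doGet() in a default HttpServlet.
       Omit the http-method elements so the constraint covers every method,
       unless the agent filter is relied on to block them. -->
  <security-constraint id="SecurityConstraint_2">
    <web-resource-collection id="WebResourceCollection_2">
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/ProtectedServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_2">
      <description>Protected-tc4:+:</description>
      <role-name>Protected-tc3</role-name>
    </auth-constraint>
    <!-- NONE lets credentials and session cookies for this URL travel over
         plain HTTP. Use CONFIDENTIAL so the container insists on HTTPS for
         anything beyond a test deployment. -->
    <user-data-constraint id="UserDataConstraint_2">
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role id="SecurityRole_5">
    <role-name>Protected-tc3</role-name>
  </security-role>
  ................
  ........
</web-app>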
In the ibm-application-bnd.xmi file, define role mappings for the role Protected-tc3 as:
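<applicationbnd:ApplicationBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi"
    xmlns:application="application.xmi"
    xmlns:common="common.xmi"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmi:id="Application_ID_Bnd">

  <appName xsi:nil="true"/>
  <application href="META-INF/application.xml#Application_ID"/>

  <authorizationTable xmi:id="AuthorizationTable_1">
    ............
    .........
    <!-- Grants role Protected-tc3 (SecurityRole_5, referenced through the
         EAR's application.xml) to the user amAdmin and to every member of
         the group manager. Both names presumably have to exist in the user
         registry WebSphere is configured with. amAdmin is an administrative
         identity; outside a test scenario grant the role to a
         least-privilege user or group instead. -->
    <authorizations xmi:id="RoleAssignment_4">
      <role href="META-INF/application.xml#SecurityRole_5"/>
      <users xmi:id="User_1" name="amAdmin"/>
      <groups xmi:id="Group_4" name="manager"/>
    </authorizations>
    ..........
    .........
  </authorizationTable>

  <!-- Empty: no run-as identity is assigned to any role. -->
  <runAsMap xmi:id="RunAsMap_1"/>
</applicationbnd:ApplicationBinding>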
EJB Authorization
Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role element and a method-permission element to the assembly-descriptor element of the ejb-jar.xml deployment descriptor. Only the methods explicitly listed in a method-permission are covered by it.
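<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN"
  "http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd">

<ejb-jar id="ejb-jar_ID">
  <enterprise-beans>
    .............
    .........
    <session id="Session_3">
      <ejb-name>ProtectedEJB</ejb-name>
      <home>com.agent.ejb.ProtectedEJBHome</home>
      <remote>com.agent.ejb.ProtectedEJB</remote>
      <ejb-class>com.agent.ejb.ProtectedEJBImpl</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
    ............
    ........
  </enterprise-beans>

  <assembly-descriptor id="AssemblyDescriptor_ID">
    ...........
    ........
    <security-role id="SecurityRole_4">
      <role-name>Protected-tc2</role-name>
    </security-role>
    ..........
    .......
    <!-- Only role Protected-tc2 may call protectedMethod on the Remote
         interface. The empty method-params element is deliberate: it selects
         the zero-argument overload only, whereas omitting method-params
         altogether would match every overload of that name. Other methods of
         ProtectedEJB are not covered by this permission; whether the
         container treats such unlisted methods as open or as denied depends
         on its defaults, so list every method that must be protected. -->
    <method-permission id="MethodPermission_2">
      <description>tc2:+:</description>
      <role-name>Protected-tc2</role-name>
      <method id="MethodElement_2">
        <ejb-name>ProtectedEJB</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>protectedMethod</method-name>
        <method-params></method-params>
      </method>
    </method-permission>
    .........
    ....
  </assembly-descriptor>
</ejb-jar>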
In the ibm-application-bnd.xmi file, define role mappings for the role Protected-tc2:
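<applicationbnd:ApplicationBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi"
    xmlns:application="application.xmi"
    xmlns:common="common.xmi"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmi:id="Application_ID_Bnd">

  <appName xsi:nil="true"/>
  <application href="META-INF/application.xml#Application_ID"/>

  <authorizationTable xmi:id="AuthorizationTable_1">
    ............
    .........
    <!-- Grants role Protected-tc2 (SecurityRole_4, referenced through the
         EAR's application.xml) to every member of the groups manager and
         employee. No individual user is listed here, which is the preferable
         shape: membership is managed in the user registry rather than in the
         binding file. Both group names presumably have to exist in the
         registry WebSphere is configured with. -->
    <authorizations xmi:id="RoleAssignment_3">
      <role href="META-INF/application.xml#SecurityRole_4"/>
      <groups xmi:id="Group_2" name="manager"/>
      <groups xmi:id="Group_3" name="employee"/>
    </authorizations>
    ..........
    .........
  </authorizationTable>

  <!-- Empty: no run-as identity is assigned to any role. -->
  <runAsMap xmi:id="RunAsMap_1"/>
</applicationbnd:ApplicationBinding>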
Sun ONE Application Server 7.0
Declarative Security
Consider an Enterprise JavaBeans component that must have protected access for one of its methods. This can be enforced by adding a security-role element and a method-permission element to the assembly-descriptor element of the ejb-jar.xml deployment descriptor. Only the methods explicitly listed in a method-permission are covered by it.
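<?xml version="1.0"?>

<!DOCTYPE ejb-jar PUBLIC
  '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN'
  'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>

<ejb-jar>
  ...
  <assembly-descriptor>
    <security-role>
      <role-name>staffRole</role-name>
    </security-role>

    <!-- Restricts dollarToYen on ConverterEJB to role staffRole. No
         method-intf and no method-params are given, so this single entry
         covers every overload of dollarToYen on both the Home and Remote
         interfaces (contrast the WebLogic sample earlier in this appendix,
         which pins one exact signature). Other methods of ConverterEJB are
         not covered by this permission. -->
    <method-permission>
      <role-name>staffRole</role-name>
      <method>
        <ejb-name>ConverterEJB</ejb-name>
        <method-name>dollarToYen</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
  ...
</ejb-jar>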
This security role staffRole can then be mapped to a real principal in sun-application.xml.
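<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE sun-application PUBLIC
  '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 J2EE Application 1.3//EN'
  'http://www.sun.com/software/sunone/appserver/dtds/sun-application_1_3-0.dtd'>

<sun-application>
  <!-- Maps staffRole to two kinds of principal at once: every member of the
       directory group cn=staff,o=sun.com,o=isp, plus the individual user
       amAdmin. The group DN must match the realm's directory exactly.
       amAdmin is an administrative identity and is presumably listed only
       for the sample; in a real deployment drop it and rely on the group. -->
  <security-role-mapping>
    <role-name>staffRole</role-name>
    <group-name>cn=staff,o=sun.com,o=isp</group-name>
    <principal-name>amAdmin</principal-name>
  </security-role-mapping>
</sun-application>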
Note
|
For stand-alone EJB modules there is no sun-application.xml; in that case the security-role-mapping goes into sun-ejb-jar.xml instead.
|
Programmatic Security
Consider a sample application in which one of the servlets uses a programmatic security API such as HttpServletRequest.isUserInRole(String). Assuming that the role name used within the servlet code is SAMPLE-ROLE, its web.xml deployment descriptor would look like the following. The security-role-ref element links the name used in code (SAMPLE-ROLE) to the declared security role (SAMPLE-ROLE-LINK), which is then mapped to principals in sun-application.xml.
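<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE web-app PUBLIC
  '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN'
  'http://java.sun.com/dtd/web-app_2_3.dtd'>

<web-app>
  ...
  <servlet>
    <servlet-name>ProtectedServlet</servlet-name>
    <servlet-class>com.sun.sample.ProtectedServlet</servlet-class>
    <!-- isUserInRole("SAMPLE-ROLE") in the servlet code is resolved through
         this reference to the declared role SAMPLE-ROLE-LINK, which
         sun-application.xml maps to real principals. -->
    <security-role-ref>
      <description>
        This role is a sample test role for the
        security aware servlet
      </description>
      <role-name>SAMPLE-ROLE</role-name>
      <role-link>SAMPLE-ROLE-LINK</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>ProtectedServlet</servlet-name>
    <url-pattern>/ProtectedServlet</url-pattern>
  </servlet-mapping>
  ...
  <!-- No http-method is listed, so this constraint covers every HTTP method
       on /ProtectedServlet, which is the safe shape. No user-data-constraint
       is given, so the container accepts the request over plain HTTP; add a
       transport-guarantee of CONFIDENTIAL if credentials must not be sent in
       the clear. The login-config that tells the container how to
       authenticate is not shown in this excerpt. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>basic secuity test</web-resource-name>
      <url-pattern>/ProtectedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SAMPLE-ROLE-LINK</role-name>
    </auth-constraint>
  </security-constraint>
  ...
  <security-role>
    <description>Some description</description>
    <role-name>SAMPLE-ROLE-LINK</role-name>
  </security-role>
  ...
</web-app>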
In the sun-application.xml file, define role mappings as:
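<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE sun-application PUBLIC
  '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 J2EE Application 1.3//EN'
  'http://www.sun.com/software/sunone/appserver/dtds/sun-application_1_3-0.dtd'>

<sun-application>
  <!-- Maps SAMPLE-ROLE-LINK (the declared role that the servlet's
       SAMPLE-ROLE reference links to) to every member of the directory group
       cn=staff,o=sun.com,o=isp and to the individual user amAdmin. The group
       DN must match the realm's directory exactly. amAdmin is an
       administrative identity and is presumably listed only for the sample;
       in a real deployment drop it and rely on the group. -->
  <security-role-mapping>
    <role-name>SAMPLE-ROLE-LINK</role-name>
    <group-name>cn=staff,o=sun.com,o=isp</group-name>
    <principal-name>amAdmin</principal-name>
  </security-role-mapping>
</sun-application>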