How do I programmatically map user roles
Hello,
Is it possible to change the principal -> role mapping from Java code (an arbitrary ejb method)?
Small example:
Let's say my application does foo and has two kinds of users: regular and premium.
Access to 'premium' resources is restricted using @RolesAllowed annotation on ejbs.
@RolesAllowed("premium_user")
@Stateless
class PremiumServiceBean implements PremiumService {
...
}
In the application there are two ejbs that manage users and I'd like to change the role mapping from them.
RegisterUser -- registers a new regular user. Adds him to the database and generates a line in the file realm keystore.
ProcessPaymentMessage -- processes information about a payment and maps the "premium_user" role.
How do I map a role at runtime, preferably w/o locking myself into GlassFish?
Is there a way to 'hook' the principal to role mapping?
Is it possible to change the mapped principal class on a per-application basis (see "Application Server > Configuration > Security" at asadmin console)?
[1220 byte] By [a3cchana] at [2007-11-26 22:18:13]

# 1
When it comes to ejbs, they are mostly about declarative security and runtime mapping is not something you would want to try.
With ejbs you are limited to programmatic security, i.e. context.getCallerPrincipal() and context.isCallerInRole() stuff.
The easiest solution to me is to store your users in a DB and make ejbs read all user info, i.e. premium/standard etc. from this DB.
# 2
> With ejbs you are limited to programmatic security,
> i.e. context.getCallerPrincipal() and
> context.isCallerInRole() stuff.
If I had solved dynamic principal->role mapping, I would use exactly context.isCallerInRole() to determine privileges. It seems like BEA's WebLogic has this feature: http://e-docs.bea.com/wls/docs81/dvspisec/rm.html :-(
> The easiest solution to me is to store your users in
> a DB and make ejbs read all user info, i.e.
> premium/standard etc. from this DB.
I keep my user definitions, user->groups and user->role mapping in the database already. So I've considered implementing principal to role mapping using my arbitrary code, e.g. MyRoleManager.getPrincipalRole(principal). But it seems like reinventing the wheel ;-)
With additional research (read: googlin-round-web) I've found this thread on the java.net forums: http://forums.java.net/jive/message.jspa?messageID=151779
From the discussion, I've learned this: roles are fixed, use groups, map them to roles on application deployment, then dynamically assign users to groups.
So I'll create a mapping like this in my sun-ejb-jar.xml:
<security-role-mapping>
    <role-name>regular</role-name>
    <group-name>regular</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>premium</role-name>
    <group-name>premium</group-name>
</security-role-mapping>
Should do the trick. I'll inform you later on.
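
The approach the thread settles on (fixed roles, group-to-role mapping at deployment, group membership changed at runtime), sketched as an added example that is not code from either poster. It assumes the realm reads groups from a table USER_GROUPS(USERNAME, GROUPNAME) through a data source jdbc/usersDS; those names, the bean name and the "payment_backend" role are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBException;
import javax.ejb.Stateless;
import javax.sql.DataSource;

// Assumptions (not from the thread): the realm reads group membership from
// USER_GROUPS(USERNAME, GROUPNAME) via the data source jdbc/usersDS, and
// "payment_backend" is a hypothetical role held only by the payment component.
@Stateless
@RolesAllowed("payment_backend") // ordinary users must not be able to promote themselves
public class GroupMembershipBean {

    private static final String PREMIUM_GROUP = "premium"; // group mapped to role "premium"

    @Resource(lookup = "jdbc/usersDS")
    private DataSource ds;

    /** Adds the user to the premium group; safe to call twice for the same user. */
    public void grantPremium(String username) {
        revokePremium(username); // remove any existing row so the insert cannot duplicate
        update("INSERT INTO USER_GROUPS (USERNAME, GROUPNAME) VALUES (?, ?)", username);
    }

    /** Removes the user from the premium group, e.g. when a subscription lapses. */
    public void revokePremium(String username) {
        update("DELETE FROM USER_GROUPS WHERE USERNAME = ? AND GROUPNAME = ?", username);
    }

    // Parameterized statement: the username never becomes part of the SQL text.
    private void update(String sql, String username) {
        if (username == null || username.isEmpty()) {
            throw new IllegalArgumentException("username is required");
        }
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, PREMIUM_GROUP);
            ps.executeUpdate();
        } catch (SQLException e) {
            throw new EJBException(e); // system exception: the container rolls back the transaction
        }
    }
}
```

Groups are typically attached to the caller when the user authenticates, so a grant or revoke made this way is usually seen by context.isCallerInRole() and @RolesAllowed only after the user's next login.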