Configuring Groups

This article describes what Groups are and how they are normally configured with the default UserManager.

1 Introduction

    This article describes what Groups are and how they are normally configured with the default UserManager in the Orion Application Server.

2 Overview

    Orion handles security identities through the notion of Groups and Users. A Group consists of a number of Users as described here. Apart from containing a number of Users, a Group can also be given permissions (see below).

    A J2EE application uses Roles to define access to resources within the application. These Roles are then mapped to the Groups and/or Users defined in the Orion Application Server. The J2EE specification defines Roles but does not define how these should be mapped to security identities in the Application Server. The notions of Groups and Users are therefore Orion-specific, as is the procedure for adding Groups and Users.

    Groups can consist of any number of Users as described here.

3 Configuring Groups

    Groups have to be made available to the Orion Application Server before they can be used. This is done by adding the name of the Group, together with an optional description, to the application's principals.xml file (found in the deployment directory of the application).

    If the Group should be globally available it should be added to the principals.xml file of the global application (normally found at orion/config/principals.xml).

    A globally defined Group is known to all Applications deployed on the Server in question, while a locally defined Group is known to the specific Application only.

    A locally defined Group with the same name as a globally defined Group will override the global Group.

    A sample Group definition can be found in listing 1 below.


    <principals>
      <groups>
        <group name="administrators">
          <description>administrators</description>
          <permission name="administration" />
        </group>
        <group name="guests">
          <description>guests</description>
        </group>
        <group name="users">
          <description>users</description>
          <permission name="rmi:login" />
        </group>
      </groups>
    </principals>
    Listing 1, A sample Group definition.

    In the listing above, three groups are defined: "administrators", with the right to administer the server; "guests", which is the default group for anonymous access; and "users", with the right to log in to the server over RMI.

    Each group node contains the tags to hold the group's name, a description and zero or more permissions.
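
    Because a locally defined Group replaces a global Group of the same name, it is worth checking which permissions an application's principals.xml changes relative to the global file. The following Python script is an added example, not part of the Orion distribution: the two XML documents are constructed samples, and treating an override as a whole-group replacement is an assumption based on the override rule above.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
GLOBAL_XML = """<principals><groups>
  <group name="administrators"><description>administrators</description>
    <permission name="administration" /></group>
  <group name="guests"><description>guests</description></group>
  <group name="users"><description>users</description>
    <permission name="rmi:login" /></group>
</groups></principals>"""

LOCAL_XML = """<principals><groups>
  <group name="guests"><description>shop guests</description>
    <permission name="rmi:login" /></group>
  <group name="editors"><description>content editors</description></group>
</groups></principals>"""


def parse_groups(xml_text):
    """Return {group name: set of permission names} from a principals.xml document."""
    root = ET.fromstring(xml_text)
    groups = {}
    for group in root.findall("./groups/group"):
        name = group.get("name")
        if not name:
            raise ValueError("group element without a name attribute")
        groups[name] = {p.get("name") for p in group.findall("permission")}
    return groups


def effective_groups(global_groups, local_groups):
    """Groups as one application sees them: a local definition replaces the global one.

    Assumption: the override replaces the whole group, permissions included.
    """
    merged = dict(global_groups)
    merged.update(local_groups)
    return merged


def audit(global_groups, local_groups):
    """List local groups that shadow a global group, with the permissions gained and lost."""
    findings = []
    for name in sorted(local_groups.keys() & global_groups.keys()):
        gained = local_groups[name] - global_groups[name]
        lost = global_groups[name] - local_groups[name]
        findings.append({"group": name, "gained": sorted(gained), "lost": sorted(lost)})
    return findings
```

    With these samples, audit() reports that the application's "guests" group shadows the global one and gains rmi:login, which is the kind of change to review when the group is the default for anonymous access.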

4 Configuring Groups using the console

    This section describes how to use the Orion Console to manage Groups. The topics covered are:

    4.1 Adding a Group

      This section describes how to use the Orion Console to add a new Group to an Application.

      1. Select the Application that a new Group should be added to.

      2. Select the "Users" node in the exploded list of nodes for the Application.

        This should open up a Users and Group view in the right part of the Console.

      3. Click the "Add Group" button.

        This should open a new window where a name and description can be entered.

      4. State the name and optional description for the new group in the designated fields.

      5. Press the 'OK' button.

      The new Group should now be listed in the Groups section of the Users and Groups view.

    4.2 Changing a Group

      This section describes how to use the Orion Console to change a Group that already exists in an Application.

      1. Select the Application that holds the Group to be changed.

      2. Select the "Users" node in the exploded list of nodes for the Application.

        This should open up a Users and Group view in the right part of the Console.

      3. Select the Group that should be changed from the list of Groups that the Application contains.

        This should enable the 'Configure' button.

      4. Click the "Configure" button.

        This should open a new window where a name and description can be changed.

      5. Change the name and/or description for the group in the designated fields.

      6. Press the 'OK' button.

      The Group should now be listed in its changed form in the Groups section of the Users and Groups view.

    4.3 Removing a Group

      This section describes how to use the Orion Console to remove an existing Group from an Application.

      1. Select the Application that holds the Group to be removed.

      2. Select the "Users" node in the exploded list of nodes for the Application.

        This should open up a Users and Group view in the right part of the Console.

      3. Select the Group that should be removed from the list of Groups that the Application contains.

        This should enable the 'Delete Selected' button.

      4. Click the "Delete Selected" button.

      The Group should now be removed from the list of available Groups in the Groups section of the Users and Groups view.

5 Permissions

    The Orion Application Server comes with two predefined permissions that can be given to groups:

      Administration (com.evermind.server.AdministrationPermission) - the user is allowed to administer the server

      rmi:login (com.evermind.server.rmi.RMIPermission) - the user is allowed to log in over RMI

    New permissions can be added by specifying the class-name of a class that extends java.security.Permission.

Copyright © 2005 IronFlare AB