Configuring Roles

This article describes what Roles are and how they are normally configured and referenced in a J2EE Application module.

1 Introduction

    Security roles are the names a J2EE application uses to decide who may reach a protected resource. This article describes what they are, how they are declared in the deployment descriptors of an EJB module, a Web module and the enclosing application, and how descriptors and code reference them. Mapping the roles to actual users and groups is the deployer's job and is only touched on here.

2 Overview

    When you develop J2EE applications you normally only concern yourself with which security roles should, or should not, have access to a certain resource. Thinking in terms of security roles makes it easy to reason about how users will use your application without specifying who these users actually are.

    When a J2EE application is deployed, the deployer maps these roles to security identities (users and groups in Orion Application Server).

3 Role-based Access-control

    As a developer, you can use both declarative and programmatic security to limit access to certain resources.

    Declarative security means that you are using the deployment descriptor (ejb-jar.xml for an EJB module, web.xml for a Web module) to define security settings, so the code itself contains no access checks.


    <method-permission>
      <description>Restricted</description>
      <role-name>users</role-name>
      <method>
        <ejb-name>accountManager</ejb-name>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>account</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    Listing 1, An example of declarative security in ejb-jar.xml: every method (*) of the accountManager and account EJBs is restricted to callers in the users role.

    Programmatic security means that you are using methods of the container's API to enforce security settings from your own code, for example isCallerInRole() on the EJB context, or isUserInRole() on the HTTP request in a Web module.


    // context is the bean's EJBContext (SessionContext or EntityContext)
    if (context.isCallerInRole("users")) {
        doSomeStuff();       // the caller holds the users role
    } else {
        doSomeOtherStuff();  // everybody else
    }
    Listing 2, An example of using programmatic security in an arbitrary J2EE Application module. The role name passed to isCallerInRole() must be one the module knows about (see section 4).

4 Configuring Roles

    In order to set up access restrictions, your J2EE module needs to know the security roles it has to handle. This is done with a list of security-role entries like the one shown in listing 3 below.


    <assembly-descriptor>
      <security-role>
        <description>My users</description>
        <role-name>users</role-name>
      </security-role>
      <security-role>
        <description>My special users</description>
        <role-name>specials</role-name>
      </security-role>
    </assembly-descriptor>
    Listing 3, Security role entries for an EJB module (ejb-jar.xml).

    The declarations look the same in a Web module (web.xml) as in an EJB module, except that web.xml has no assembly-descriptor element; the security-role entries sit directly under web-app, as shown in listing 4 below.


    <security-role>
      <description>My users</description>
      <role-name>users</role-name>
    </security-role>
    <security-role>
      <description>My special users</description>
      <role-name>specials</role-name>
    </security-role>
    Listing 4, Security role entries for a Web module (web.xml).

    By adding entries like the ones above to the application.xml of an application, the server recognizes the roles that the application uses. Such roles need not be repeated in every module as long as the module does not define any module-specific behaviour for the role. Examples of such behaviour are a run-as directive in an ejb-jar.xml file or an auth-constraint in a Web module; a module that uses a role in that way has to declare the role itself.
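    The rule above is easy to get wrong by hand, so here is an added example (Python; not Orion's own tooling and not code from the original article) that reads an ejb-jar.xml and a web.xml and lists, per module, the roles it references but never declares and the roles it declares but never uses. Both descriptors are constructed for the example and each contains one mistake on purpose. The element names are the standard J2EE ones used in the listings above; run-as and security-role-ref are treated on the assumption that a module using them must declare the role they link to, which is what the text above requires. It only looks at descriptors, not at role names passed to isCallerInRole() in Java source.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors, not taken from any real deployment. They
# repeat the roles and method permissions of listings 1 and 3, and each one
# contains a mistake the check should catch: the EJB module declares
# "specials" but never uses it, and the Web module constrains /admin/* to a
# role ("admins") that it never declares.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>accountManager</ejb-name>
      <security-role-ref>
        <role-name>users</role-name>
        <role-link>users</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>users</role-name></security-role>
    <security-role><role-name>specials</role-name></security-role>
    <method-permission>
      <role-name>users</role-name>
      <method><ejb-name>accountManager</ejb-name><method-name>*</method-name></method>
      <method><ejb-name>account</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admins</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>users</role-name></security-role>
</web-app>
"""


def _role_names(elem, path):
    """Non-empty, stripped text of every element matching path under elem."""
    return {e.text.strip() for e in elem.findall(path) if e.text and e.text.strip()}


def declared_roles(root):
    """Roles the module declares with <security-role>."""
    return _role_names(root, ".//security-role/role-name")


def referenced_roles(root):
    """Roles the module actually uses: method permissions, auth constraints,
    run-as identities, and the targets of security-role-ref elements."""
    refs = set()
    for tag in ("method-permission", "auth-constraint", "run-as"):
        refs |= _role_names(root, f".//{tag}/role-name")
    for ref in root.iter("security-role-ref"):
        # With no role-link the name used in code must itself be a real role.
        refs |= _role_names(ref, "role-link") or _role_names(ref, "role-name")
    return refs


def check_module(xml_text):
    """Compare the roles one module descriptor declares with those it uses."""
    root = ET.fromstring(xml_text)
    declared, referenced = declared_roles(root), referenced_roles(root)
    return {
        "declared": declared,
        "referenced": referenced,
        # Used but never declared: the deployer has nothing to map, and what
        # the container then does with the constraint is container-specific.
        "undeclared": referenced - declared,
        # Declared but never used: a dead role, or a constraint that is missing.
        "unused": declared - referenced,
    }


def roles_for_deployer(application_roles, *module_reports):
    """Every role the deployer has to map to users or groups: those listed
    in application.xml plus those each module declares for itself."""
    roles = set(application_roles)
    for report in module_reports:
        roles |= report["declared"]
    return roles


if __name__ == "__main__":
    reports = {"ejb-jar.xml": check_module(EJB_JAR_XML), "web.xml": check_module(WEB_XML)}
    for name, report in reports.items():
        print(f"{name}: undeclared={sorted(report['undeclared'])} unused={sorted(report['unused'])}")
    print("roles to map:", sorted(roles_for_deployer(["users", "specials"], *reports.values())))
```

    Run it as part of the build, before the deployer sees the archive. An auth-constraint whose role is declared nowhere gives the deployer nothing to map, and whether the container then rejects the descriptor or simply lets nobody (or everybody) through is container-specific, so the cheap place to catch it is here. The unused list is worth reading too: a role declared in a module but never constrained is often a protected resource that somebody forgot to protect.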

    For more information about Roles, please see Sun's J2EE tutorial.

Copyright © 2005 IronFlare AB