Security group and name mapping has been edited by Ying Tang (May 19, 2009).


Security group and name mapping

When the <security> element is present, Web applications and EJB modules must make appropriate access checks as outlined in the JACC specification.

<security:security
  doas-current-caller="choice1"
  use-context-handler="choice2"
  default-role="role">

  <!-- Optional: subject used when an unauthenticated user accesses an unsecured page -->
  <default-subject>
    <realm>realm</realm>
    <id>name</id>
  </default-subject>

  <!-- Optional: maps the roles the module expects to principals in the realm -->
  <role-mappings>
    <!-- Repeat the role element for each role that must be mapped. -->
    <role role-name="role">
      <!-- Optional run-as-subject element -->
      <run-as-subject>
        <realm>realm</realm>
        <id>name</id>
      </run-as-subject>
      <!-- Repeat for each principal that should be mapped to the role -->
      <principal class="class" name="name"/>
      <!-- Not shown: Advanced principal specification options -->
    </role>
  </role-mappings>

</security:security>
...

where

  • The attributes of the <security> tag are optional.
    • doas-current-caller chooses whether work done by the module is performed as the calling user or as the server. When specified, choice1 can be true or false.
      • true specifies that work should be done as the caller.
      • false (the default) specifies that work should be done as the server.
    • use-context-handler chooses whether JACC policy contexts will use PolicyContextHandlers. When specified, choice2 can be true or false.
      • true specifies that context handlers should be enabled.
      • false (the default) specifies that context handlers should be disabled.
    • default-role specifies how EJB methods with no explicitly configured security are handled.
      • If empty or unspecified, the methods are configured as unchecked.
      • If role is specified, the methods are assigned to the specified role.
  • The <default-subject> element is required when a subject is to be used whenever an unauthenticated user accesses an unsecured page. Typically, this is used so that an unsecured page can access a secured resource, a secured EJB for example. In this case,
    • realm is the realm name of the default subject
    • name is the default subject's name within that realm.
  • The <role-mappings> element is required whenever a role expected by the module must be mapped to groups or subjects in the realm being used. In this case
    • The role specified in the role-name attribute is the name of the role expected by the module.
    • The <run-as-subject> element is required when the module, once constrained to the specified role, is to continue as if run by the specified subject. In this case
      • realm is the realm name of the run-as subject
      • name is the run-as subject's name within that realm.
    • The <principal> tag is required when the role is to be mapped to any subject or group in the realm being used. The tag is repeated for each user or group that is to be mapped to the specified role. In this case
      • class is the class name the realm uses for the specified user or group. The value must match the class name returned by the realm. For example, if you are using the default realm initially configured in a server, the class would be
        • org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal for users
        • org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal for groups.
      • name is the name of the principal (either a user name or a group name, depending on whether the specified class is a user or a group class).
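The following is an added example, not part of the original page and not Geronimo's own code. It parses a <security> fragment shaped like the template above and reports the settings a deployment reviewer would want flagged: doas-current-caller="true", an empty default-role (EJB methods with no explicit security become unchecked), a <default-subject> (unauthenticated callers of unsecured pages act as a real identity), a role with no <principal> mapped (nobody can satisfy it), a principal class that is not one of the two default-realm classes listed above, and any <run-as-subject>. The namespace URI on the security prefix and both plan fragments are constructed placeholders, assumed here because the page does not give them.

```python
"""Lint a Geronimo-style <security> deployment-plan fragment.

Added example; it is not Geronimo code. Uses only the standard library so
it runs offline. The xmlns URI is a placeholder assumption.
"""
import xml.etree.ElementTree as ET

# Principal classes of the default realm, as listed on the page.
USER_CLASS = "org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
GROUP_CLASS = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
KNOWN_CLASSES = {USER_CLASS, GROUP_CLASS}

# Constructed sample: a plan with several questionable settings.
WEAK_PLAN = """<security:security xmlns:security="urn:example:geronimo-security-placeholder"
    doas-current-caller="true"
    use-context-handler="false"
    default-role="">
  <default-subject>
    <realm>geronimo-admin</realm>
    <id>guest</id>
  </default-subject>
  <role-mappings>
    <role role-name="admin">
      <run-as-subject>
        <realm>geronimo-admin</realm>
        <id>system</id>
      </run-as-subject>
      <principal class="%s" name="admins"/>
    </role>
    <role role-name="auditor"/>
    <role role-name="user">
      <principal class="com.example.UnknownPrincipal" name="alice"/>
    </role>
  </role-mappings>
</security:security>
""" % GROUP_CLASS

# Constructed sample: the same plan tightened so the lint reports nothing.
HARDENED_PLAN = """<security:security xmlns:security="urn:example:geronimo-security-placeholder"
    doas-current-caller="false"
    use-context-handler="false"
    default-role="authenticated">
  <role-mappings>
    <role role-name="admin">
      <principal class="%s" name="admins"/>
    </role>
    <role role-name="authenticated">
      <principal class="%s" name="users"/>
    </role>
  </role-mappings>
</security:security>
""" % (GROUP_CLASS, GROUP_CLASS)


def _local(tag):
    """Strip an ElementTree '{uri}' namespace prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def lint_security(xml_text):
    """Return (settings, role->principal list, [(code, message), ...])."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "security":
        raise ValueError("root element is not <security>")

    settings = {
        "doas-current-caller": root.get("doas-current-caller", "false") == "true",
        "use-context-handler": root.get("use-context-handler", "false") == "true",
        "default-role": root.get("default-role", ""),
    }
    findings = []
    if settings["doas-current-caller"]:
        findings.append(("DOAS_CALLER", "work is performed as the calling user, not the server"))
    if not settings["default-role"]:
        findings.append(("UNCHECKED_DEFAULT", "default-role empty: EJB methods without explicit security are unchecked"))

    # '{*}' matches the local name in any namespace or none (Python 3.8+).
    subject = root.find("{*}default-subject")
    if subject is not None:
        who = "%s/%s" % (subject.findtext("{*}realm"), subject.findtext("{*}id"))
        findings.append(("DEFAULT_SUBJECT", "unauthenticated users of unsecured pages act as " + who))

    mappings = {}
    for role in root.iterfind("{*}role-mappings/{*}role"):
        name = role.get("role-name")
        principals = [(p.get("class"), p.get("name")) for p in role.iterfind("{*}principal")]
        mappings[name] = principals
        if not principals:
            findings.append(("EMPTY_ROLE", "role %r has no principal mapped; nobody can satisfy it" % name))
        for cls, _ in principals:
            if cls not in KNOWN_CLASSES:
                findings.append(("UNKNOWN_CLASS", "role %r: %s is not a default-realm class; confirm the realm returns it" % (name, cls)))
        run_as = role.find("{*}run-as-subject")
        if run_as is not None:
            who = "%s/%s" % (run_as.findtext("{*}realm"), run_as.findtext("{*}id"))
            findings.append(("RUN_AS", "role %r continues as %s" % (name, who)))
    return settings, mappings, findings


if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        _, _, found = lint_security(plan)
        print(label, "findings:", len(found))
        for code, msg in found:
            print("  %-18s %s" % (code, msg))
```

The weak plan produces six findings and the hardened one none; the role table the function returns is also useful on its own for checking, before deployment, that every role the module expects actually resolves to a user or group the realm knows.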
