The J2EETM Tutorial

Security Roles

When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.

A J2EE group also represents a category of users, but it has a different scope from a role. A J2EE group is designated for the entire J2EE server, whereas a role covers only a specific application in a J2EE server.

To create a role for a J2EE application, you declare it for the EJB JAR file or for the WAR file that is contained in the application. For example, you could use the following procedure to create a role in deploytool.

  1. Select the enterprise bean's EJB JAR file or the Web component's WAR file.
  2. In the Roles tabbed pane, click Add.
  3. In the table, enter values for the Name and Description fields.

Declaring and Linking Role References

A security role reference allows an enterprise bean or Web component to reference an existing security role. A security role is an application-specific logical grouping of users, classified by common traits such as customer profile or job title. When an application is deployed, roles are mapped to security identities, such as principals (identities assigned to users as a result of authentication) or groups, in the operational environment. Based on this, a user with a certain security role has associated access rights to a J2EE application. The link is the actual name of the security role that is being referenced.

During application assembly, the assembler creates security roles for the application and associates these roles with available security mechanisms. The assembler then resolves the security role references in individual servlets and JSPs by linking them to roles defined for the application.

The security role reference defines a mapping between the name of a role that is called from a Web component using isUserInRole(String name) (see Using Programmatic Security in the Web Tier) or from an enterprise bean using isCallerInRole(String name) (see Using Programmatic Security in the EJB Tier) and the name of a security role that has been defined for the application. For example, to map the security role reference cust to the security role with role name bankCustomer, you would do the following:

  1. Select the Web component or enterprise bean.
  2. Select the Security tab.
  3. If the cust entry does not appear in the Role Names Referenced In Code pane, click the Add button.
  4. Enter the name of the security role reference cust in the Coded Name column.
  5. From the drop-down menu in the Role Name column, select the security role name bankCustomer that maps to the coded name.
    If the security role name to which you want to map the security role reference is not listed in the Role Name column, click Edit Roles and add the role (see Security Roles).
  6. Click on the folded paper icon to add a description for the cust role reference.
  7. In the Description dialog box, enter a description.
  8. Click OK to accept the description, or Cancel to cancel it.

In this example, isUserInRole("bankCustomer") and isUserInRole("cust") will both return true for the methods indicated in the Method Permissions pane.

Because a coded name is linked to a role name, you can change the role name at a later time without having to change the coded name. For example, if you were to change the role name from bankCustomer to something else, you wouldn't need to change the cust name in the code. However, you would need to relink the cust coded name to the new role name.

Mapping Roles to J2EE Users and Groups

When you are developing a J2EE application, you should know the roles of your users, but you probably won't know exactly who the users will be. That's taken care of in the J2EE security architecture, because after your component has been deployed, the administrator of the J2EE server will map the roles to the J2EE users (or groups) of the default realm. In the Account bean example, the administrator might assign the user Sally to the Manager role, and the users Bob, Ted, and Clara to the Teller role.

An administrator can map roles to J2EE users and groups by using the following procedure in deploytool:

  1. Select the J2EE application.
  2. In the Security tab, select the appropriate role from the Role Name list.
  3. Click Add.
  4. In the Users dialog box, select the users and groups that should belong to the role. (See Managing J2EE Users and Groups for information about creating users and groups with deploytool.)