I am struggling to find out a way to map my J2EE application roles to
roles in LDAP.. Say I have a role defined in my web.xml named 'My
Role' and I wanted to map it to say all users who are authenticated in
the system. For your information I am using J2EE security/container
managed authentication for this purpose... FORM BASED Login..
I do know that we can map this role by navigating to Installed App>My
Application> Security and role mapping.. in the server's admin
console..
But my application does have 20+ odd web modules.. (huh!! I know it's
pretty large.. :-)).. I want to map these roles using some
automation.. say JACL script (as we are using JACL to deploy our
application)..
so my question is.. is it feasible... and how can we automate this ..?
Any help in this regard.. would be great to me.
Thanks
Gaurav Daga
Gaurav.Daga at in.ibm.com
I think that a leaner way to do that is to specify your user/role mapping as part of your application WAS deployment descriptor (ibm-application-bnd.xmi). For example, the following ibm-application-bnd.xmi file, if added beside your application.xml, will grant ConsumerRole to AllAuthenticatedUsers for your application:
Using a tool like Application Server Toolkit, you can configure all this through the UI (edit the deployment descriptor of an application), then export the EAR and see what gets generated.
I hope this helps.
JACL example:
==============
For future reference for this problem, below is the solution which I have got and may be implementing in my application.
While deploying war.. you can mention the mapping using the following syntax.. (copying this content from Infocenter.. also giving the link of the same.)
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rxml_adminapp.html
Hope this would help someone..
Cheers,
Gaurav Daga
MapRolesToUsers
Maps users to roles. You must map each role defined in the application or module to a user or group from the domain user registry. You can specify multiple users or groups for a single role by separating them with a |. Use this option to provide missing data or update to a task.
Example usage:
Using Jacl:
$AdminApp install c:/myapp.ear {-MapRolesToUsers {{"All Role" No Yes "" ""} {"Every Role" Yes No "" ""} {DenyAllRole No No user1 group1}}}
Using Jython:
AdminApp.install('c:/myapp.ear', '[-MapRolesToUsers [["All Role" No Yes "" ""] ["Every Role" Yes No "" ""] [DenyAllRole No No user1 group1]]]')
where {"All Role" No Yes "" ""} corresponds to the following:
"All Role" is the role name
No indicates to allow access to everyone (yes/no)
Yes indicates to allow access to all authenticated users (yes/no)
"" indicates the mapped users
"" indicates the mapped groups
Use the taskInfo command of the AdminApp object to obtain information about the data needed for your application. You only need to provide data for rows or entries that are missing information, or those where you want to update the existing data.
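Added example (not part of the original posts and not IBM's code): with 20+ modules, the option string is easier to generate from a reviewed role table than to type by hand, and the generator can refuse any row that sets the "everyone" column to Yes unless that role is explicitly allowed. The function names, the AdminRole role and the admins/ops groups are assumptions made up for illustration; quoting every field is also an assumption, modelled on the quoted names in the Jython example above.

```python
# Added example, not IBM's code. Row layout follows the quoted documentation:
# role name, everyone (Yes/No), all authenticated (Yes/No), users, groups.

def _field(value):
    """Quote one field; reject characters that would break the option string."""
    for bad in ('"', "[", "]", "{", "}"):
        if bad in value:
            raise ValueError("unsupported character %r in %r" % (bad, value))
    return '"%s"' % value


def _joined(names):
    """Join users or groups with '|', the separator the documentation gives."""
    for name in names:
        if "|" in name or not name.strip():
            raise ValueError("bad user/group name %r" % name)
    return _field("|".join(names))


def build_map_roles_option(mappings, allow_everyone=()):
    """Build '[-MapRolesToUsers [...]]' and refuse unreviewed Everyone grants."""
    rows, seen = [], set()
    for m in mappings:
        role = m["role"]
        if not role.strip() or role in seen:
            raise ValueError("empty or duplicate role %r" % role)
        seen.add(role)
        everyone = bool(m.get("everyone", False))
        if everyone and role not in allow_everyone:
            raise ValueError("role %r would be open to unauthenticated users" % role)
        rows.append("[%s %s %s %s %s]" % (
            _field(role),
            "Yes" if everyone else "No",
            "Yes" if m.get("all_authenticated", False) else "No",
            _joined(m.get("users", ())),
            _joined(m.get("groups", ())),
        ))
    return "[-MapRolesToUsers [%s]]" % " ".join(rows)


# Constructed sample: "My Role" is from the question; AdminRole, admins and ops are made up.
SAMPLE = [
    {"role": "My Role", "all_authenticated": True},
    {"role": "AdminRole", "groups": ["admins", "ops"]},
]

if __name__ == "__main__":
    # Pass the printed string as the second argument of AdminApp.install in wsadmin.
    print(build_map_roles_option(SAMPLE))
```

The script runs under ordinary Python and only produces the string; the install call itself still happens inside wsadmin.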