Resolving Security Roles

If OC4J can map every application role referenced in ejb-jar.xml directly to a physical group with the same name, then the security elements in the following example aren't necessary. However, for portability, backward compatibility, future security, and other considerations, it's usually more appropriate to explicitly map application roles to actual users and groups using a <security-role-mapping>.

For example, suppose the ejb-jar.xml contains the following assembly-descriptor:

    <assembly-descriptor>
        <security-role>
            <description>Allowed to check inventory</description>
            <role-name>inventory</role-name>
        </security-role>
        <method-permission>
            <role-name>inventory</role-name>
            <method>
                <ejb-name>ProductManager</ejb-name>
                <method-name>checkInventory</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>

You can then map the inventory role to one or more specific groups and users within orion-ejb-jar.xml, as follows:

    <assembly-descriptor>
        <security-role-mapping name="inventory">
            <group name="InventoryManagers" />
            <group name="Pickers" />
        </security-role-mapping>
    </assembly-descriptor>

The <assembly-descriptor> element may contain the elements listed in Table 11-21.

Table 11-21: security-role-mapping Elements

| Parameter | Description | Default Value |
|---|---|---|
| security-role-mapping | Maps a J2EE application role to one or more users and groups known to the UserManager. | |
| security-role-mapping:impliesAll | If true, all users are assumed to have this role. If false, individual users and groups should be specified using the <user> and <group> elements. | false |
| security-role-mapping:name | The name of the role as specified in ejb-jar.xml. | |
| group | Allows the assignment of a role to a group of users. | |
| group:name | Name of the group that should be given this role. | |
| user | Allows the assignment of a role to an individual user. | |
| user:name | | |
| default-method-access | The security settings for methods that aren't included in a method-permission in the ejb-jar.xml. This element contains a security-role-mapping with an impliesAll attribute. If impliesAll is set to true, then all users will be assumed to have that role and thus any methods without security settings will be accessible by all. If set to false, then callers must have the default role specified. | |
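The following added example (not from the book or from Oracle) cross-checks the two descriptors described above and reports mappings that widen access: roles granted through impliesAll, roles left to same-name group resolution, mappings that match no declared role, and an open default-method-access. The sample descriptors and the role name default-caller are constructed, and the script assumes DTD-style descriptors without an XML namespace, as in the snippets on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the book). Assumes DTD-style
# descriptors without an XML namespace, like the snippets on this page.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>inventory</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</assembly-descriptor></ejb-jar>"""

ORION_EJB_JAR = """<orion-ejb-jar><assembly-descriptor>
  <security-role-mapping name="inventory" impliesAll="true">
    <group name="InventoryManagers" />
  </security-role-mapping>
  <default-method-access>
    <security-role-mapping name="default-caller" impliesAll="true" />
  </default-method-access>
</assembly-descriptor></orion-ejb-jar>"""

def implies_all(mapping):
    # Per Table 11-21, impliesAll is false when the attribute is absent.
    return mapping.get("impliesAll", "false").strip().lower() == "true"

def audit_role_mappings(ejb_jar_xml, orion_xml):
    """Cross-check both descriptors; return a list of finding strings."""
    ejb, orion = ET.fromstring(ejb_jar_xml), ET.fromstring(orion_xml)
    declared = {(r.text or "").strip() for r in
                ejb.findall("./assembly-descriptor/security-role/role-name")}
    findings, mapped = [], set()
    for m in orion.findall("./assembly-descriptor/security-role-mapping"):
        name = m.get("name", "")
        mapped.add(name)
        if name not in declared:
            findings.append(f"mapping '{name}' matches no role in ejb-jar.xml")
        if implies_all(m):
            findings.append(f"role '{name}' is granted to all users")
        elif m.find("group") is None and m.find("user") is None:
            findings.append(f"role '{name}' is mapped to no user or group")
    for role in sorted(declared - mapped):
        findings.append(f"role '{role}' relies on a same-name group")
    default = orion.findall(
        "./assembly-descriptor/default-method-access/security-role-mapping")
    if any(implies_all(m) for m in default):
        findings.append("methods without a method-permission are open to all")
    return findings

if __name__ == "__main__":
    for finding in audit_role_mappings(EJB_JAR, ORION_EJB_JAR):
        print(finding)
```

An empty list means every declared role has an explicit mapping to named users or groups and no mapping uses impliesAll.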

 


Oracle Application Server 10g. J2EE Deployment and Administration
ISBN: 1590592352
EAN: 2147483647
Year: 2004
Pages: 150
