Show Table of Contents
1.3. Security Roles
The security role name referenced by either the <security-role-ref> or <security-identity> element must map to one of the application's declared roles. An application assembler defines logical security roles by declaring <security-role> elements. The role-name attribute value is a logical application role name, such as Administrator, Architect, or Sales_Manager.
The Java EE specifications note that it is important to keep in mind that the security roles in the deployment descriptor are used to define the logical security view of an application. Roles defined in the Java EE deployment descriptors should not be confused with the user groups, users, principals, and other concepts that exist in the target enterprise's operational environment. The deployment descriptor roles are application constructs with application domain-specific names. For example, a banking application might use role names such as Bank_Manager, Teller, or Customer.
Figure 1.3. <security-role> element
In JBoss, a <security-role> element is only used to map <security-role-ref> or <role-name> values to the logical role that the component role references. The user's assigned roles are a dynamic function of the application's security manager, as you will see when we discuss the JBossSX implementation details.
JBoss does not require the definition of <security-role> elements in order to declare method permissions. However, the specification of <security-role> elements is still a recommended practice to ensure portability across application servers and for deployment descriptor maintenance. Example 1.3, “ejb-jar.xml descriptor fragment” describes the usage of the <security-role> in an
ejb-jar.xml file.
Example 1.3. ejb-jar.xml descriptor fragment
<!-- A sample ejb-jar.xml fragment -->
<ejb-jar>
<!-- ... -->
<assembly-descriptor>
<security-role>
<description>The single application role</description>
<role-name>TheApplicationRole</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
Example 1.4, “example web.xml descriptor fragment” shows the usage of the <security-role> in an
web.xml file.
Example 1.4. example web.xml descriptor fragment
<!-- A sample web.xml fragment -->
<web-app>
<!-- ... -->
<security-role>
<description>The single application role</description>
<role-name>TheApplicationRole</role-name>
</security-role>
</web-app>
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.