assign-groups in GlassFish Security realm
By Shing Wai Chan on Aug 11, 2006
In the Java EE environment, roles are logical privileges that convey permission to operate on some particular set of resources in an application. The Sun Java System Application Server environment consists of several realms, each of which contains a complete database of users and groups that identify valid users of an application. When roles are mapped to users, those users are effectively granted the permissions conveyed by the role.
In Sun One Application Server 7.0, you can assign a role to all authenticated users in all realms at the same time, and applications can define authorization for that role. This addresses the following common scenario in the LDAP environment:
- All authenticated users can access some subset of protected resources within the application. It doesn't matter who you are, only that your identity has been established.
- The set of user groups is large or dynamic, but not specific to the application.
We wanted the ability to grant permission based on authentication alone, independent of identity; in other words, a way to map all authenticated identities to a role (or to define a role that is understood to be mapped to all authenticated identities) and never to unauthenticated entities.
In Sun Java System Application Server 8.x and GlassFish v1, various RFEs and issues have been filed requesting support for the above scenario. Therefore, this scenario has been addressed in GlassFish v2: the assign-groups property of CertificateRealm has been extended to FileRealm, LDAPRealm, SolarisRealm, and JDBCRealm. With this change, it is possible to configure all realms so that they assign one or more common group principals as a result of successful authentication, so that every user is effectively made a member of the common groups.
Given that this is the case, mapping one or more of the group principals to a role, either explicitly or by default, will allow the role to be used as an ANYONE role: a role that conveys permission to operate on all resources which are accessible to any authenticated user. You can also assign additional groups to all authenticated users in a specific realm without having to add those groups to all authenticated users in all realms. This gives finer control and allows us to resolve the issues with the above scenario as follows:
- Set the assign-groups property for a given realm. All authenticated users of the given realm will be assigned the additional groups specified by the assign-groups property, for instance,
- Map the additional groups to the desired roles in the Sun-specific deployment descriptors. For instance, in