Securing portals

The authorization model of the portal is based on the association between the following actors: groups, memberships, users, and any content inside the portal (pages, categories, or portlets).

In this recipe, we will assign the admin role to a set of pages under a specific URL of the portal. This configuration is already present in the default portal shipped with GateIn, so you can take the complete code from there.

Getting ready

Locate the web.xml file inside your portal application.

How to do it…

We need to configure the web.xml file so that the admin role is required for the pages under the URL http://localhost:8080/portal/admin/*, in the following way:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
       admin authentication
    </web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The role must be declared in a separate section, placed after the security-constraint element, through the security-role element. Its role-name element defines the ID of the role:

<security-role>
  <description>the admin role</description>
  <role-name>admin</role-name>
</security-role>

How it works…

GateIn allows you to add different roles for every section of the portal simply by adding a path expression that can include a set of sub-pages using the wildcard notation (/*).

This is done by first defining all the needed roles using the security-role element, and then defining a security-constraint element for each set of pages that you want to involve.
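As an added example that is not part of the original recipe, the following script audits the security-constraint and security-role sections of a web.xml the way a reviewer would: it flags roles used in an auth-constraint that no security-role declares, constraints whose transport-guarantee is not CONFIDENTIAL (the recipe's snippet uses NONE, so the admin login can travel over plain HTTP), and constraints that list http-method elements, which leaves every other HTTP method unconstrained unless the Servlet 3.1 deny-uncovered-http-methods element is present. The sample web.xml is constructed from the recipe's two snippets plus a hypothetical /reports/* constraint with an undeclared auditor role.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the admin constraint and role from the recipe, plus a
# hypothetical second constraint naming a role no security-role declares.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin authentication</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def _find_all(node, name):
    """Match elements by local name so a namespaced web.xml also works."""
    return [e for e in node.iter() if e.tag.rsplit('}', 1)[-1] == name]


def audit_web_xml(xml_text):
    """Return a list of findings (strings) for the security configuration."""
    root = ET.fromstring(xml_text)
    declared = {n.text.strip() for r in _find_all(root, 'security-role')
                for n in _find_all(r, 'role-name')}
    deny_uncovered = bool(_find_all(root, 'deny-uncovered-http-methods'))
    findings = []
    for sc in _find_all(root, 'security-constraint'):
        label = ', '.join(p.text.strip() for p in _find_all(sc, 'url-pattern'))
        # Every role referenced by an auth-constraint must exist as a security-role.
        for n in _find_all(sc, 'role-name'):
            if n.text.strip() not in declared:
                findings.append(f"{label}: role '{n.text.strip()}' is not declared in any security-role")
        # NONE (or no user-data-constraint at all) means no TLS is required.
        guarantees = [g.text.strip() for g in _find_all(sc, 'transport-guarantee')]
        if 'CONFIDENTIAL' not in guarantees:
            findings.append(f"{label}: no CONFIDENTIAL transport-guarantee, logins may travel over plain HTTP")
        # Listing http-method elements constrains only those methods.
        methods = [m.text.strip() for m in _find_all(sc, 'http-method')]
        if methods and not deny_uncovered:
            findings.append(f"{label}: only {methods} are constrained; other HTTP methods are uncovered")
    return findings
```

Running `audit_web_xml(SAMPLE_WEB_XML)` on the sample yields four findings: two for /admin/* (transport and uncovered methods) and two for /reports/* (undeclared role and transport).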

In GateIn, this role definition corresponds to the group seen in the previous chapter. PicketLink also handles users and memberships, and can manage the organization of the groups.

There's more...

Configuring GateIn with JAAS

GateIn uses JAAS (Java Authentication and Authorization Service) as its security model.

Note

JAAS (Java Authentication and Authorization Service) is the most common framework used in the Java world to manage authentication and authorization. The goal of this framework is to separate the responsibility for users' permissions from the Java application itself. In this way, you have a bridge for permissions management between your application and the security provider.

For more information about JAAS, please see the following URL:

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

Java EE Application servers and JSP/servlet containers, such as JBoss and Tomcat, also support JAAS with specific deployment descriptors.

The default JAAS module implemented in GateIn synchronizes the users and roles from the database. In order to add your portal to a specific realm, add the following snippet in web.xml:

<login-config>
. . .
  <realm-name>gatein-domain</realm-name>
. . .
</login-config>

Notice that a realm can be managed by JAAS or by another authorization framework; from the Java Enterprise Edition point of view it does not matter which one is used.

gatein-domain is the ID of the default GateIn domain that we will use as the default reference for the following recipes.

See also

  • The Securing with JBoss AS recipe
  • The Securing with Tomcat recipe