Converged Application Server Role Mapping Features
When you deploy a SIP Servlet, security-role definitions that were created for declarative and programmatic security must be assigned to actual principals and/or roles available in the Servlet container. Converged Application Server uses the security-role-assignment element in weblogic.xml to help you map security-role definitions to actual principals and roles. security-role-assignment provides two different ways to map security roles, depending on how much flexibility you require for changing role assignment at a later time:
- The security-role-assignment element can define the complete list of principal names and roles that map to roles defined in. This method defines the role assignment at deployment time, but at the cost of flexibility; to add or remove principals from the role, you must edit the sip.xml and weblogic.xml deployment descriptors, and redeploy the SIP Servlet.
- The externally-defined element in security-role-assignment enables you to assign principal names and roles to a sip.xml role at any time using the Administration Console. When using the externally-defined element, you can add or remove principals and roles to a sip.xml role without having to redeploy the SIP Servlet.
Two additional XML elements can be used for assigning roles to the sip.xml deployment descriptor's run-as element: run-as-principal-name and run-as-role-assignment. These role assignment elements take precedence over security-role-assignment elements if they are used, as described in "Assigning run-as Roles".
Optionally, you can choose to specify no role mapping elements in weblogic.xml to use implicit role mapping, as described in "Using Implicit Role Assignment".
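As an added example (not taken from the product documentation), the following check reads a sip.xml and weblogic.xml pair and reports, for each role, whether it is mapped to a static principal list, marked externally-defined, or has no security-role-assignment at all. The descriptor contents, role names and principal names are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (assumed content, not from the original page).
SIP_XML = """<sip-app>
  <security-role><role-name>operator</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>guest</role-name></security-role>
</sip-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>operator</role-name>
    <principal-name>alice</principal-name>
    <principal-name>SipAdmins</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""


def local(tag):
    """Drop any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def classify_roles(sip_xml, weblogic_xml):
    """Map each role name to (mode, principals) based on weblogic.xml."""
    declared = [r.text.strip()
                for sr in ET.fromstring(sip_xml).iter()
                if local(sr.tag) == "security-role"
                for r in children(sr, "role-name")]
    # Roles with no security-role-assignment stay "unmapped" (implicit mapping case).
    result = {role: ("unmapped", []) for role in declared}
    for sra in ET.fromstring(weblogic_xml).iter():
        if local(sra.tag) != "security-role-assignment":
            continue
        role = children(sra, "role-name")[0].text.strip()
        if children(sra, "externally-defined"):
            result[role] = ("externally-defined", [])
        else:
            names = [p.text.strip() for p in children(sra, "principal-name")]
            result[role] = ("static", names)
    return result
```

Roles reported as "static" can only change through a descriptor edit and redeploy, while "unmapped" roles are the ones worth reviewing against the implicit role assignment behaviour before deployment.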
The sections that follow describe Converged Application Server role assignment in more detail.