Role-Based Security

The authentication mechanism in the servlet specification uses a technique called role-based security. The idea is that rather than restricting resources at the user level, you create roles and restrict the resources by role. A single user can have more than one role. For example, a company might have employees and contractors, so you can have an application that permits different operations, depending on whether you are an employee or a contractor. You might also have a manager role. If a contractor happens to be a manager, he would have two roles: contractor and manager.

There are no predefined roles. You can come up with role names as you see fit. As far as creating users and roles, each servlet engine has its own method for defining users and roles. In Tomcat, roles are defined in the file tomcat-users.xml, which is located off of Tomcat's home directory in conf. An example of this file is shown in Listing 23.1.

Listing 23.1 An example tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="admin" password="secret" roles="admin,manager"/>
</tomcat-users>

The Tomcat documentation briefly mentions this file in connection with the Manager application. You may recall that you must add an admin and manager role and a user in those roles to be able to use the Administration tool and Web application manager. As you can see, you add roles and users by adding <role> and <user> elements.