I'm working on a system where we provide an application-scoped group/role system that sits on top of JAAS groups/roles, and I need a way of mapping those application-scoped roles onto roles that JAAS knows about. For instance, I have a role that JAAS knows about called "everyone", and a role that the application knows about called "users" whose membership consists of all the users in the role "everyone". In WebLogic, I declare this mapping by adding a <security-role-assignment> entry in weblogic.xml:

    <security-role-assignment>
      <role-name>users</role-name>
      <principal-name>everyone</principal-name>
    </security-role-assignment>

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>users</role-name>
      </auth-constraint>
    </security-constraint>

    <security-role>
      <role-name>users</role-name>
      <principal-name>everyone</principal-name>
    </security-role>
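
As an added example (not part of the original post): a small Python check that cross-references the roles used in web.xml auth-constraints against the `<security-role>` declarations and the `<security-role-assignment>` entries in weblogic.xml, so a constraint that names an unmapped role is caught before deployment. The sample descriptors are constructed, and the `admins` role and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors modelled on the fragments in the post;
# the "admins" role is invented here to show a failing case.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>users</role-name><role-name>admins</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>users</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
 <security-role-assignment>
  <role-name>users</role-name><principal-name>everyone</principal-name>
 </security-role-assignment>
</weblogic-web-app>"""


def local(tag):
    """Drop an XML namespace prefix so namespaced descriptors also work."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Stripped text of each direct child element called `name`."""
    return [c.text.strip() for c in elem if local(c.tag) == name and c.text]


def find_all(root, name):
    """Every element called `name`, at any depth below `root`."""
    return [e for e in root.iter() if local(e.tag) == name]


def audit_roles(web_xml, weblogic_xml):
    """Map each role used in an <auth-constraint> to a list of findings."""
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = {r for e in find_all(web, "security-role") for r in children(e, "role-name")}
    mapped = {}
    for e in find_all(wls, "security-role-assignment"):
        for role in children(e, "role-name"):
            mapped.setdefault(role, []).extend(children(e, "principal-name"))
    report = {}
    for e in find_all(web, "auth-constraint"):
        for role in children(e, "role-name"):
            findings = []
            if role not in declared:
                findings.append("not declared in a <security-role> element")
            if not mapped.get(role):
                findings.append("no explicit principal mapping in weblogic.xml")
            report[role] = findings
    return report
```

An empty findings list means the role is both declared and explicitly mapped to at least one principal; `audit_roles(WEB_XML, WEBLOGIC_XML)` reports `users` as clean and flags `admins` on both counts.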