
Authorization on the J2EE Engine is based on the notion of security roles. A security role can be thought of as a logical grouping of users (or groups of users) that have the same security privileges. J2EE Web applications define security role references in their web.xml deployment descriptor. Based on that information, the Web Container creates the corresponding roles (if they do not already exist) at deployment time. The application deployer maps those references to existing server users (or groups of users) using the SAP proprietary deployment descriptor - the web-j2ee-engine.xml. For a detailed description of the procedure for defining security role references and mapping them to existing users on the J2EE Engine, see Defining Web Application Security Roles.
Authentication and Authorization
Authorization based on the security roles concept is possible when used in combination with the authentication process. During the login process, the user proves his or her identity. Given the identity, it is easy to determine whether or not the user is part of a security role.
Using Servlet APIs for Checking J2EE Engine Security Roles
You can use the standard Servlet 2.3 APIs in your servlet or JSP code to make security-related decisions based on J2EE Engine security roles. The following methods of the HttpServletRequest object are available:
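The servlet below is an added example, not code from the SAP documentation. It makes a role-based decision with the standard Servlet 2.3 methods getRemoteUser(), isUserInRole() and getUserPrincipal() of HttpServletRequest. The class name ReportServlet and the role reference "manager" are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet. "manager" is an assumed role reference that must be
// declared in web.xml and mapped to server users or groups by the deployer.
public class ReportServlet extends HttpServlet {

    private static final String REQUIRED_ROLE = "manager"; // assumed name

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getRemoteUser() returns null when the caller has not been authenticated.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // isUserInRole() returns false for unauthenticated callers and for
        // users not mapped to the role, so this check fails closed.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // getUserPrincipal() exposes the authenticated identity as a Principal.
        Principal principal = request.getUserPrincipal();

        // text/plain so the user name is never interpreted as markup.
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Report for " + principal.getName()
                + " (role: " + REQUIRED_ROLE + ")");
    }
}
```

The role check is made only after authentication has been confirmed, matching the dependency of authorization on the login process described above.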