views:

329

answers:

1

I want to use a custom authentication module conforming to JSR 196 in GlassFish 3. The interface javax.security.auth.message.ServerAuth has the method:

AuthStatus validateRequest(
  MessageInfo messageInfo,
  javax.security.auth.Subject clientSubject,
  javax.security.auth.Subject serviceSubject
)

AuthStatus can be one of several constants like FAILURE or SUCCESS.

The question is: How can I get the roles from a "role database" with JSR 196?

Example: The server receives a request with an SSO token (a CAS token, for example), checks whether the token is valid, and populates the remote user object with roles fetched from a database via JDBC or from a REST service via HTTP.

Is the role fetching in the scope of JSR 196? How could that be implemented?

Do I have to use JSR 196 together with JSR 115 to use custom authentication and a custom role source?

A: 

Here's how I map users to roles:

I have 3 roles in my web.xml and also I have 3 role-to-group mappings in my sun-web.xml which map those roles to several groups. Then I have a database with a table Users that has a column called "group". That group corresponds to the group that is mapped to a role. I also use a JSR 196-based custom auth module with OpenID. So basically whenever a user is logged in, their group is read from the db and then my app assigns them the corresponding role. This is all done using the standard declarative security model of J2EE.

For my custom auth module I use a library called AuthenticRoast which makes things quite a bit simpler.

Here's also a related post...

Hope this helps.

Alex B
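As an added example (not Alex B's code and not AuthenticRoast), a minimal JSR 196 ServerAuthModule that does what the answer describes: it validates the SSO token, reads the user's "group" from the Users table over JDBC, and hands the caller name and groups to the container through CallerPrincipalCallback and GroupPrincipalCallback, so the roles in web.xml and the group-to-role mapping in sun-web.xml do the rest. The JNDI name jdbc/roleDb, the X-SSO-Token header and the abstract validateToken() hook are assumptions.

```java
import java.sql.*;
import java.util.*;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
import javax.sql.DataSource;
public abstract class TokenGroupAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    private DataSource roleDb;
    // Deployment-specific: validate the SSO (e.g. CAS) token and return its user name, or null if invalid.
    protected abstract String validateToken(String token);
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) throws AuthException {
        handler = h;
        try { roleDb = (DataSource) new InitialContext().lookup("jdbc/roleDb"); }   // assumed JNDI name
        catch (Exception e) { throw (AuthException) new AuthException("no role db").initCause(e); }
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String user = validateToken(req.getHeader("X-SSO-Token"));   // assumed header name
        if (user == null) {
            ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;   // container sends the 401; no principal is established
        }
        try {
            // CallerPrincipalCallback sets getRemoteUser(); GroupPrincipalCallback supplies the groups
            // that the container's group-to-role mapping (sun-web.xml) turns into roles for isUserInRole().
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(client, user),
                new GroupPrincipalCallback(client, lookupGroups(user)) });
        } catch (Exception e) { throw (AuthException) new AuthException("callback failed").initCause(e); }
        return AuthStatus.SUCCESS;
    }
    // Reads the "group" column of table Users with a parameterised query (the user name never touches the SQL).
    private String[] lookupGroups(String user) throws AuthException {
        List<String> groups = new ArrayList<String>();
        try (Connection c = roleDb.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT \"group\" FROM Users WHERE username = ?")) {
            ps.setString(1, user);
            for (ResultSet rs = ps.executeQuery(); rs.next();) groups.add(rs.getString(1));
        } catch (SQLException e) { throw (AuthException) new AuthException("role lookup failed").initCause(e); }
        return groups.toArray(new String[0]);
    }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

Because the groups reach the container through the standard callback, no JSR 115 (JACC) provider is needed for this: JACC only matters if you want to replace the container's role-to-permission decisions, not its group source.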