Hi,

If you use Java EE 6 container managed security, you can configure security constraints for resources inside the web.xml deployment descriptor. Are there alternative ways to do this?

For example the container could fetch them out of a database, like it does with the user data.

Is something like this possible? I would like a way that doesn't need to redeploy the webapp.

Thanks in advance.

+1  A: 

Actually, the standard approach is to use an LDAP where you declare users and assign them to LDAP groups which are then mapped to security constraints. Administration is done in the LDAP at the users level. And once security constraints are set, they almost never change in my experience (why would they?). Check the tutorial SecureJavaEE6App for more on this.

So, to clearly answer your question, pulling constraints from a database is IMO not possible; this is just not how Java EE security works. If you need more flexibility, maybe have a look at Spring Security, but I don't think that it allows setting roles dynamically either.

To be honest, I don't really understand the use case. As I said, once defined, security-constraints don't change in general. And if you need to protect new resources, then you are very likely going to redeploy the application anyway. But I may be missing something.

Pascal Thivent
Thanks for answering. But as far as I can see, LDAP is just a way to hold the user data. What I have asked for is to hold the security constraints in a DB, i.e.: resource "/XY" is protected and can only be accessed by the roles A, B and C. Did I miss something?
c0d3x
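
An application-level way to get the behaviour the question asks about, as an added example (not code from either poster): a Servlet 3.0 filter that checks resource-to-role rules held in memory and replaceable at runtime, while authentication and role membership still come from the container. The class name `DynamicConstraintFilter` and the `replaceRules` hook are hypothetical; reading the rows from a database is left to the caller.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DynamicConstraintFilter implements Filter {

    // Protected path prefix -> roles allowed to access it; swapped atomically on reload.
    private static volatile Map<String, Set<String>> rules = Collections.emptyMap();

    // Hypothetical hook: pass in the rows read from your own constraints table.
    public static void replaceRules(Map<String, Set<String>> loaded) {
        rules = Collections.unmodifiableMap(new HashMap<String, Set<String>>(loaded));
    }

    // Longest matching prefix wins; "/XY" covers "/XY" and "/XY/a" but not "/XYZ".
    static Set<String> rolesFor(String path, Map<String, Set<String>> current) {
        String best = null;
        for (String prefix : current.keySet()) {
            boolean hit = path.equals(prefix)
                    || path.startsWith(prefix.endsWith("/") ? prefix : prefix + "/");
            if (hit && (best == null || prefix.length() > best.length())) best = prefix;
        }
        return best == null ? null : current.get(best);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Use the container-decoded path, not the raw request URI.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        Set<String> allowed = rolesFor(path, rules);
        if (allowed == null) { chain.doFilter(rq, rs); return; } // unconstrained, as in web.xml
        // Servlet 3.0: let the container run its configured login mechanism.
        if (req.getUserPrincipal() == null && !req.authenticate(res)) return;
        for (String role : allowed) {
            if (req.isUserInRole(role)) { chain.doFilter(rq, rs); return; }
        }
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

The role names used in the rules (A, B and C in the comment's example) still have to be declared to the container, for example as `security-role` entries in web.xml, and the filter has to be mapped to every path it should be able to protect.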