I am working on a project that has services that are annotated with @RolesAllowed. I know this annotation defines the roles that can access the method. But I am not sure where these roles are defined and how users will be added to different roles. I am using WebLogic as the application server.
Upvotes: 1
Views: 1145
Reputation: 69
There are many ways to set roles. For example, if you are using a Shiro JDBC realm, you can specify the query that gets roles from the username.
This example is from the Application class:
```java
@Bean
public Realm realm() {
    JdbcRealm realm = new JdbcRealm();
    realm.setDataSource(dataSource);
    // Stored credential for the login name
    realm.setAuthenticationQuery("SELECT password FROM user_login WHERE username = ?");
    // Roles assigned to the login name
    realm.setUserRolesQuery("SELECT role FROM user_role WHERE username = ?");
    // Permissions attached to each role
    realm.setPermissionsQuery("SELECT permission FROM role_permission WHERE role = ?");
    realm.setCredentialsMatcher(new HashedCredentialsMatcher(Sha512Hash.ALGORITHM_NAME));
    // Without this, the permissions query is never run
    realm.setPermissionsLookupEnabled(true);
    return realm;
}
```
The short answer is that the role is generally found by the realm using the login credential.
Most of the time:
JDBC Realms have a default query like "select role_name from user_roles where username = ?"
LDAP Realms will assign LDAP groups to Roles
...
Upvotes: -1
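To make the lookup in the answer above concrete, this added example (not part of the original answer and not Shiro's own code) runs the three queries from the realm configuration against a constructed in-memory SQLite database and shows that putting a user in a role is a row in `user_role`. The sample users and passwords, the `roles_allowed` helper and the unsalted hex-encoded SHA-512 storage format are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema; table and column names come from the queries in the answer.
SCHEMA = """
CREATE TABLE user_login (username TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE user_role (username TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE role_permission (role TEXT NOT NULL, permission TEXT NOT NULL);
"""

def sha512_hex(password):
    # Assumption: unsalted, single-iteration, hex-encoded SHA-512, mirroring the
    # matcher as configured in the answer. A salted, iterated hash is stronger.
    return hashlib.sha512(password.encode()).hexdigest()

def build_db():
    # Constructed sample users, roles and permissions.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user_login VALUES (?, ?)",
                   [("alice", sha512_hex("alice-pw")), ("bob", sha512_hex("bob-pw"))])
    db.executemany("INSERT INTO user_role VALUES (?, ?)",
                   [("alice", "admin"), ("alice", "user"), ("bob", "user")])
    db.executemany("INSERT INTO role_permission VALUES (?, ?)",
                   [("admin", "account:delete"), ("user", "account:read")])
    return db

def authenticate(db, username, password):
    row = db.execute("SELECT password FROM user_login WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], sha512_hex(password))

def roles_of(db, username):
    rows = db.execute("SELECT role FROM user_role WHERE username = ?", (username,))
    return {r[0] for r in rows}

def permissions_of(db, username):
    perms = set()
    for role in roles_of(db, username):
        rows = db.execute("SELECT permission FROM role_permission WHERE role = ?", (role,))
        perms.update(r[0] for r in rows)
    return perms

def roles_allowed(db, username, password, *allowed):
    # Hypothetical helper: the decision a @RolesAllowed check comes down to,
    # an authenticated caller holding at least one of the listed roles.
    return authenticate(db, username, password) and bool(roles_of(db, username) & set(allowed))
```
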