spocp-j2ee is a set of tools for integrating SPOCP in JBoss and Tomcat.
Using spocp-j2ee, JBoss and Tomcat can use SPOCP for authorization through the container-based declarative J2EE security model. This makes it possible to declare roles in your deployment descriptors (e.g. web.xml) and map those roles to SPOCP rules.
The generated documentation contains detailed installation instructions for the embedded Tomcat in JBoss 4, which allows you to use SPOCP to make authorization calls for both web applications and web services.
Begin by either building spocp-j2ee from source or downloading it from the SU maven2 repository. Install the jar file in $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar.
Edit $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml. First, replace the JaccAuthorizationRealm with the following entry:
<Realm className="org.spocp.jboss.jb4.SPOCPCatalinaRealm"
       server="spocp.example.com" />
The server and port arguments should reference your SPOCP server. The defaultRealmName is used to augment principals whose names lack a realm part. The SPOCPCatalinaRealm assumes that all principals have string representations of the form localpart@domainpart. If the domain part is missing (e.g. for 'local' principals), the defaultRealmName is used to create 'fully qualified' principals.
Next, include the following Valve entry above any authentication realms in the valve stack of the Host element, like so:
<Valve className="org.spocp.jboss.jb4.SPOCPCatalinaPrincipalValve" />
This Valve adds a SPOCPPrincipal to the Subject; the SPOCPCatalinaRealm uses it to cache authorization requests.
The SPOCPCatalinaRealm only deals with authorization. Authorization in J2EE is based on string role names: membership in a role is what application implementors use, declaratively or programmatically, to make authorization decisions. Checking whether a principal (localpart@domainpart in this version of the SPOCPCatalinaRealm) is in a role is translated into a SPOCP query of the form
(j2ee-role (identity (uid)(realm)) (role))
For instance, checking if test@example.org has the role foo-admin translates into the following query being sent to the SPOCP server:
(j2ee-role (identity (uid test)(realm example.org)) (role foo-admin))
Applications can use spocp-j2ee (and the SPOCPCatalinaRealm) in two ways: either programmatically, through the HttpServletRequest#isUserInRole API call (which causes the described query to be sent to the SPOCP server), or declaratively, in accordance with the J2EE specification.
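As an added illustration (not code from spocp-j2ee), the following Python shows how the role check described above becomes the j2ee-role query, how a principal lacking a domain part is augmented with the defaultRealmName, and how the per-principal cache the Valve enables avoids repeated round trips to the server. DEFAULT_REALM, ask_server, the atom check and the function names are assumptions of this example, not part of the project.

```python
from typing import Callable, Dict, Tuple

# Stand-in for the realm's defaultRealmName attribute (constructed value).
DEFAULT_REALM = "example.com"


def qualify_principal(name: str, default_realm: str = DEFAULT_REALM) -> Tuple[str, str]:
    """Split a principal into (localpart, domainpart); a 'local' principal
    without a domain part is augmented with default_realm, as the realm
    does with defaultRealmName."""
    name = name.strip()
    if "@" in name:
        local, _, domain = name.rpartition("@")
        if not local or not domain:
            raise ValueError(f"malformed principal: {name!r}")
        return local, domain
    if not name:
        raise ValueError("empty principal name")
    return name, default_realm


def sexp_atom(value: str) -> str:
    """Reject atoms that could alter the query's S-expression structure.
    Defensive check added in this example; the page does not specify it."""
    if not value or any(c.isspace() or c in "()" for c in value):
        raise ValueError(f"unsafe S-expression atom: {value!r}")
    return value


def role_query(principal: str, role: str, default_realm: str = DEFAULT_REALM) -> str:
    """Build the j2ee-role query shown above for a principal/role pair."""
    uid, realm = qualify_principal(principal, default_realm)
    return (f"(j2ee-role (identity (uid {sexp_atom(uid)})"
            f"(realm {sexp_atom(realm)})) (role {sexp_atom(role)}))")


def is_user_in_role(principal: str, role: str, ask_server: Callable[[str], bool],
                    cache: Dict[str, bool], default_realm: str = DEFAULT_REALM) -> bool:
    """Answer a role check, asking the server only for queries not yet cached.
    ask_server stands in for the round trip to the SPOCP server; cache plays
    the part of the per-principal cache the valve's SPOCPPrincipal enables."""
    query = role_query(principal, role, default_realm)
    if query not in cache:
        cache[query] = bool(ask_server(query))
    return cache[query]
```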