The System Authorization Facility (SAF) role mapper determines
how EJBROLE profile names are generated from application-defined role
names. The mapper is invoked whenever SAF authorization is performed
for an application role. The authorization check for the application
role is made against the underlying SAF security product using the
mapped profile name generated by the SAF role mapper.
The SAF role mapper can be configured via the <safRoleMapper> configuration element:
<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />
Attributes
- profilePattern="<string>"
  - The pattern used to map application roles to profile names.
  - %role% is substituted at run time with the value of the application role.
  - %resource% is substituted with the resource name, for example, the application name.
  - For example, for profilePattern="myprofile.%resource%.%role%", the profile generated for an access check to the resource "myapp" for the "admin" role is myprofile.myapp.admin.
  - The list of supported substitution variables:
    - %role%
      - The application role name. For the administrator role, the value is Administrator.
    - %resource%
      - The protected resource name. For security administration, the resource name is com.ibm.ws.management.security.resource.
    - %profilePrefix%
      - The profilePrefix, defined by the profilePrefix attribute in the <safCredentials> config element. The default value is BBGZDFLT.
  - If not specified, the default is profilePattern="%profilePrefix%.%resource%.%role%".
- toUpperCase="true|false"
  - Indicates whether the mapped profile name should be folded to upper case.
  - If not specified, the default is false.
Note: The SAF role mapper automatically replaces any wildcard characters (%&*) and whitespace in the mapped profile name with the '#' character.
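The mapping rules above, worked through in Python as an added example (not Liberty's own code), and extended one step beyond the page to list role names that end up on the same EJBROLE profile after '#' replacement and upper-casing. It assumes a single substitution pass, treats "whitespace" as any whitespace character, and leaves unknown %...% tokens to the '#' replacement; the function names and sample roles are constructed.

```python
import re
from collections import defaultdict

# Substitution variables listed on this page.
_VARS = re.compile(r"%(role|resource|profilePrefix)%")
# Wildcard characters (%&*) and whitespace, replaced with '#' per the note.
_UNSAFE = re.compile(r"[%&*\s]")


def map_profile(role, resource, pattern="%profilePrefix%.%resource%.%role%",
                profile_prefix="BBGZDFLT", to_upper=False):
    """Approximate the documented mapping of an application role to a profile name."""
    values = {"role": role, "resource": resource, "profilePrefix": profile_prefix}
    # Single pass: a '%role%' string inside a value is not expanded again (assumption).
    name = _VARS.sub(lambda m: values[m.group(1)], pattern)
    name = _UNSAFE.sub("#", name)
    return name.upper() if to_upper else name


def find_collisions(roles, resource, **kwargs):
    """Group role names that map to the same profile and so share one SAF decision."""
    by_profile = defaultdict(list)
    for role in roles:
        by_profile[map_profile(role, resource, **kwargs)].append(role)
    return {profile: names for profile, names in by_profile.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample roles for a hypothetical application "myapp".
    roles = ["admin", "Admin", "app admin", "app*admin", "auditor"]
    opts = {"pattern": "myprofile.%resource%.%role%", "to_upper": True}
    for role in roles:
        print(f"{role!r} -> {map_profile(role, 'myapp', **opts)}")
    print("collisions:", find_collisions(roles, "myapp", **opts))
```

Running the collision check over an application's declared roles before defining profiles shows where distinct application roles would be authorized by a single profile.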