Once you have identified the resources to protect, you need to identify the roles that are to have access to these resources.
Roles are an abstraction for grouping users under one heading relating to the tasks or permissions you wish to allow. For example, you may wish to allow administrator access to an application, access by normal customers and access by premium customers. So you could define three roles:
These roles are then allocated to the resources they are allowed to access. When deciding to which resources a given role should be allowed access, you should adhere to the principle of least privilege.
Each role should be allowed to access only those resources that it needs to complete its tasks, and no more.
Single Sign-on for Java will not work if there are existing security constraints defined in your deployment descriptor. This is because the container enforces these constraints before the Single Sign-on for Java Servlet/Filter is run, so they prevent access. However, you can copy these constraints directly from the existing deployment descriptor to the policy XML file.
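The following is an added example, not code from the Single Sign-on for Java documentation: it scans a web.xml deployment descriptor for the `<security-constraint>` entries that must be copied into the policy XML file and inverts them into a role-to-resource view for a least-privilege review. The sample descriptor is constructed using the three roles named above; the role and path names are assumptions.

```python
# Added example, not code from the Single Sign-on for Java documentation: find the
# <security-constraint> entries in web.xml and list which URL patterns each role reaches.
import xml.etree.ElementTree as ET

# Constructed sample descriptor using the three roles named in the text.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/premium/*</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>premium_customer</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>customer</role-name><role-name>premium_customer</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Drop the XML namespace so matching works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return [c.text.strip() for c in parent.iter()
            if _local(c.tag) == name and c.text and c.text.strip()]

def find_security_constraints(xml_text):
    """One dict per <security-constraint>: URL patterns, HTTP methods (an empty
    list means the constraint covers all methods) and the roles granted access."""
    root = ET.fromstring(xml_text)
    return [{"patterns": _texts(sc, "url-pattern"),
             "methods": _texts(sc, "http-method"),
             "roles": _texts(sc, "role-name")}
            for sc in root if _local(sc.tag) == "security-constraint"]

def roles_to_resources(constraints):
    """Invert to role -> sorted URL patterns: the view needed to confirm each
    role is allowed only the resources its tasks require."""
    mapping = {}
    for c in constraints:
        for role in c["roles"]:
            mapping.setdefault(role, set()).update(c["patterns"])
    return {r: sorted(p) for r, p in mapping.items()}
```

Any constraint the scan reports is one that would block the Single Sign-on for Java Servlet/Filter and needs to be carried over to the policy XML file.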
To set up the policy XML file
The following sections discuss each of these steps in more detail.
Create the file using a standard text editor. It should be saved with the extension .xml in the WEB-INF directory of the Web application.