Place all your policy definitions inside <policy> tags:
<!-- Define your policy entries inside the element -->
For each set of resources identified, you need to define a <security-constraint> that maps these resources to the roles that you wish to allow access to them.
Resources that may be accessed by customers
You can define one or more security constraints, and they can map to multiple resources and roles.
Note: If you had previously defined security constraints in your deployment descriptor, you can copy them directly into the policy file.
You have two options for defining roles:
Either option can be used; however, if you are using programmatic security we recommend defining the roles directly in the policy file (see Single Sign-on for Java authorization), because this allows group membership to be resolved by querying Active Directory when the policy is loaded rather than at run time.
If you are using the idm.access.groupsAsRoles option, we recommend defining Domain Local groups that are specific to your application, in the same domain as the application server.
To define a role mapping to Active Directory groups using the role element, do the following:
<group name="My Application Customers"/>
Note: Group names are case-sensitive.
More examples of the role element are given on the Examples page.
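As an added example (not taken from the product documentation), a complete policy file that maps a URL pattern to a role and maps that role to an Active Directory group. The <security-constraint> body follows the standard servlet deployment-descriptor structure that the text says can be copied from web.xml; the `name` attribute on the <role> element, the "customers" role and the /customer/* URL pattern are assumptions based on the fragments above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy file. The <role name="..."> attribute is assumed;
     <policy>, <security-constraint> and <group name="..."/> come from the text. -->
<policy>

  <!-- Resources that may be accessed by customers.
       No <http-method> is listed on purpose: in the servlet model, listing
       methods constrains only those methods and leaves the rest unprotected,
       whereas omitting the element constrains every method for the pattern. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer pages</web-resource-name>
      <url-pattern>/customer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Role-to-group mapping. The group name is case-sensitive and should be a
       Domain Local group in the same domain as the application server. -->
  <role name="customers">
    <group name="My Application Customers"/>
  </role>

</policy>
```

Any request matching /customer/* is then granted only to users whose Active Directory group membership includes "My Application Customers"; everything not covered by a security constraint stays unconstrained, so check that each sensitive path appears in some <url-pattern>.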
Edit the deployment descriptor (web.xml) file using either a standard text editor or a tool supplied by your application server vendor. Add the following parameters to your SSO Servlet/Filter configuration:
Here policy.xml is replaced with the name of your policy file.