Tags: security, jakarta-ee, web-applications, glassfish, jaas

How to avoid adding a principal in the glassfish-web.xml file?


I have a small web application that uses jdbcRealm for authentication/authorisation. The authorisation works only if I put the user name in the glassfish-web.xml:

<glassfish-web-app error-url="">
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
    <security-role-mapping>
        <role-name>connexion</role-name>
        <principal-name>test</principal-name>
        <group-name>connexion</group-name>
    </security-role-mapping>
</glassfish-web-app>

web.xml

<!--other stuff-->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/Downloader</url-pattern>
            <url-pattern>/start.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>connexion</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>my_realm</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>connexion</role-name>
    </security-role>
<!--other stuff-->

If I remove the principal from the glassfish-web.xml I get a 403 access denied error. Is there any solution to avoid adding principals in the XML file? Thanks.


Solution

  • Yes, there is. In your security realm (from the content of web.xml, that is my_realm), associate the username you are logging in with the appropriate group, in your case connexion. In other words, every user that belongs to the group connexion will have access to the protected resource, and therefore you don't have to enumerate the principals; that's the purpose of groups.

    Reference & further reading: Java EE 6 tutorial
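The following script is an added example illustrating the answer above; it is not code from the original question or answer. It provisions the database side of a GlassFish jdbcRealm so that authorisation is decided by group membership stored in the database, registers the realm with the column mapping the realm needs, and emits the glassfish-web.xml mapping that lists only the group. The table and column names (users, user_groups, username, password, groupname), the JDBC resource jdbc/my_realm_ds, and the choice of SHA-256 with Hex encoding for stored passwords are assumptions made for this example; adjust them to your schema. The realm name my_realm matches the <realm-name> in the question's web.xml.

```shell
#!/bin/sh
# Added example (not from the original post): provision a GlassFish jdbcRealm
# so that access is granted by group membership held in the database, and
# glassfish-web.xml maps the role to a group only (no <principal-name>).
# Assumed (not in the original post): table/column names below, a JDBC
# resource at jdbc/my_realm_ds, digest-algorithm=SHA-256 with Hex encoding.
set -eu

# Hex SHA-256 of a string, which is what the realm compares against when
# configured with digest-algorithm=SHA-256 and encoding=Hex. No trailing
# newline is hashed, so the digest matches what the realm computes.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# Escape a value for use inside a single-quoted SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Schema the realm is pointed at: one row per user, one row per
# (user, group) membership. The group table must carry the user name in a
# column named like user-name-column unless group-table-user-name-column
# is set on the realm.
emit_schema_sql() {
    cat <<'SQL'
CREATE TABLE users (
    username VARCHAR(64) NOT NULL PRIMARY KEY,
    password VARCHAR(64) NOT NULL
);
CREATE TABLE user_groups (
    username  VARCHAR(64) NOT NULL REFERENCES users(username),
    groupname VARCHAR(64) NOT NULL,
    PRIMARY KEY (username, groupname)
);
SQL
}

# INSERT statements that create one user and place it in one group.
# Membership in "connexion" is what the role mapping below keys on, so no
# principal ever has to be listed in glassfish-web.xml.
emit_user_sql() {
    user="$(sql_quote "$1")"
    digest="$(sha256_hex "$2")"
    group="$(sql_quote "$3")"
    printf "INSERT INTO users (username, password) VALUES ('%s', '%s');\n" "$user" "$digest"
    printf "INSERT INTO user_groups (username, groupname) VALUES ('%s', '%s');\n" "$user" "$group"
}

# asadmin commands to register the realm against a running domain. A JDBC
# connection pool and resource bound at jdbc/my_realm_ds must already exist.
emit_asadmin_commands() {
    cat <<'EOF'
asadmin create-auth-realm \
  --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm \
  --property jaas-context=jdbcRealm:datasource-jndi=jdbc/my_realm_ds:user-table=users:user-name-column=username:password-column=password:group-table=user_groups:group-name-column=groupname:digest-algorithm=SHA-256:encoding=Hex \
  my_realm
# Optional: map each role name straight to the group of the same name, which
# makes the <security-role-mapping> element unnecessary altogether.
asadmin set server-config.security-service.activate-default-principal-to-role-mapping=true
EOF
}

# Role-to-group mapping for glassfish-web.xml: role "connexion" is granted to
# every member of group "connexion", with no <principal-name> element.
emit_role_mapping_xml() {
    cat <<'XML'
<security-role-mapping>
    <role-name>connexion</role-name>
    <group-name>connexion</group-name>
</security-role-mapping>
XML
}

main() {
    emit_schema_sql
    # Constructed sample user for the example; the password is a placeholder.
    emit_user_sql "test" "change-me-before-use" "connexion"
    emit_asadmin_commands
    emit_role_mapping_xml
}

main
```

Run the script and feed the SQL it prints to the database behind jdbc/my_realm_ds, then run the two asadmin lines. After that, adding a user is an INSERT into users plus an INSERT into user_groups; nothing in the deployed archive changes. If you enable the default principal-to-role mapping, keep role and group names identical (both "connexion" here) and drop the security-role-mapping element from glassfish-web.xml entirely.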