
j2ee - User with multiple security roles


I am developing a Java Servlets webapp which will use container-based security to authenticate users. Now my question is: can a user be mapped to more than one security role?

For example, in my case:

A User can be a

  • Teacher
  • Co-ordinator (who can also be a Teacher)
  • Admin (who can also be a Teacher)

Now obviously the Admin will have privileges to access more functionality than the Teacher. So how is that possible with just container-based security for a container like Tomcat?

I am also not using any framework like Spring Security or Apache Shiro.


Solution

  • In short, a user (or, even better, a group) can be mapped to many security roles. The easiest way is to define the security roles in web.xml, like this:

      <security-role>
        <role-name>teacher</role-name>
      </security-role>
      ....
    

    and then use them in <security-constraint>, where you specify which roles have access to a given set of resources.

    Finally, you need to map these roles to users, which is server-specific.

    You can find some basic information regarding security roles and constraints in the WebSphere Application Server V7.0 Security Guide, in the Securing web applications chapter.

    Instead of using Tomcat, I'd suggest using WebSphere Liberty and Eclipse with WebSphere Developer Tools. It has a nice graphical interface for editing web.xml, so you will be able to easily define these roles and constraints. It also has a server configuration editor where you can configure a basic registry with users and groups and create the mapping between roles and users.

    If you need more info on how to set it up in Liberty, you can check the WebSphere Liberty Profile Guide for Developers.
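The following is an added example for the Tomcat case the question asks about; it is not part of the answer above and not code from any project. It shows the two halves the answer describes: the web.xml that declares the three roles and protects two URL spaces with them, and the server-specific user-to-role mapping, here Tomcat's conf/tomcat-users.xml as read by the default UserDatabaseRealm. The role names come from the question; the URL patterns (/teacher/*, /admin/*), login pages, usernames and passwords are made up for the example.

```xml
<!-- ===== WEB-INF/web.xml (Servlet 3.1) =====
     Declares the roles and says which role may reach which URL space.
     A user who holds several roles passes every constraint that names
     any one of them, so an admin who is also a teacher gets both areas. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Role names used by the constraints below and by request.isUserInRole() -->
  <security-role><role-name>teacher</role-name></security-role>
  <security-role><role-name>coordinator</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- /teacher/* : any authenticated user holding the teacher role.
       No <http-method> is listed on purpose: an omitted http-method list
       covers ALL methods; listing only GET and POST would leave the other
       verbs (PUT, DELETE, ...) unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Teacher area</web-resource-name>
      <url-pattern>/teacher/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>teacher</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /admin/* : only the admin role. A teacher without admin is refused
       with 403 even though they are authenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Servlet 3.1: refuse any HTTP method a constraint does not cover,
       instead of silently allowing it. -->
  <deny-uncovered-http-methods/>

  <!-- How the container authenticates; the pages are assumed to exist. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>School</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

<!-- ===== $CATALINA_BASE/conf/tomcat-users.xml (Tomcat-specific) =====
     This is the server-side half: it maps users to roles. The roles
     attribute is a comma-separated list, which is exactly how one user
     ends up in more than one security role. Passwords are placeholders. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="teacher"/>
  <role rolename="coordinator"/>
  <role rolename="admin"/>

  <!-- alice: teacher only -> /teacher/* allowed, /admin/* refused (403) -->
  <user username="alice" password="CHANGE-ME-1" roles="teacher"/>
  <!-- bob: teacher and coordinator -->
  <user username="bob"   password="CHANGE-ME-2" roles="teacher,coordinator"/>
  <!-- carol: teacher and admin -> passes both constraints above -->
  <user username="carol" password="CHANGE-ME-3" roles="teacher,admin"/>
</tomcat-users>
```

Inside a servlet, `request.isUserInRole("admin")` returns true for carol and false for alice, so finer-grained checks within a page can build on the same role set without any extra framework. Two practical caveats when copying this: the plaintext passwords in tomcat-users.xml are for a development box only (Tomcat's realms can be configured with a CredentialHandler to store hashed credentials instead), and a `<security-constraint>` with no `<auth-constraint>` at all means "open to everyone", while an empty `<auth-constraint/>` means "nobody", so check which of the two you have written before deploying.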