geronimo-dev mailing list archives

From "Cabrera, Alan" <>
Subject RE: *ModuleConfiguration broke Geronimo-Nova integration
Date Mon, 05 Jan 2004 20:17:05 GMT

> -----Original Message-----
> From: David Jencks []
> On Monday, January 5, 2004, at 04:20 AM, Alan D. Cabrera wrote:
> >> <snip>
> >> OK, this makes sense.  However, there are a lot of levels of
> >> indirection (let's assume there is only one realm):
> >>
> >> user --nxm-- principal --nxm-- role --nxm-- method
> >>
> >> If there is only one realm and it is easy to specify the principals
> >> each user gets in the login system, it might be worthwhile to
> >> provide a shortcut security mapping that equated roles and
> >> principals.  Does this make any sense?
> >
> > I'm not clear on what this shortcut security mapping is and why it's
> > needed.  It kind of sounds like the principal/role mapping that is in
> > the deployment descriptor.
> My suggestion is a way to set up a simple principal/role mapping
> easily: principal == role.
> I'm worried that your scheme may be hard to set up for simple
> scenarios.
> The entire declarative security scheme is logically equivalent, IIUC,
> to a single map
> user --nxm-- method.
> Everything else is introduced to make administration and modification
> easier.
> Since users come and go frequently, the ejb model suggests at least
> user --nxm-- roles --nxm-- methods
> Your model further decomposes user --nxm-- roles to user --nxm--
> principals --nxm-- roles.

I do this because LoginModules return principals and my implementation of
JACC works w/ principals.  Let me also state that the following is what is
stored in the security mapping:

principals --nxm-- roles --nxm-- methods

The mapping of user --nxm-- principals is virtually done by the LoginModule.

> I'm just suggesting that we provide a way to set up a trivial
> principal -- role mapping without explicitly listing all the mapping
> elements.  This would purely be for convenience in case someone wanted
> to, logically, directly assign roles to users.

I think I understand now and agree that this is a useful case to support.
Let me state how I understand this. We're looking to support

trivial principals --1x1-- roles --nxm-- methods

where we have LoginModules that stuff trivial principals into subjects, i.e.
do the user --nxm-- trivial principals mapping.  Off the top of my head, I
think that the simplification should take place in the tool that creates the
security descriptor so that it looks like 

roles --nxm-- methods

to the deployer.  

What do you think?  Did I make sense?


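The two mapping styles discussed in this message, as an added illustration that is not Geronimo code or anything either poster wrote: the stored descriptor `principals --nxm-- roles --nxm-- methods` with explicit principal-to-role elements, beside the shortcut where a trivial principal's name is taken as the role name so the deployer only sees `roles --nxm-- methods`. It uses only the JDK's `java.security.Principal` and `javax.security.auth.Subject`; the class names, the `login()` stand-in for a LoginModule's commit step, and the users, principals, roles and method names are all invented for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

/**
 * Added illustration (not Geronimo code) of
 *   principals --nxm-- roles --nxm-- methods
 * and of the "trivial principal" shortcut, where a principal's name is the role.
 * All names below are invented for the example.
 */
public class SecurityMappingDemo {

    /** Minimal Principal; stands in for whatever a LoginModule adds to the Subject. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** The security mapping deployed with the module. */
    static final class SecurityMapping {
        private final Map<String, Set<String>> principalToRoles = new HashMap<>();
        private final Map<String, Set<String>> roleToMethods = new HashMap<>();
        /** Shortcut switch: a principal whose name matches a declared role is in that role. */
        private final boolean trivialPrincipals;

        SecurityMapping(boolean trivialPrincipals) { this.trivialPrincipals = trivialPrincipals; }

        /** One explicit principal -> roles element of the descriptor. */
        SecurityMapping mapPrincipal(String principalName, String... roles) {
            principalToRoles.computeIfAbsent(principalName, k -> new HashSet<>())
                            .addAll(Arrays.asList(roles));
            return this;
        }

        /** One role -> methods element of the descriptor. */
        SecurityMapping permit(String role, String... methods) {
            roleToMethods.computeIfAbsent(role, k -> new HashSet<>())
                         .addAll(Arrays.asList(methods));
            return this;
        }

        /** principals --nxm-- roles, evaluated over the Subject the LoginModule built. */
        Set<String> rolesFor(Subject subject) {
            Set<String> roles = new HashSet<>();
            for (Principal p : subject.getPrincipals()) {
                roles.addAll(principalToRoles.getOrDefault(p.getName(), Collections.emptySet()));
                // Shortcut: the principal name itself is the role, but only for declared roles.
                if (trivialPrincipals && roleToMethods.containsKey(p.getName())) {
                    roles.add(p.getName());
                }
            }
            return roles;
        }

        /** roles --nxm-- methods: may any role the caller holds invoke this method? */
        boolean mayInvoke(Subject subject, String method) {
            for (String role : rolesFor(subject)) {
                if (roleToMethods.getOrDefault(role, Collections.emptySet()).contains(method)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Stands in for a LoginModule's commit(): user --nxm-- principals.  Constructed data. */
    static Subject login(String user) {
        Subject subject = new Subject();
        if ("alice".equals(user)) {
            subject.getPrincipals().add(new NamedPrincipal("alice"));
            subject.getPrincipals().add(new NamedPrincipal("accounting"));
        } else if ("bob".equals(user)) {
            subject.getPrincipals().add(new NamedPrincipal("bob"));
            subject.getPrincipals().add(new NamedPrincipal("clerk"));
        }
        return subject;
    }

    public static void main(String[] args) {
        // Full form: the deployer lists principal -> role explicitly.
        SecurityMapping explicit = new SecurityMapping(false)
                .mapPrincipal("accounting", "Auditor")
                .permit("Auditor", "Ledger.read", "Ledger.audit")
                .permit("Clerk", "Ledger.read");

        // Shortcut form: roles carry the trivial principals' names; no mapping elements at all.
        SecurityMapping shortcut = new SecurityMapping(true)
                .permit("accounting", "Ledger.read", "Ledger.audit")
                .permit("clerk", "Ledger.read");

        Subject alice = login("alice");
        Subject bob = login("bob");
        System.out.println("explicit: alice Ledger.audit -> " + explicit.mayInvoke(alice, "Ledger.audit"));
        System.out.println("explicit: bob   Ledger.read  -> " + explicit.mayInvoke(bob, "Ledger.read"));
        System.out.println("shortcut: bob   Ledger.read  -> " + shortcut.mayInvoke(bob, "Ledger.read"));
        System.out.println("shortcut: bob   Ledger.audit -> " + shortcut.mayInvoke(bob, "Ledger.audit"));
    }
}
```

Under the explicit mapping, bob is denied `Ledger.read` even though the descriptor declares a `Clerk` role, because nothing maps his `clerk` principal onto it; under the shortcut the same descriptor works with no mapping elements, which is the convenience being asked for. The price of the shortcut is that the set of principal names a LoginModule emits becomes the role assignment, so the shortcut should only be enabled for login modules whose principal names are under the deployer's control.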
