geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dain Sundstrom <>
Subject Re: [jira] Commented: (GERONIMO-454) Support Group Name = Role Name Role Mapping
Date Thu, 06 Jan 2005 20:23:17 GMT


On Jan 6, 2005, at 12:13 PM, Alan D. Cabrera wrote:

> We can create a mapping server.  The DD has the configuration that
> dictates the role mapping policy that the role mapping service is to
> use.  The out of the box role mapping can be generate a role mapping 
> and
> freeze it at the first container startup.  The server would have a
> run-time management interface that would allow us to inspect the
> mappings.  We could also use the run-time interface to change the role
> mapping while the app is running.
> Regards,
> Alan
>> -----Original Message-----
>> From: Dain Sundstrom []
>> Sent: Wednesday, January 05, 2005 8:05 PM
>> To:
>> Subject: Re: [jira] Commented: (GERONIMO-454) Support Group Name =
> Role
>> Name Role Mapping
>> On Jan 5, 2005, at 4:12 PM, Alan D. Cabrera wrote:
>>> I am not arguing against automapping, I am arguing against
> automapping
>>> taking place at after the delivery of the DDs.  I am also not
> arguing
>>> for users writing our DDs directly.
>>> Your analogy to CMP mapping is not quite the same as automapping of
>>> roles for a number of reasons.  DB schema is not as likely to change
>>> and
>>> when it does, the results are immediately known; role automapping
> can
>>> have unwanted results that may not be discovered for a long time, if
>>> ever.  The CMP automapping always results in the exact same mapping,
>>> the
>>> role automapping does not.
>> The last thing we want is for security to be difficult to use.  If it
>> is, then no one will use it and we are worse off.  Is there some
>> solution you are thinking of that is easy or automatic?  I'm not
>> talking about complex security setups, but the simple ones.  The
> simple
>> stuff should be simple and the complex stuff possible.
>> -dain

View raw message