geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan D. Cabrera" <>
Subject RE: [jira] Commented: (GERONIMO-454) Support Group Name = Role Name Role Mapping
Date Thu, 06 Jan 2005 20:13:23 GMT
We can create a mapping server.  The DD has the configuration that
dictates the role mapping policy that the role mapping service is to
use.  The out of the box role mapping can be generate a role mapping and
freeze it at the first container startup.  The server would have a
run-time management interface that would allow us to inspect the
mappings.  We could also use the run-time interface to change the role
mapping while the app is running.


> -----Original Message-----
> From: Dain Sundstrom []
> Sent: Wednesday, January 05, 2005 8:05 PM
> To:
> Subject: Re: [jira] Commented: (GERONIMO-454) Support Group Name =
> Name Role Mapping
> On Jan 5, 2005, at 4:12 PM, Alan D. Cabrera wrote:
> > I am not arguing against automapping, I am arguing against
> > taking place at after the delivery of the DDs.  I am also not
> > for users writing our DDs directly.
> >
> > Your analogy to CMP mapping is not quite the same as automapping of
> > roles for a number of reasons.  DB schema is not as likely to change
> > and
> > when it does, the results are immediately known; role automapping
> > have unwanted results that may not be discovered for a long time, if
> > ever.  The CMP automapping always results in the exact same mapping,
> > the
> > role automapping does not.
> The last thing we want is for security to be difficult to use.  If it
> is, then no one will use it and we are worse off.  Is there some
> solution you are thinking of that is easy or automatic?  I'm not
> talking about complex security setups, but the simple ones.  The
> stuff should be simple and the complex stuff possible.
> -dain

View raw message