Message-ID: <1506992433.1104854053499.JavaMail.jira@ajax.apache.org>
Date: Tue, 4 Jan 2005 16:54:13 +0100 (CET)
From: "Alan Cabrera (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Commented: (GERONIMO-454) Support Group Name = Role Name Role Mapping
In-Reply-To: <1418901804.1099882172267.JavaMail.apache@nagoya>

[ http://issues.apache.org/jira/browse/GERONIMO-454?page=comments#action_57267 ]

Alan Cabrera commented on GERONIMO-454:
---------------------------------------

Automapping at the "descriptor" level is a bad idea. This should be done in the deployment tool where the deployer can review the automapping.

> Support Group Name = Role Name Role Mapping
> -------------------------------------------
>
>          Key: GERONIMO-454
>          URL: http://issues.apache.org/jira/browse/GERONIMO-454
>      Project: Apache Geronimo
>         Type: Improvement
>   Components: deployment, security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>
> Currently, you must manually map principals to roles in the security component of a deployment descriptor. In the common case where group names match role names, this seems like unnecessary overhead.
> Alan and I talked and our plan is to make the role-mapping parts of the security elements look something like this:
>
> ...
> ?
> foo.GroupPrincipal*
>
> ?
> ...
>
> The automatic-role-mapping is the new bit. If you specify that element empty, it would map every principal type the security realm considers to be a group to roles. For example, if you configure the security realm to consider the principal class "foo.GroupPrincipal" as a role, and use an empty automatic-role-mapping element, that's what you'd get. You can also manually specify one or more principal classes that should be automatically mapped to roles. In any of these cases, the "automatic" mapping is done based on the role name and group name matching.
> If you specify automatic mapping *and* individual role mapping, then the user just needs to qualify for the role based on either one or the other (not both). So you could use a manual role mapping to add eligible users on top of the automatic role mapping, but not to subtract users from the automatic role mapping.
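
The mapping semantics proposed in the issue description, as an added example that is not part of the original message and is not Geronimo code: it resolves a subject's effective roles as the union of automatic (group name equals role name) and manual mappings, and prints the result in the form a deployer could review. The class names, the method `effectiveRoles` and the `SimpleClassName=principalName` manual-entry format are hypothetical, and the subjects are constructed sample data.

```java
import java.security.Principal;
import java.util.*;
// Added sketch: all names here are hypothetical, not Geronimo classes.
public class RoleMappingSketch {
    static class Named implements Principal {
        final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // Constructed stand-ins for the realm's group and user principal classes.
    static class GroupPrincipal extends Named { GroupPrincipal(String n) { super(n); } }
    static class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }

    /**
     * Effective roles = automatic matches UNION manual matches.
     * autoClasses == null: no automatic-role-mapping element in the descriptor.
     * autoClasses empty:   map every class the realm considers a group.
     * manual: role name -> "SimpleClassName=principalName" entries (assumed format).
     */
    static Set<String> effectiveRoles(Set<Principal> subject, Set<String> declaredRoles,
            Set<Class<?>> realmGroupClasses, Set<Class<?>> autoClasses,
            Map<String, Set<String>> manual) {
        Set<String> roles = new TreeSet<>();
        if (autoClasses != null) {
            Set<Class<?>> classes = autoClasses.isEmpty() ? realmGroupClasses : autoClasses;
            for (Principal p : subject)
                if (classes.contains(p.getClass()) && declaredRoles.contains(p.getName()))
                    roles.add(p.getName()); // group name == role name
        }
        for (Map.Entry<String, Set<String>> e : manual.entrySet())
            for (Principal p : subject)
                if (e.getValue().contains(p.getClass().getSimpleName() + "=" + p.getName()))
                    roles.add(e.getKey()); // manual entries only ever add roles
        return roles;
    }

    public static void main(String[] args) {
        Set<String> declared = new HashSet<>(Arrays.asList("admin", "auditor"));
        Set<Class<?>> groups = Collections.<Class<?>>singleton(GroupPrincipal.class);
        Set<Class<?>> emptyElement = Collections.emptySet();
        Map<String, Set<String>> manual = Collections.singletonMap("auditor", Collections.singleton("UserPrincipal=alice"));
        Set<Principal> alice = new HashSet<>(Arrays.asList(new UserPrincipal("alice"), new GroupPrincipal("staff")));
        Set<Principal> bob = new HashSet<>(Arrays.asList(new UserPrincipal("bob"), new GroupPrincipal("admin")));
        // Print the resolved mapping so a deployer can review it before deployment.
        System.out.println("alice -> " + effectiveRoles(alice, declared, groups, emptyElement, manual));
        System.out.println("bob   -> " + effectiveRoles(bob, declared, groups, emptyElement, manual));
        System.out.println("bob, no automatic element -> " + effectiveRoles(bob, declared, groups, null, manual));
    }
}
```

With the automatic element present, membership in a realm group named `admin` is enough to hold the `admin` role, and no manual entry can take that away; that resolved table is what a deployer would check at deployment time.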