geronimo-dev mailing list archives

From "Alan D. Cabrera" <>
Subject Re: Role Mapping Seems Incomplete
Date Sun, 21 Aug 2005 20:18:56 GMT
Aaron Mulder wrote, On 8/18/2005 4:13 PM:

>	So in the security settings, each login module has a login domain
>name.  This is so that a single realm could distinguish between principals
>(with the same name) from two login modules of the same class.  For
>example, if you have two LDAP login modules pointing to different servers,
>you could distinguish based on principal class and login domain name so
>"administrator" from server A is different than "administrator" from
>server B.
>	However, in our role mapping, we let you specify a realm, 
>principal class, and principal name, but not a login domain name.  In 
>other words, all LDAP-group-administrator entries look the same, 
>regardless of which server they originate from.
>	I think the mapping should have a login-domain-name attribute on
>the "principal" XML type.  I'd say it should be optional so you only have
>to use it if you care to distinguish (it would be obnoxious to need to 
>specify it every time).  We could also do this with another surrounding 
>element like (but within) "realm" -- I guess I don't care all that much 
>either way.
>	What I don't have a handle on is the changes required to our 
>security processing infrastructure to make this work.  I'm not sure 
>whether or how the login domain name propagates on the principals we 
>create, though I have a vague memory that the principal wrappers were 
>going to hold the login domain names.
>	Does this sound familiar to anyone?  David J?  Alan?
The realm is a holdover from when login domains used to be called login 
realms.  I imagine that there was some confusion during one of the 
updates and it ended up actually being a realm.  From our discussions on 
IRC, I believe that we need to allow scoping of the principal to 
optionally include both the realm and login domain.  The reason for 
"adding" the realm is that login domains may be shared by security 
realms; it would be nice to be able to keep the name of the login 
domains the same to keep things tractable.
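To make the distinction discussed above concrete, here is an added illustration (not Geronimo's code, and not part of either message) of what the proposed optional scoping buys. Two LDAP login modules hand back a group principal named "administrator", one tagged with login domain "ldap-server-a" and one with "ldap-server-b"; a role mapping entry that specifies only realm, principal class and name matches both, while an entry carrying the optional login-domain-name matches only one. The realm, login domain names, the principal class name org.example.GroupPrincipal and the role names are assumptions chosen for the example, and a null realm or null login domain in a mapping entry is taken to mean "match any", which is one reading of "optional" in the thread.

```java
import java.util.*;

// Added example, not Geronimo code. A principal as a login module might
// produce it, tagged with the security realm and login domain it came from.
// Field names are assumptions for the illustration.
record ScopedPrincipal(String realm, String loginDomain,
                       String principalClass, String name) {}

// One <principal> entry of a role mapping. realm and loginDomain are
// optional: null means "match any", mirroring the optional attribute
// proposed in the thread. principalClass and name are always required.
record PrincipalMatcher(String realm, String loginDomain,
                        String principalClass, String name) {
    boolean matches(ScopedPrincipal p) {
        return principalClass.equals(p.principalClass())
            && name.equals(p.name())
            && (realm == null || realm.equals(p.realm()))
            && (loginDomain == null || loginDomain.equals(p.loginDomain()));
    }
}

// Role -> list of matchers. A principal holds a role if any matcher for
// that role accepts it.
final class RoleMapping {
    private final Map<String, List<PrincipalMatcher>> roleToMatchers = new LinkedHashMap<>();

    void map(String role, PrincipalMatcher m) {
        roleToMatchers.computeIfAbsent(role, r -> new ArrayList<>()).add(m);
    }

    Set<String> rolesFor(ScopedPrincipal p) {
        Set<String> roles = new TreeSet<>();
        for (Map.Entry<String, List<PrincipalMatcher>> e : roleToMatchers.entrySet()) {
            for (PrincipalMatcher m : e.getValue()) {
                if (m.matches(p)) { roles.add(e.getKey()); break; }
            }
        }
        return roles;
    }
}

public class LoginDomainScopingDemo {
    public static void main(String[] args) {
        // Constructed sample principals: same class and name, different
        // login domains (two LDAP servers behind one realm).
        ScopedPrincipal adminA = new ScopedPrincipal(
            "app-realm", "ldap-server-a", "org.example.GroupPrincipal", "administrator");
        ScopedPrincipal adminB = new ScopedPrincipal(
            "app-realm", "ldap-server-b", "org.example.GroupPrincipal", "administrator");

        // Mapping as the current schema allows: realm, class and name only.
        // Both principals collapse onto the same entry and both get Admin.
        RoleMapping unscoped = new RoleMapping();
        unscoped.map("Admin", new PrincipalMatcher(
            "app-realm", null, "org.example.GroupPrincipal", "administrator"));
        System.out.println("unscoped A: " + unscoped.rolesFor(adminA)); // [Admin]
        System.out.println("unscoped B: " + unscoped.rolesFor(adminB)); // [Admin]

        // Mapping with the proposed optional login-domain-name. The
        // administrator group from server A is an Admin; the one from
        // server B is only a Reader.
        RoleMapping scoped = new RoleMapping();
        scoped.map("Admin", new PrincipalMatcher(
            "app-realm", "ldap-server-a", "org.example.GroupPrincipal", "administrator"));
        scoped.map("Reader", new PrincipalMatcher(
            null, "ldap-server-b", "org.example.GroupPrincipal", "administrator"));
        System.out.println("scoped A: " + scoped.rolesFor(adminA)); // [Admin]
        System.out.println("scoped B: " + scoped.rolesFor(adminB)); // [Reader]
    }
}
```

The second mapping also shows the point in the reply about sharing login domain names across realms: the "Reader" entry omits the realm, so it would match an "administrator" from ldap-server-b regardless of which realm that login domain is attached to, while the "Admin" entry pins both the realm and the login domain.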

