geronimo-dev mailing list archives

From Aaron Mulder <>
Subject Role Mapping Seems Incomplete
Date Thu, 18 Aug 2005 23:13:59 GMT
	So in the security settings, each login module has a login domain
name.  This is so that a single realm could distinguish between principals
(with the same name) from two login modules of the same class.  For
example, if you have two LDAP login modules pointing to different servers,
you could distinguish based on principal class and login domain name so
"administrator" from server A is different than "administrator" from
server B.

	However, in our role mapping, we let you specify a realm, 
principal class, and principal name, but not a login domain name.  In 
other words, all LDAP-group-administrator entries look the same, 
regardless of which server they originate from.

	I think the mapping should have a login-domain-name attribute on
the "principal" XML type.  I'd say it should be optional so you only have
to use it if you care to distinguish (it would be obnoxious to need to 
specify it every time).  We could also do this with another surrounding 
element like (but within) "realm" -- I guess I don't care all that much 
either way.

	What I don't have a handle on is the changes required to our 
security processing infrastructure to make this work.  I'm not sure 
whether or how the login domain name propagates on the principals we 
create, though I have a vague memory that the principal wrappers were 
going to hold the login domain names.

	Does this sound familiar to anyone?  David J?  Alan?
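
The collision described in the message, as an added Python model (this is not Geronimo code; the realm, principal class, login-domain and role names are constructed): a mapping keyed on realm, class and name alone grants "administrator" from server B the same roles as "administrator" from server A, while a mapping with an optional login-domain entry keeps them apart and still lets domain-less entries apply to every domain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A principal as produced by one login module; the login domain is
    the name of the module that created it (constructed model)."""
    realm: str
    principal_class: str
    name: str
    login_domain: str


# Today's mapping: (realm, principal class, principal name) -> roles.
LEGACY_MAPPING = {
    ("app-realm", "org.example.GroupPrincipal", "administrator"): {"Admin"},
}

# Proposed mapping: a fourth, optional login-domain-name component.
# None means the entry applies regardless of login domain, so existing
# entries that do not care about the domain keep working unchanged.
PROPOSED_MAPPING = {
    ("app-realm", "org.example.GroupPrincipal", "administrator", "ldap-server-a"): {"Admin"},
    ("app-realm", "org.example.GroupPrincipal", "staff", None): {"Employee"},
}


def legacy_roles(principal, mapping=LEGACY_MAPPING):
    """Current lookup: the login domain is never consulted."""
    key = (principal.realm, principal.principal_class, principal.name)
    return set(mapping.get(key, ()))


def proposed_roles(principal, mapping=PROPOSED_MAPPING):
    """Proposed lookup: an entry matches when its login domain is omitted
    (None) or equals the domain recorded on the principal."""
    roles = set()
    for (realm, cls, name, domain), granted in mapping.items():
        same_identity = (realm, cls, name) == (
            principal.realm, principal.principal_class, principal.name)
        if same_identity and domain in (None, principal.login_domain):
            roles |= granted
    return roles


# Constructed principals: same class and name, different LDAP servers.
ADMIN_A = Principal("app-realm", "org.example.GroupPrincipal", "administrator", "ldap-server-a")
ADMIN_B = Principal("app-realm", "org.example.GroupPrincipal", "administrator", "ldap-server-b")
STAFF_B = Principal("app-realm", "org.example.GroupPrincipal", "staff", "ldap-server-b")
```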
