geronimo-dev mailing list archives

From "David Blevins (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-890) Role Mapping using Login Domain Name
Date Mon, 26 Sep 2005 22:12:35 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]

David Blevins updated GERONIMO-890:
-----------------------------------

    Fix Version: 1.0
                     (was: 1.0-M5)

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4, 1.0-M3
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>      Fix For: 1.0

>
> In the security settings, each login module has a login domain name. This is so that a single realm could distinguish between principals (with the same name) from two login modules of the same class. For example, if you have two LDAP login modules pointing to different servers, you could distinguish based on principal class and login domain name so "administrator" from server A is different than "administrator" from server B.
> However, in our role mapping, we let you specify a realm, principal class, and principal name, but not a login domain name. In other words, all LDAP-group-administrator entries look the same, regardless of which server they originate from.
> I think the mapping should have a login-domain-name attribute on the "principal" XML type. I'd say it should be optional so you only have to use it if you care to distinguish (it would be obnoxious to need to specify it every time). We could also do this with another surrounding element like (but within) "realm" -- I guess I don't care all that much either way.
> What I don't have a handle on is the changes required to our security processing infrastructure to make this work. I'm not sure whether or how the login domain name propagates on the principals we create, though I have a vague memory that the principal wrappers were going to hold the login domain names.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

