geronimo-dev mailing list archives

From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Re: Default Security Principal & Role Mapping
Date Mon, 06 Feb 2006 17:38:13 GMT
Great.

So my next question is CORBA.  If a CORBA client calls in to an EJB,
and we have it configured to accept principals the caller provides
(see below) then does role mapping (as configured in openejb-jar.xml)
apply to the principals we grant the CORBA caller?  If so, do they
need qualifying roles for the EJB they're actually invoking, or just
for calls out to other EJBs from there?

Thanks,
   Aaron

<tss:compoundSecMechTypeList>
  <tss:compoundSecMech>
    <tss:sasMech>
      <tss:identityTokenTypes>
        <tss:ITTPrincipalNameGSSUP
            principal-class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
        <tss:ITTDistinguishedName/>
      </tss:identityTokenTypes>
    </tss:sasMech>
  </tss:compoundSecMech>
</tss:compoundSecMechTypeList>


On 2/6/06, David Jencks <david_jencks@yahoo.com> wrote:
> Assuming the principal classes are the same, the unauthenticated user
> is given the admin role.
>
> IIUC Simon wants to make the default subjects generated by actual
> login, which might make this point a bit clearer.
>
>
> thanks
> david jencks
>
> On Feb 6, 2006, at 7:41 AM, Aaron Mulder wrote:
>
> > If I have a security configuration block like this, is an
> > unauthenticated user given the Admin role?  Or does role mapping
> > ignore the default principal?
> >
> > Thanks,
> >     Aaron
> >
> > <security>
> >   <default-principal>
> >     <principal class="..." name="bob" />
> >   </default-principal>
> >   <role-mappings>
> >     <role name="Admin">
> >       <principal class="..." name="bob" />
> >     </role>
> >   </role-mappings>
> > </security>
>
>
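
The point settled in this thread (a role mapped to the default principal is granted to unauthenticated callers when the principal classes match) can be checked mechanically in a deployment plan. The following is an added example, not part of the original messages or of Geronimo's own code; the sample XML is constructed, and the principal class values, the "alice" principal, the "User" and "Auditor" roles and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <security> block quoted in the thread.
# The thread elides the principal class as "..."; the classes used here,
# "alice", and the "User"/"Auditor" roles are assumptions added for contrast.
SAMPLE = """
<security>
  <default-principal>
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="bob"/>
  </default-principal>
  <role-mappings>
    <role name="Admin">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="bob"/>
    </role>
    <role name="User">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="alice"/>
    </role>
    <role name="Auditor">
      <principal class="org.example.OtherPrincipal" name="bob"/>
    </role>
  </role-mappings>
</security>
"""

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def principals(elem):
    """Return {(class, name)} for the <principal> children of elem."""
    return {(p.get("class"), p.get("name"))
            for p in elem if local(p.tag) == "principal"}

def roles_for_unauthenticated(xml_text):
    """Roles whose mapping contains a default principal (same class AND name)."""
    root = ET.fromstring(xml_text)
    defaults, roles = set(), {}
    for elem in root.iter():
        if local(elem.tag) == "default-principal":
            defaults |= principals(elem)
        elif local(elem.tag) == "role":
            roles[elem.get("name")] = principals(elem)
    return sorted(r for r, ps in roles.items() if ps & defaults)

if __name__ == "__main__":
    for role in roles_for_unauthenticated(SAMPLE):
        print(f"unauthenticated callers receive role: {role}")
```

On the sample, only "Admin" is reported: "Auditor" also names "bob" but with a different principal class, so it does not match the default principal.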
