geronimo-dev mailing list archives

From Jürgen Weber (JIRA) <>
Subject [jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping
Date Sat, 31 Jan 2009 09:42:59 GMT


Jürgen Weber commented on GERONIMO-4523:

What about introducing a default realm? One of the installed realms would be tagged as default
realm. In a newly installed server this would of course be geronimo-admin.
(you could also call this security by convention ;-)

Then when you add a new realm there'd be a checkbox 
[] make this default realm (application plans may choose another)

An application without Geronimo-plans then would use the default realm. I think this is also
the most natural thing, you deploy an application and expect that it's secured by the default
realm if there is no plan telling otherwise.

As for Group-Role mapping, again by default (or convention) roles would be equal to group
names. Or you could specify a Group-Role Mapper.

Group-Role mapping (application plans may override this!)

(o) map group names to roles
( ) use Group-Role Mapper [DropDown]
( ) no mapping, only use plans

DropDown would contain:

with PlanBasedMapper taking a mapping from a plan and CustomMapper delegating to a GBean you'd
have to program.
(o) map group names to roles would be the same as taking the second radio button and using
GroupNameMapper, but I think it's easier for beginners with a separate radio button.
( ) no mapping, only use plans   would be to kind of comment that there is no mapping

Of course, it should be possible to specify all this in the realm plan, too.

> Security Realm based Group-Role Mapping
> ---------------------------------------
>                 Key: GERONIMO-4523
>                 URL:
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Jürgen Weber
>            Assignee: David Jencks
> For secured applications you currently need a Geronimo-specific deployment plan which
> defines among others a mapping of realm groups onto JEE roles. This goes against the spirit
> of EJB3 which replaces deployment descriptors with annotations.
> It would be desirable to be able to run a standard-conforming JEE application under container
> security without the need for Geronimo-specific deployment plans.
> But this raises the need of another means to specify Group-Role Mapping. I suggest that
> this can be specified at the security-realm level. A realm should be linked to a mapping (n:1
> mapping, several realms should potentially use the same mapping). There should be a default
> identity mapping, if you have several thousand users in LDAP.
> Mappings should be definable via console.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
