geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping
Date Sun, 01 Feb 2009 18:23:59 GMT


David Jencks commented on GERONIMO-4523:

So far it doesn't look completely possible to have a default realm, but I'll keep trying :-)
 It's would certainly make life easier for everyone.  I like your ideas about a UI for configuring
the principal-role mapping but I'm not going to be able to implement them in the forseeable

It looks like the changes needed for this feature are much more extensive than we can put
into 2.1.4 so I'm afraid it will have to wait for 2.2.

The problem I'm having is with where to put some flags about how to set up jacc.... 

                <xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false">
                            Set this attribute to "true" if the work is to be performed
                            as the calling Subject.
                <xsd:attribute name="use-context-handler" type="xsd:boolean" default="false">
                            Set this attribute to "true" if the installed JACC policy
                            contexts will use PolicyContextHandlers.
                <xsd:attribute name="default-role" type="xsd:string">
                            Used by the the Deployer to assign method permissions for
                            all of the unspecified methods, either by assigning them
                            to security roles, or by marking them as unchecked. If
                            the value of default-role is empty, then the unspecified
                            methods are marked unchecked

I think these are used during deployment but maybe we can move them so they are used at runtime
and extracted from the principal-role mapper gbean.

> Security Realm based Group-Role Mapping
> ---------------------------------------
>                 Key: GERONIMO-4523
>                 URL:
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: J├╝rgen Weber
>            Assignee: David Jencks
> For secured applications you currently need a Geronimo-specific deployment plan which
defines among others a mapping of realm groups onto JEE roles. This goes against the spirit
of EJB3 which replaces deployment descriptors with annotations.
> It would be desirable to be able to run a standard-conforming JEE application under container
security without the need for Geronimo-specific deployment plans.
> But this raises the need of another mean to specify Group-Role Mapping. I suggest that
this can be specified at the security-realm level. A realm should be linked to a mapping (n:1
mapping, several realms should potentially use the same mapping). There should be a default
identity mapping, if you have several thousands of users in LDAP.
> Mappings should be definable via console.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message