On Jul 14, 2009, at 11:29 PM, Rodger wrote:

Previously and in a common way, we do principal-role mapping in a deployment plan (such as geronimo-web.xml, openejb-jar.xml),
<role role-name="user">
    <principal class="o.a.g.s.r.providers.GeronimoGroupPrincipal" name="UserGrp"/>
</role>

But in Geronimo 2.2, after a JIRA (https://issues.apache.org/jira/browse/GERONIMO-4523),
it seems that we can do the principal-role mapping without the need for Geronimo-specific deployment plans.
Has the feature been implemented? If so, how to do the mapping?

I'm not sure if there is an example of how to do this.

1. In a plan for a geronimo plugin, either a javaee app or service (gbean) plugin, include a <security> element following the http://geronimo.apache.org/xml/ns/security-2.0 schema.  Be sure it has a name attribute.

2. Add a dependency on the plugin from (1) to your javaee app.

3. In the geronimo plan for your javaee app, include a <security-ref> element with a <name> element referring to the <security> element in (1).

You still need a geronimo plan for the javaee app; this just lets you share the principal-role mapping between several apps.

I think that's how it works.
david jencks

Best Regards,
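
The three steps above written out as a pair of plans, added here as an illustration; it is not from the thread or from Geronimo's own documentation. The moduleId values, the name "shared-role-mapping", the context root, and the exact placement of <security> and <security-ref> inside each plan are assumptions to check against the security-2.0 schema shipped with your Geronimo 2.2 build.

```xml
<!-- File 1 (assumed layout): plan for a service plugin that owns the mapping -->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId> <!-- hypothetical coordinates -->
      <groupId>com.example</groupId>
      <artifactId>shared-security</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
  </environment>

  <!-- Step 1: a <security> element in the security-2.0 namespace, with a name -->
  <sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
                name="shared-role-mapping">
    <sec:role-mappings>
      <sec:role role-name="user">
        <!-- class abbreviated as in the message; use the fully qualified name -->
        <sec:principal class="o.a.g.s.r.providers.GeronimoGroupPrincipal"
                       name="UserGrp"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</module>

<!-- File 2: geronimo-web.xml for one of the apps sharing the mapping -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <dep:environment>
    <dep:dependencies>
      <!-- Step 2: depend on the plugin from file 1 -->
      <dep:dependency>
        <dep:groupId>com.example</dep:groupId>
        <dep:artifactId>shared-security</dep:artifactId>
        <dep:version>1.0</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
    </dep:dependencies>
  </dep:environment>

  <context-root>/myapp</context-root>

  <!-- Step 3: refer to the shared mapping by its name instead of repeating it -->
  <sec:security-ref>
    <sec:name>shared-role-mapping</sec:name>
  </sec:security-ref>
</web-app>
```

Because every app that references the shared element inherits the same role grants, a change to that one plan changes authorization for all of them; review it with the same care as each app's own plan.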