geronimo-user mailing list archives

From Ivan <>
Subject Re: Dynamic Role mapping
Date Sun, 27 Nov 2011 06:54:01 GMT
Yes, dynamic role mapping is really important and useful, while I doubt
anyone is working on this. From the implementation aspect, the mapping
information should be easy to update, it is hosted by
ApplicationPolicyConfigurationManager, but may need to consider more for
runtime updating.
For the isUserInRole, from my side, Geronimo's implementation is following
the spec,

2011/11/25 amergey <>

> Hello,
> Currently the way to secure a web application is quite static in Geronimo,
> as role mapping is defined during deployment of the application.
> There are some valid use cases where groups assigned to users can change. In
> this case the only way I found in Geronimo is to change the role mapping in
> the deployment plan and redeploy the application, and Geronimo should probably
> provide some way to change role mapping without having to redeploy the
> application.
> For example, in JBoss or WebLogic Server, role mapping can be changed
> dynamically outside the application, without redeploying it.
> I found this bug that
> could be an answer, but it has not been updated for a while. Are there any
> plans to implement this?
> On the same topic, another question: it seems that with programmatic security in
> Servlet, even if a user has a role granted, isUserInRole(thisRole) only
> returns true if the role is declared. I do not know what the JEE
> specification tells about this, but I have tested in Tomcat, JBoss and
> WebLogic Server, and isUserInRole returns true if the user has the role
> granted, whether the role is declared or not. In Glassfish they also
> support a way to have this behavior. Is there any way in Geronimo? (It
> can be useful when roles are dynamic and we do not want to update web.xml and
> then redeploy the application, and this use case also seems to be valid, as
> almost all JEE application servers provide a way to do this.)
> Thanks and Best regards,
> Arnaud