tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: authorization providers (was More on JAAS)
Date Wed, 19 Apr 2000 02:10:28 GMT
On 17 Apr 00, at 22:01, Assaf Arkin wrote:

> > 3) we should be able to populate the Roles object
> > While I can authorize a user per role (e.g. LDAP group), I cannot
> > set the Roles value for when someone wants that information from
> > request.getRoles().
> Out of curiosity how do you map a user into roles?
For my current example I'm using groups (either groupOfnames or 
groupOfUniquenames).  I map the role name to the group's 
common name. 

For 'real' I'd add in support for groups to be members of other 
groups and also support for Netscape/iPlanet Dynamic groups. 

If I could figure out how to declare it in Tomcat, I'd also throw in 
support for using LDAP URL queries.

For a better idea of what I'm talking about you can glance at my 
Apache modules at

I also have an article in the May issue of Web Techniques, though I 
did the article in Perl, but the ideas apply to LDAP in general.

> In our case we have a role entry in a given DN space
> (uid=...,ou=Roles,...) which lists the users under that role (by DN). 
This is essentially what an LDAP group is.

> pre-load the roles into memory (doesn't take that much space) and we
> determine the roles for a user when the user authenticates. To deal with
> mass quantity of users we use mapping of roles to directories of users
> and default roles.
I prefer the dynamic group to this route. A dynamic group is a 
groupOfUrls object which stores its members as LDAP queries in 
the form of LDAP URLs.

A user is a member of the group if their entry would satisify one of 
the LDAP queries. This allows you to have infinitely large groups. 
People also come and go out of the groups as their inividual entries 
are updated, you don't have to update one or more secondary 
group objects.

You just can't load everything into memory because that could be 
quite large. I easily have over 6000 groups with over a total of 
25,000+ users (I use groups to manage class roles at our 
university). I'd rather just query the LDAP server when necessary 
and not use memory unecessarily.

> > The only item I really lacked was the ability to populate the roles
> > as I said before. This could be fixed in the Security Interceptor by
> > populating a hashtable or map that was updated on each call to
> > userInRole and then passed onto the Request object.
> JAAS would probably define that as a RoleCredential which you can ask
> isInRole(). The RoleCredential is placed in the Subject (the security
> context) by the login module, so the login module can place a
> fully-loaded object, or a lazy-loading object.

Probably true, but I still think JAAS is a future thing not a current 
thing. We can document how people should do this but I don't think 
we can make it a requirement.


View raw message