Posted to dev@activemq.apache.org by "Amit Kumar (JIRA)" <ji...@apache.org> on 2010/12/01 17:05:12 UTC

[jira] Created: (AMQ-3065) Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a GroupPrincipal to the Subject with the aliased role name

Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a GroupPrincipal to the Subject with the aliased role name
----------------------------------------------------------------------------------------------------------------------------------

                 Key: AMQ-3065
                 URL: https://issues.apache.org/jira/browse/AMQ-3065
             Project: ActiveMQ
          Issue Type: New Feature
            Reporter: Amit Kumar
            Priority: Minor


Use Case: 

A web application in the container requires authorization with the role name 'Admin'. The application team decides the rule for authorization to be 'Any authenticated user who is a member of AD group "AllAuthorizedUsers"'. There is no AD group with the name "Admin" (as enforced by the WebApp in the container). The requirement is to enforce this security constraint without having to modify the WebApp web.xml (role-name from 'Admin' to 'AllAuthorizedUsers').

Enhancement Request:

Support a roleNameAlias option for the LDAPLoginModule which does a lookup for the aliased role name in the fetched roles for the user, and associates another GroupPrincipal (with the new alias name) to the Subject.
In the use case described above, an example roleNameAlias value can be 'AllAuthorizedUsers=Admin'.

Sample JAAS configuration:

TestLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=false
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://somehost:389"
        connectionUsername="uid=generic.gen,OU=Generics,O=something"
        connectionPassword="generic123"
        connectionProtocol=""
        authentication=simple
        userBase="OU=Users,O=something"
        userSearchMatching="(uid={0})"
        userSearchSubtree=true
        userRoleName="memberOf"
        roleName="CN"
        roleBase="OU=Groups,O=something"
        roleSearchMatching="member={0}"
        roleSearchSubtree=true
        roleNameAlias="somegroupname=admin,someothergroupname=manager"
        ;
};



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
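An added illustration (not the attached LDAPLoginModule.java or any ActiveMQ code) of how the roleNameAlias option described above could be parsed and applied to the roles fetched for a user; the method names and the sample group names are assumptions, and plain strings stand in for the GroupPrincipal objects the module would add to the Subject.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class RoleNameAliasDemo {

    // Parse "sourceGroup=aliasRole,sourceGroup2=aliasRole2" into a map.
    // Malformed entries are rejected rather than silently skipped, so a typo
    // in the JAAS config cannot quietly drop (or widen) an authorization rule.
    static Map<String, String> parseRoleNameAlias(String option) {
        Map<String, String> aliases = new LinkedHashMap<>();
        if (option == null || option.trim().isEmpty()) {
            return aliases;
        }
        for (String pair : option.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new IllegalArgumentException("bad roleNameAlias entry: '" + pair + "'");
            }
            aliases.put(kv[0].trim(), kv[1].trim());
        }
        return aliases;
    }

    // Roles fetched from LDAP plus every alias whose source group the user holds.
    // The mapping is one-way: an alias is granted only from the source group,
    // never because the user already has a group with the alias name.
    static Set<String> applyAliases(Set<String> fetchedRoles, Map<String, String> aliases) {
        Set<String> result = new LinkedHashSet<>(fetchedRoles);
        for (Map.Entry<String, String> e : aliases.entrySet()) {
            if (fetchedRoles.contains(e.getKey())) {
                result.add(e.getValue());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> aliases =
            parseRoleNameAlias("AllAuthorizedUsers=Admin,Operators=manager");
        // Constructed sample: CNs resolved from a user's memberOf attribute.
        Set<String> member = new LinkedHashSet<>(Arrays.asList("AllAuthorizedUsers", "Staff"));
        Set<String> other = new LinkedHashSet<>(Arrays.asList("Staff"));
        System.out.println("member of AllAuthorizedUsers -> " + applyAliases(member, aliases));
        System.out.println("not a member                 -> " + applyAliases(other, aliases));
    }
}
```

Because an aliased role is indistinguishable to the application from real group membership, the roleNameAlias value deserves the same change control as the directory groups themselves.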


[jira] Updated: (AMQ-3065) Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a GroupPrincipal to the Subject with the aliased role name

Posted by "Amit Kumar (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amit Kumar updated AMQ-3065:
----------------------------

    Attachment: LDAPLoginModule.java

Added support for roleNameAlias



[jira] Updated: (AMQ-3065) Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a GroupPrincipal to the Subject with the aliased role name

Posted by "Amit Kumar (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amit Kumar updated AMQ-3065:
----------------------------

    Affects Version/s: 5.3.0
