Posted to user@geronimo.apache.org by amergey <a_...@yahoo.fr> on 2011/11/25 11:42:16 UTC

Dynamic Role mapping

Hello,

Currently the way to secure a web application is quite static in Geronimo,
as role mapping is defined during deployment of the application.
There are some valid use cases where groups assigned to users can change. In
this case the only way I found in Geronimo is to change the role mapping in
the deployment plan and re-deploy the application, and Geronimo should probably
provide some way to change role mapping without having to redeploy the
application.
For example, in JBoss or WebLogic Server, role mapping can be changed
dynamically outside the application, without redeploying it.
I found this bug https://issues.apache.org/jira/browse/GERONIMO-454 that
could be an answer, but it has not been updated for a while. Are there any
plans to implement this?

On the same topic, another question: it seems that with programmatic security in
Servlet, even if a user has a role granted, isUserInRole(thisRole) only
returns true if the role is declared. I do not know what the JEE
specification says about this, but I have tested in Tomcat, JBoss and
WebLogic Server, and isUserInRole returns true if the user has the role
granted, whether the role is declared or not. In Glassfish they also
support a way to have this behavior. Is there any way in Geronimo? (It can
be useful when roles are dynamic and we do not want to update web.xml then
redeploy the application, and this use case also seems to be valid, as almost
all JEE application servers provide a way to do this.)

Thanks and Best regards,
Arnaud

--
View this message in context: http://apache-geronimo.328035.n3.nabble.com/Dynamic-Role-mapping-tp3535785p3535785.html
Sent from the Users mailing list archive at Nabble.com.

Re: Dynamic Role mapping

Posted by Ivan <xh...@gmail.com>.
Yes, dynamic role mapping is really important and useful, while I doubt
anyone is working on this. From the implementation aspect, the mapping
information should be easy to update, it is hosted by
ApplicationPolicyConfigurationManager, but may need to consider more for
runtime updating.
For the isUserInRole, from my side, Geronimo's implementation is following
the spec,

2011/11/25 amergey <a_...@yahoo.fr>

> Hello,
>
> Currently the way to secure a web application is quite static in Geronimo,
> as role mapping is defined during deployment of the application.
> There are some valid use cases where groups assigned to users can change. In
> this case the only way I found in Geronimo is to change the role mapping in
> the deployment plan and re-deploy the application, and Geronimo should probably
> provide some way to change role mapping without having to redeploy the
> application.
> For example, in JBoss or WebLogic Server, role mapping can be changed
> dynamically outside the application, without redeploying it.
> I found this bug https://issues.apache.org/jira/browse/GERONIMO-454 that
> could be an answer, but it has not been updated for a while. Are there any
> plans to implement this?
>
> On the same topic, another question: it seems that with programmatic security in
> Servlet, even if a user has a role granted, isUserInRole(thisRole) only
> returns true if the role is declared. I do not know what the JEE
> specification says about this, but I have tested in Tomcat, JBoss and
> WebLogic Server, and isUserInRole returns true if the user has the role
> granted, whether the role is declared or not. In Glassfish they also
> support a way to have this behavior. Is there any way in Geronimo? (It can
> be useful when roles are dynamic and we do not want to update web.xml then
> redeploy the application, and this use case also seems to be valid, as almost
> all JEE application servers provide a way to do this.)
>
> Thanks and Best regards,
> Arnaud



-- 
Ivan
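
A simplified model of the rule discussed in this thread, added here as an example and not taken from Geronimo or from either poster: the Servlet specification has isUserInRole resolve its argument through security-role-ref and otherwise check it against the declared security-role list, so a role that is granted but not declared yields false. All class names, users and roles below are constructed for illustration; the lenient variant models the behaviour the original poster reports seeing on other servers.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of isUserInRole resolution; not Geronimo code. Needs Java 9+.
public class RoleRefModel {
    // <security-role> names declared in web.xml (constructed sample).
    static final Set<String> DECLARED = Set.of("admin", "auditor");
    // <security-role-ref> entries for one servlet: role-name -> role-link (constructed).
    static final Map<String, String> ROLE_REFS = Map.of("MGR", "admin");
    // Roles granted to each user by the deployment-time mapping (constructed).
    // "reporting" is granted to bob but never declared in web.xml.
    static final Map<String, Set<String>> GRANTS = Map.of(
            "alice", Set.of("admin"),
            "bob", Set.of("auditor", "reporting"));

    // Spec-style check: the declared role list gates the answer.
    static boolean isUserInRole(String user, String roleName) {
        // 1. A matching security-role-ref redirects the name to its role-link.
        String role = ROLE_REFS.getOrDefault(roleName, roleName);
        // 2. The resolved name must be a declared security-role.
        if (!DECLARED.contains(role)) {
            return false;
        }
        // 3. Only then is the caller's role mapping consulted.
        return GRANTS.getOrDefault(user, Set.of()).contains(role);
    }

    // Lenient check: skips step 2, so any granted role answers true.
    static boolean isUserInRoleLenient(String user, String roleName) {
        String role = ROLE_REFS.getOrDefault(roleName, roleName);
        return GRANTS.getOrDefault(user, Set.of()).contains(role);
    }

    public static void main(String[] args) {
        String[][] calls = {
            {"alice", "admin"}, {"alice", "MGR"}, {"bob", "auditor"},
            {"bob", "reporting"}, {"bob", "admin"}, {"carol", "admin"}};
        for (String[] c : calls) {
            System.out.printf("%-6s %-10s strict=%-5b lenient=%b%n", c[0], c[1],
                    isUserInRole(c[0], c[1]), isUserInRoleLenient(c[0], c[1]));
        }
    }
}
```

Only the bob/reporting call differs between the two checks: the strict form fails closed on a role that web.xml never declared, which is why adding a role at runtime also requires it to be declared.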