Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/08/19 01:05:55 UTC

[jira] Created: (GERONIMO-890) Role Mapping using Login Domain Name

Role Mapping using Login Domain Name
------------------------------------

         Key: GERONIMO-890
         URL: http://issues.apache.org/jira/browse/GERONIMO-890
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M4, 1.0-M3    
    Reporter: Aaron Mulder
     Fix For: 1.0-M5


In the security settings, each login module has a login domain name.  This is so that a single realm could distinguish between principals (with the same name) from two login modules of the same class.  For example, if you have two LDAP login modules pointing to different servers, you could distinguish based on principal class and login domain name so "administrator" from server A is different than "administrator" from server B.

However, in our role mapping, we let you specify a realm, principal class, and principal name, but not a login domain name.  In other words, all LDAP-group-administrator entries look the same, regardless of which server they originate from.

I think the mapping should have a login-domain-name attribute on the "principal" XML type.  I'd say it should be optional so you only have to use it if you care to distinguish (it would be obnoxious to need to specify it every time).  We could also do this with another surrounding element like (but within) "realm" -- I guess I don't care all that much either way.

What I don't have a handle on is the changes required to our security processing infrastructure to make this work.  I'm not sure whether or how the login domain name propagates on the principals we create, though I have a vague memory that the principal wrappers were going to hold the login domain names.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Updated: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "David Blevins (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]

David Blevins updated GERONIMO-890:
-----------------------------------

    Fix Version: 1.0
                     (was: 1.0-M5)

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4, 1.0-M3
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>      Fix For: 1.0



[jira] Assigned: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]

Aaron Mulder reassigned GERONIMO-890:
-------------------------------------

    Assign To: Aaron Mulder

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>      Fix For: 1.0-M5



[jira] Commented: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-890?page=comments#action_12319411 ] 

David Jencks commented on GERONIMO-890:
---------------------------------------

I don't think there is a problem with the functionality of the current code, just with some of the names used in the xml.  IIRC this is an historical artifact due to some earlier confusion about realm names and login domain names.  In the security configuration, what is called a "realm-name" is actually put into a realm-principal as the login domain name.

IIUC what you can do with the current code is give different permissions based on the same principal class/ principal name from differently named login modules, but you cannot give different permissions for the same principal class/ name/ login domain name when included in different realms.

I propose we clear up what is happening by changing the xml element/attribute names from "realm" and "realm-name" to "login-domain" and "login-domain-name".  I guess we will have to do some transformations for backward compatibility.

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Aaron Mulder
>      Fix For: 1.0-M5

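An added model of the mapping discussed in the original report and in David Jencks's comment above; this is illustrative Python, not Geronimo's code. The principal class name `example.LdapGroupPrincipal`, the realm and login domain names, and the role names are constructed sample values. The mapping key is nested realm -> login domain -> principal, and a `None` login domain stands for the optional attribute Aaron proposed (omit it when you do not care to distinguish). Looking up with the login domain ignored reproduces the over-grant the report describes: "administrator" from server A also collects the role meant for server B.

```python
"""Role mapping keyed with and without the login domain name.

Added illustration, not Geronimo's code: it models the ambiguity described in
GERONIMO-890 (two "administrator" principals of the same class produced by two
LDAP login modules) and shows why the mapping key needs the login domain name.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A principal as handed back by a login module (constructed sample type)."""
    realm: str          # security realm the login module belongs to
    login_domain: str   # login domain name of the module that created it
    clazz: str          # principal class name, e.g. an LDAP group principal
    name: str           # principal name, e.g. "administrator"


# Mapping key: (realm, login domain or None, principal class, principal name).
# None in the login-domain slot means "match any login domain", i.e. the
# optional attribute proposed in the report.
MappingKey = Tuple[str, Optional[str], str, str]

GROUP_CLASS = "example.LdapGroupPrincipal"   # hypothetical class name

# Constructed sample mapping: server A's administrators may only deploy,
# server B's administrators get the full admin role, auditors match either server.
ROLE_MAPPING: Dict[MappingKey, str] = {
    ("corp-realm", "ldap-server-a", GROUP_CLASS, "administrator"): "deployer",
    ("corp-realm", "ldap-server-b", GROUP_CLASS, "administrator"): "admin",
    ("corp-realm", None, GROUP_CLASS, "auditors"): "auditor",
}


def roles_for(principals: Iterable[Principal],
              mapping: Dict[MappingKey, str],
              use_login_domain: bool = True) -> FrozenSet[str]:
    """Return the roles granted to a set of principals.

    With use_login_domain=False the lookup ignores the login domain, which is
    the behaviour the report complains about: both "administrator" principals
    match every entry for that realm/class/name, so the two servers cannot be
    told apart and the less trusted one is over-granted.
    """
    granted = set()
    for p in principals:
        for (realm, domain, clazz, name), role in mapping.items():
            if realm != p.realm or clazz != p.clazz or name != p.name:
                continue
            # A mapping entry with an explicit login domain only matches
            # principals created by that login module.
            if use_login_domain and domain is not None and domain != p.login_domain:
                continue
            granted.add(role)
    return frozenset(granted)


if __name__ == "__main__":
    admin_a = Principal("corp-realm", "ldap-server-a", GROUP_CLASS, "administrator")
    print("server A, domain-aware:  ", sorted(roles_for([admin_a], ROLE_MAPPING)))
    print("server A, domain ignored:", sorted(roles_for([admin_a], ROLE_MAPPING, False)))
```

Run stand-alone, the first line shows only `deployer`; the second shows `admin` as well, which is the collision the report describes. The same key structure is what Alan's closing note describes, with the realm as the outer scope, the login domain inside it, and the principal innermost.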


[jira] Commented: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-890?page=comments#action_12356164 ] 

David Jencks commented on GERONIMO-890:
---------------------------------------

I believe Alan has completely fixed this problem.

Backward compatibility to the old schema implemented: (includes fix for GERONIMO-1114)

Adding         modules/j2ee-schema/src/java/org/apache/geronimo/schema/ElementConverter.java
Adding         modules/j2ee-schema/src/java/org/apache/geronimo/schema/GBeanElementConverter.java
Adding         modules/j2ee-schema/src/java/org/apache/geronimo/schema/NamespaceElementConverter.java
Sending        modules/j2ee-schema/src/java/org/apache/geronimo/schema/SchemaConversionUtils.java
Adding         modules/j2ee-schema/src/java/org/apache/geronimo/schema/SecurityElementConverter.java
Sending        modules/j2ee-schema/src/test/org/apache/geronimo/schema/SchemaConversionUtilsTest.java
Adding         modules/j2ee-schema/src/test-data/geronimo/gbean-post.xml
Adding         modules/j2ee-schema/src/test-data/geronimo/gbean-pre.xml
Adding         modules/j2ee-schema/src/test-data/geronimo/security-post.xml
Adding         modules/j2ee-schema/src/test-data/geronimo/security-pre.xml
Transmitting file data ..........
Committed revision 329071.

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4, 1.0-M3
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>      Fix For: 1.0



[jira] Closed: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "Alan Cabrera (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]
     
Alan Cabrera closed GERONIMO-890:
---------------------------------

    Resolution: Fixed

Done.  Realms can wrap domains, which can wrap principals.

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4, 1.0-M3
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>      Fix For: 1.0



[jira] Assigned: (GERONIMO-890) Role Mapping using Login Domain Name

Posted by "Alan Cabrera (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]

Alan Cabrera reassigned GERONIMO-890:
-------------------------------------

    Assign To: Alan Cabrera  (was: Aaron Mulder)

> Role Mapping using Login Domain Name
> ------------------------------------
>
>          Key: GERONIMO-890
>          URL: http://issues.apache.org/jira/browse/GERONIMO-890
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Aaron Mulder
>     Assignee: Alan Cabrera
>      Fix For: 1.0-M5
