Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2009/01/31 09:19:02 UTC

[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669159#action_12669159 ] 

David Jencks commented on GERONIMO-4523:
----------------------------------------

There are several ideas here.

We can separate out the configuration of the role-principal (or principal-role) mapping, the default subject, and the subjects for run-as roles, and make it so you can configure the gbean holding these in any plan.  Then an app can refer to one of these.

I don't see how to specify which such PrincipalRoleMapper gbean you want without a geronimo plan.  Traditionally we've searched in the ancestors of an app's classloader for matching gbeans, but there's no way to specify such a set of ancestors without a plan.  A named security realm is only available for web apps and in geronimo this is only a display name on basic auth, it has nothing to do with geronimo security internals.  I don't like the idea of searching all gbeans in the server because that means deploying additional apps (containing PrincipalRoleMappers) will break the previously working apps.

There's at least one jira for some kind of identity mapping for group name == role name but we have tended to avoid this idea due to the potential for changes in an external system such as ldap suddenly changing the authorization structure just because someone added a new group that matched a previously unused role.  However, some such scheme should be fairly easy to implement.

Editing mappings in the console would be nice but needs a separate jira and someone who can actually write portlets.

> Security Realm based Group-Role Mapping
> ---------------------------------------
>
>                 Key: GERONIMO-4523
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4523
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Jürgen Weber
>            Assignee: David Jencks
>
> For secured applications you currently need a Geronimo-specific deployment plan which defines among others a mapping of realm groups onto JEE roles. This goes against the spirit of EJB3 which replaces deployment descriptors with annotations.
> It would be desirable to be able to run a standard-conforming JEE application under container security without the need for Geronimo-specific deployment plans.
> But this raises the need of another means to specify Group-Role Mapping. I suggest that this can be specified at the security-realm level. A realm should be linked to a mapping (n:1 mapping, several realms should potentially use the same mapping). There should be a default identity mapping, if you have several thousand users in LDAP.
> Mappings should be definable via console.
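The following is an added illustration, not code from Geronimo or from either participant, of the two mapping styles discussed above: the explicit principal-role mapping the comment describes (role to group principals, as carried in a deployment plan) and the identity mapping (group name == role name) proposed in the issue. It also shows the drift the comment warns about: a group added in an external directory that happens to match a declared but unused role silently grants that role under identity mapping. All role names, group names and the `identity_mapping_drift` check are constructed for this example.

```python
"""Explicit vs identity group-to-role mapping (constructed illustration)."""

# Roles the application declares (e.g. via @RolesAllowed or its descriptor).
# Constructed sample values.
APP_ROLES = frozenset({"user", "admin", "auditor"})

# Explicit mapping in the deployment-plan style: role -> group principals.
# "auditor" is deliberately left unmapped: nobody should hold it yet.
EXPLICIT_MAPPING = {
    "user": {"staff"},
    "admin": {"geronimo-admin"},
}


def roles_explicit(groups, mapping=EXPLICIT_MAPPING):
    """Roles granted by the explicit mapping for a subject's group principals."""
    groups = set(groups)
    return {role for role, grps in mapping.items() if grps & groups}


def roles_identity(groups, app_roles=APP_ROLES):
    """Roles granted by identity mapping: any group whose name equals a role."""
    return set(groups) & app_roles


def identity_mapping_drift(directory_groups, app_roles=APP_ROLES,
                           mapping=EXPLICIT_MAPPING):
    """Hypothetical check: roles that identity mapping would hand out because a
    directory group now matches a role name, while the explicit mapping never
    grants that role. A non-empty result is the situation the comment warns
    about (an external group change altering authorization)."""
    explicitly_reachable = {role for role, grps in mapping.items() if grps}
    return (set(directory_groups) & app_roles) - explicitly_reachable


if __name__ == "__main__":
    # Constructed directory state before and after someone adds a group.
    before = {"staff", "geronimo-admin"}
    after = before | {"auditor"}
    print("explicit, staff member:", roles_explicit({"staff"}))
    print("identity, member of new 'auditor' group:", roles_identity({"auditor"}))
    print("drift introduced by directory change:", identity_mapping_drift(after))
```

Run against the constructed directory states, the explicit mapping keeps granting only what the plan says, while the identity mapping grants `auditor` the moment a group of that name appears; the drift check reports exactly that role.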
