Posted to dev@geronimo.apache.org by Aaron Mulder <am...@alumni.princeton.edu> on 2005/08/19 01:13:59 UTC
Role Mapping Seems Incomplete
So in the security settings, each login module has a login domain
name. This is so that a single realm could distinguish between principals
(with the same name) from two login modules of the same class. For
example, if you have two LDAP login modules pointing to different servers,
you could distinguish based on principal class and login domain name so
"administrator" from server A is different than "administrator" from
server B.
However, in our role mapping, we let you specify a realm,
principal class, and principal name, but not a login domain name. In
other words, all LDAP-group-administrator entries look the same,
regardless of which server they originate from.
I think the mapping should have a login-domain-name attribute on
the "principal" XML type. I'd say it should be optional so you only have
to use it if you care to distinguish (it would be obnoxious to need to
specify it every time). We could also do this with another surrounding
element like (but within) "realm" -- I guess I don't care all that much
either way.
What I don't have a handle on is the changes required to our
security processing infrastructure to make this work. I'm not sure
whether or how the login domain name propagates on the principals we
create, though I have a vague memory that the principal wrappers were
going to hold the login domain names.
Does this sound familiar to anyone? David J? Alan?
Thanks,
Aaron
Re: Role Mapping Seems Incomplete
Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.
Aaron Mulder wrote, On 8/18/2005 4:13 PM:
> So in the security settings, each login module has a login domain
>name. This is so that a single realm could distinguish between principals
>(with the same name) from two login modules of the same class. For
>example, if you have two LDAP login modules pointing to different servers,
>you could distinguish based on principal class and login domain name so
>"administrator" from server A is different than "administrator" from
>server B.
>
> However, in our role mapping, we let you specify a realm,
>principal class, and principal name, but not a login domain name. In
>other words, all LDAP-group-administrator entries look the same,
>regardless of which server they originate from.
>
> I think the mapping should have a login-domain-name attribute on
>the "principal" XML type. I'd say it should be optional so you only have
>to use it if you care to distinguish (it would be obnoxious to need to
>specify it every time). We could also do this with another surrounding
>element like (but within) "realm" -- I guess I don't care all that much
>either way.
>
> What I don't have a handle on is the changes required to our
>security processing infrastructure to make this work. I'm not sure
>whether or how the login domain name propagates on the principals we
>create, though I have a vague memory that the principal wrappers were
>going to hold the login domain names.
>
> Does this sound familiar to anyone? David J? Alan?
>
>
The realm is a holdover from when login domains used to be called login
realms. I imagine that there was some confusion during one of the
updates and it ended up actually being a realm. From our discussions on
IRC, I believe that we need to allow scoping of the principal to
optionally include both the realm and login domain. The reason for
"adding" the realm is that login domains may be shared by security
realms; it would be nice to be able to keep the name of the login
domains the same to keep things tractable.
Regards,
Alan
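The collision Aaron describes, and the realm-plus-login-domain scoping Alan asks for, as an added illustration that is not Geronimo code and not part of this thread: two LDAP login modules in the same realm both produce a group principal named "administrator", and a role mapping keyed only on realm, principal class and name cannot tell them apart. The `<role-mappings>`/`<role>`/`<realm>`/`<principal>` fragment shape, the `login-domain-name` attribute name, the `LDAPGroupPrincipal` class name and the `ldap-server-a`/`ldap-server-b` login domain names are all assumptions made for the example.

```python
"""Illustrative role-mapping lookup for principals scoped by
(realm, login domain, principal class, principal name).
Not Geronimo code; the XML shape and all names are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    """A principal as produced by one login module, tagged with the security
    realm it was authenticated in and the login domain name of the module."""
    realm: str
    login_domain: str
    principal_class: str
    name: str


@dataclass(frozen=True)
class PrincipalMatcher:
    """One <principal> entry of a role mapping. login_domain is None when the
    (assumed, optional) login-domain-name attribute is absent; the entry then
    matches that class/name from any login domain in the realm."""
    realm: str
    principal_class: str
    name: str
    login_domain: Optional[str] = None

    def matches(self, p: Principal) -> bool:
        return (
            self.realm == p.realm
            and self.principal_class == p.principal_class
            and self.name == p.name
            and (self.login_domain is None or self.login_domain == p.login_domain)
        )


def parse_role_mappings(xml_text: str) -> Dict[str, List[PrincipalMatcher]]:
    """Parse an assumed <role-mappings> fragment into role -> matchers."""
    roles: Dict[str, List[PrincipalMatcher]] = {}
    root = ET.fromstring(xml_text)
    for role in root.findall("role"):
        matchers = roles.setdefault(role.get("role-name"), [])
        for realm in role.findall("realm"):
            for prin in realm.findall("principal"):
                matchers.append(PrincipalMatcher(
                    realm=realm.get("realm-name"),
                    principal_class=prin.get("class"),
                    name=prin.get("name"),
                    login_domain=prin.get("login-domain-name"),  # None if absent
                ))
    return roles


def roles_for(principal: Principal,
              role_map: Dict[str, List[PrincipalMatcher]]) -> Set[str]:
    """Every role whose mapping has at least one entry matching the principal."""
    return {role for role, matchers in role_map.items()
            if any(m.matches(principal) for m in matchers)}


# Constructed sample: one realm "corp" with two LDAP login modules pointing at
# different servers, distinguishable only by their login domain name.
ADMIN_A = Principal("corp", "ldap-server-a", "LDAPGroupPrincipal", "administrator")
ADMIN_B = Principal("corp", "ldap-server-b", "LDAPGroupPrincipal", "administrator")

# Mapping keyed on realm + class + name only: both administrators collide.
UNSCOPED_XML = """
<role-mappings>
  <role role-name="Admin">
    <realm realm-name="corp">
      <principal class="LDAPGroupPrincipal" name="administrator"/>
    </realm>
  </role>
</role-mappings>
"""

# Mapping with the optional login-domain-name attribute: only server A's
# administrator is Admin; the unscoped Reader entry still matches both.
SCOPED_XML = """
<role-mappings>
  <role role-name="Admin">
    <realm realm-name="corp">
      <principal class="LDAPGroupPrincipal" name="administrator"
                 login-domain-name="ldap-server-a"/>
    </realm>
  </role>
  <role role-name="Reader">
    <realm realm-name="corp">
      <principal class="LDAPGroupPrincipal" name="administrator"/>
    </realm>
  </role>
</role-mappings>
"""


def demo() -> Dict[str, Set[str]]:
    unscoped = parse_role_mappings(UNSCOPED_XML)
    scoped = parse_role_mappings(SCOPED_XML)
    return {
        "unscoped_a": roles_for(ADMIN_A, unscoped),
        "unscoped_b": roles_for(ADMIN_B, unscoped),
        "scoped_a": roles_for(ADMIN_A, scoped),
        "scoped_b": roles_for(ADMIN_B, scoped),
    }


if __name__ == "__main__":
    for key, roles in demo().items():
        print(key, sorted(roles))
```

With the unscoped mapping both administrators receive Admin, which is the indistinguishability problem; with the scoped mapping only server A's administrator does, while an entry that omits `login-domain-name` keeps matching both, so existing mappings need no change. Because `realm` is always part of the match, a login domain name reused across several security realms (Alan's case) still resolves unambiguously.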