Posted to dev@geronimo.apache.org by "Jürgen Weber (JIRA)" <ji...@apache.org> on 2009/01/26 11:45:59 UTC

[jira] Created: (GERONIMO-4523) Security Realm based Group-Role Mapping

Security Realm based Group-Role Mapping
---------------------------------------

                 Key: GERONIMO-4523
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4523
             Project: Geronimo
          Issue Type: New Feature
      Security Level: public (Regular issues)
          Components: security
            Reporter: Jürgen Weber


For secured applications you currently need a Geronimo-specific deployment plan which defines among others a mapping of realm groups onto JEE roles. This goes against the spirit of EJB3 which replaces deployment descriptors with annotations.
It would be desirable to be able to run a standard-conforming JEE application under container security without the need for Geronimo-specific deployment plans.
But this raises the need of another means to specify Group-Role Mapping. I suggest that this can be specified at the security-realm level. A realm should be linked to a mapping (n:1 mapping, several realms should potentially use the same mapping). There should be a default identity mapping, if you have several thousands of users in LDAP.

Mappings should be definable via console.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669417#action_12669417 ] 

David Jencks commented on GERONIMO-4523:
----------------------------------------

So far it doesn't look completely possible to have a default realm, but I'll keep trying :-)  It would certainly make life easier for everyone.  I like your ideas about a UI for configuring the principal-role mapping but I'm not going to be able to implement them in the foreseeable future.

It looks like the changes needed for this feature are much more extensive than we can put into 2.1.4 so I'm afraid it will have to wait for 2.2.

The problem I'm having is with where to put some flags about how to set up jacc.... 

                <xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false">
                    <xsd:annotation>
                        <xsd:documentation>
                            Set this attribute to "true" if the work is to be performed
                            as the calling Subject.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="use-context-handler" type="xsd:boolean" default="false">
                    <xsd:annotation>
                        <xsd:documentation>
                            Set this attribute to "true" if the installed JACC policy
                            contexts will use PolicyContextHandlers.
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>
                <xsd:attribute name="default-role" type="xsd:string">
                    <xsd:annotation>
                        <xsd:documentation>
                            Used by the Deployer to assign method permissions for
                            all of the unspecified methods, either by assigning them
                            to security roles, or by marking them as unchecked. If
                            the value of default-role is empty, then the unspecified
                            methods are marked unchecked
                        </xsd:documentation>
                    </xsd:annotation>
                </xsd:attribute>

I think these are used during deployment but maybe we can move them so they are used at runtime and extracted from the principal-role mapper gbean.



[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669159#action_12669159 ] 

David Jencks commented on GERONIMO-4523:
----------------------------------------

There are several ideas here.

We can separate out the configuration of the role-principal (or principal-role) mapping, the default subject, and the subjects for run-as roles, and make it so you can configure the gbean holding these in any plan.  Then an app can refer to one of these.

I don't see how to specify which such PrincipalRoleMapper gbean you want without a geronimo plan.  Traditionally we've searched in the ancestors of an app's classloader for matching gbeans, but there's no way to specify such a set of ancestors without a plan.  A named security realm is only available for web apps and in geronimo this is only a display name on basic auth, it has nothing to do with geronimo security internals.  I don't like the idea of searching all gbeans in the server because that means deploying additional apps (containing PrincipalRoleMappers) will break the previously working apps.

There's at least one jira for some kind of identity mapping for group name == role name but we have tended to avoid this idea due to the potential for changes in an external system such as ldap suddenly changing the authorization structure just because someone added a new group that matched a previously unused role.  However, some such scheme should be fairly easy to implement.

Editing mappings in the console would be nice but needs a separate jira and someone who can actually write portlets.



[jira] Closed: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-4523.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2

I don't think anything more on this will get done.



[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "Jürgen Weber (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669167#action_12669167 ] 

Jürgen Weber commented on GERONIMO-4523:
----------------------------------------

What about introducing a default realm? One of the installed realms would be tagged as default realm. In a newly installed server this would of course be geronimo-admin.
(you could also call this security by convention ;-)

Then when you add a new realm there'd be a checkbox 
-----
[] make this default realm (application plans may choose another)
-----

An application without Geronimo-plans then would use the default realm. I think this is also the most natural thing, you deploy an application and expect that it's secured by the default realm if there is no plan telling otherwise.

As for Group-Role mapping, again by default (or convention) roles would be equal to group names. Or you could specify a Group-Role Mapper.

-----
Group-Role mapping (application plans may override this!)

(o) map group names to roles
( ) use Group-Role Mapper [DropDown]
( ) no mapping, only use plans         
-----

DropDown would contain:
GroupNameMapper
PlanBasedMapper
CustomMapper

with PlanBasedMapper taking a mapping from a plan and CustomMapper delegating to a GBean you'd have to program.
(o) map group names to roles would be the same as taking the second radio button and using GroupNameMapper, but I think it's easier for beginners with a separate radio button.
( ) no mapping, only use plans   would be to kind of comment that there is no mapping


Of course, it should be possible to specify all this in the realm plan, too.

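The identity mapping (group name == role name) discussed in this thread, next to an explicit group-role table, as an added example that is not Geronimo code and not part of the original messages. The `GroupRoleMapper` interface and all group and role names are hypothetical and constructed for illustration; it shows how a new directory group can change authorization under identity mapping, which is the concern David Jencks raises.

```java
import java.util.*;

// Added illustration; none of these types are Geronimo classes.
public class GroupRoleMappingDemo {

    /** Maps the groups a realm asserts onto roles the application declares. */
    interface GroupRoleMapper {
        Set<String> rolesFor(Set<String> groups, Set<String> declaredRoles);
    }

    /** Identity mapping: a group grants the declared role of the same name. */
    static final GroupRoleMapper IDENTITY = (groups, declared) -> {
        Set<String> roles = new TreeSet<>(groups);
        roles.retainAll(declared);
        return roles;
    };

    /** Explicit mapping: only groups listed in the table grant anything. */
    static GroupRoleMapper explicit(Map<String, Set<String>> table) {
        return (groups, declared) -> {
            Set<String> roles = new TreeSet<>();
            for (String g : groups) {
                roles.addAll(table.getOrDefault(g, Set.of()));
            }
            roles.retainAll(declared);
            return roles;
        };
    }

    /** Roles that become grantable only because the directory gained groups. */
    static Set<String> newlyGrantable(GroupRoleMapper mapper, Set<String> before,
                                      Set<String> after, Set<String> declared) {
        Set<String> gained = new TreeSet<>(mapper.rolesFor(after, declared));
        gained.removeAll(mapper.rolesFor(before, declared));
        return gained;
    }

    public static void main(String[] args) {
        // Constructed sample data: roles the application declares, and the
        // directory's group list before and after an unrelated change.
        Set<String> declared = Set.of("user", "auditor", "admin");
        Set<String> before = Set.of("staff", "ops");
        Set<String> after = Set.of("staff", "ops", "admin"); // new LDAP group

        GroupRoleMapper table = explicit(Map.of(
                "staff", Set.of("user"),
                "ops", Set.of("user", "auditor")));

        System.out.println("identity, before: " + IDENTITY.rolesFor(before, declared));
        System.out.println("identity, gained: "
                + newlyGrantable(IDENTITY, before, after, declared));
        System.out.println("explicit, before: " + table.rolesFor(before, declared));
        System.out.println("explicit, gained: "
                + newlyGrantable(table, before, after, declared));
    }
}
```

Under the identity mapper the new `admin` group makes the previously unused `admin` role grantable with no change to the application, while the explicit table ignores the new group until someone adds a row for it.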


[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671251#action_12671251 ] 

David Jencks commented on GERONIMO-4523:
----------------------------------------

I don't think I have a complete solution for the flags but committed what I have so far in rev 741679.  This restructures the security a lot to make the principal-role mapping much more independent of the application.  I don't find any problems with this change so far but it is pretty big so we should keep our eyes open.



[jira] Assigned: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-4523:
--------------------------------------

    Assignee: David Jencks



[jira] Commented: (GERONIMO-4523) Security Realm based Group-Role Mapping

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671430#action_12671430 ] 

David Jencks commented on GERONIMO-4523:
----------------------------------------

Something went wrong with my commit in rev 741679 and a lot of unintentional modifications got committed.  This has been fixed in revs 741766, 741822 and 741858.

I apologize for any problems this may have caused.
