Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a
GroupPrincipal to the Subject with the aliased role name
----------------------------------------------------------------------------------------------------------------------------------
Key: AMQ-3065
URL: https://issues.apache.org/jira/browse/AMQ-3065
Project: ActiveMQ
Issue Type: New Feature
Reporter: Amit Kumar
Priority: Minor
Use Case:
A web application in the container requires authorization with the role name
'Admin'. The application team decides the rule for authorization to be 'Any
authenticated user who is a member of AD group "AllAuthorizedUsers"'. There is
no AD group with the name "Admin" (as enforced by the WebApp in the container).
The requirement is to enforce this security constraint without having to modify
the WebApp web.xml (role-name from 'Admin' to 'AllAuthorizedUsers').
Enhancement Request:
Support a roleNameAlias option for the LDAPLoginModule which does a lookup for
the aliased role name in the fetched roles for the user, and associates another
GroupPrincipal (with the new alias name) with the Subject.
In the use case described above, an example roleNameAlias value can be
'AllAuthorizedUsers=Admin'.
Sample JAAS configuration:
TestLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
    debug=false
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://somehost:389"
    // bind credentials used for the user and role searches (placeholder values)
    connectionUsername="uid=generic.gen,OU=Generics,O=something"
    connectionPassword="generic123"
    connectionProtocol=""
    authentication=simple
    userBase="OU=Users,O=something"
    userSearchMatching="(uid={0})"
    userSearchSubtree=true
    userRoleName="memberOf"
    roleName="CN"
    roleBase="OU=Groups,O=something"
    roleSearchMatching="member={0}"
    roleSearchSubtree=true
    // proposed option: comma-separated "<LDAP group>=<alias>" pairs; each fetched group
    // that appears on the left adds a second GroupPrincipal named by the alias
    roleNameAlias="somegroupname=admin,someothergroupname=manager"
    ;
};
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
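The alias lookup described in the enhancement request, written out as an added stand-alone example. This is not ActiveMQ code and not the reporter's; the parsing and principal-adding methods (parseRoleNameAlias, addAliasedGroups) are hypothetical names chosen for the example, and a local GroupPrincipal class stands in for org.apache.activemq.jaas.GroupPrincipal so the file compiles on its own. The list of fetched roles is constructed sample data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleNameAliasExample {

    /** Local stand-in for org.apache.activemq.jaas.GroupPrincipal (assumption: kept here so the example compiles alone). */
    static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) {
            if (name == null || name.isEmpty()) throw new IllegalArgumentException("group name required");
            this.name = name;
        }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "GroupPrincipal[" + name + "]"; }
    }

    /**
     * Parse a roleNameAlias option of the form "ldapGroup=alias,ldapGroup2=alias2".
     * Blank entries or entries without '=' are rejected rather than skipped, so a typo in
     * the login configuration fails loudly instead of silently dropping an authorization mapping.
     */
    static Map<String, String> parseRoleNameAlias(String option) {
        Map<String, String> aliases = new LinkedHashMap<>();
        if (option == null || option.trim().isEmpty()) return aliases;
        for (String entry : option.split(",")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new IllegalArgumentException("bad roleNameAlias entry: '" + entry + "'");
            }
            aliases.put(kv[0].trim(), kv[1].trim());
        }
        return aliases;
    }

    /**
     * Add a GroupPrincipal for every role fetched from LDAP and, where the role has an alias,
     * a second GroupPrincipal carrying the alias name. The real group principals are kept, so the
     * alias only widens what the Subject holds and never replaces the actual membership.
     * Matching is exact and case-sensitive: a mapping for "AllAuthorizedUsers" does not fire
     * for "allauthorizedusers". Returns the alias names that were added.
     */
    static Set<String> addAliasedGroups(Subject subject, Collection<String> fetchedRoles,
                                        Map<String, String> aliases) {
        Set<String> added = new LinkedHashSet<>();
        for (String role : fetchedRoles) {
            subject.getPrincipals().add(new GroupPrincipal(role));
            String alias = aliases.get(role);
            if (alias != null && added.add(alias)) {
                subject.getPrincipals().add(new GroupPrincipal(alias));
            }
        }
        return added;
    }

    public static void main(String[] args) {
        // Constructed sample: the CN values the role search returned for the authenticated user.
        List<String> fetchedRoles = Arrays.asList("AllAuthorizedUsers", "Developers");
        // The mapping from the use case above plus one entry whose group the user is not in.
        Map<String, String> aliases = parseRoleNameAlias("AllAuthorizedUsers=Admin,Operators=manager");

        Subject subject = new Subject();
        Set<String> added = addAliasedGroups(subject, fetchedRoles, aliases);

        System.out.println("aliases added: " + added); // only Admin: the user is not in Operators
        for (GroupPrincipal g : subject.getPrincipals(GroupPrincipal.class)) {
            System.out.println(g);
        }
        // A web.xml role-name of "Admin" now matches without renaming the AD group.
    }
}
```

Two points worth keeping in mind when wiring this into a real login module: the alias is purely additive, so anyone in the mapped LDAP group receives the aliased role, which makes the roleNameAlias string an authorization decision that deserves the same review as the web.xml it is standing in for; and because the match is on the exact CN returned by the role search, the left-hand side of each pair must be spelled exactly as the directory returns it.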