[ https://issues.apache.org/jira/browse/AMQ-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amit Kumar updated AMQ-3065:
----------------------------

    Attachment: LDAPLoginModule.java

Added support for roleNameAlias

> Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a 
> GroupPrincipal to the Subject with the aliased role name
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3065
>                 URL: https://issues.apache.org/jira/browse/AMQ-3065
>             Project: ActiveMQ
>          Issue Type: New Feature
>    Affects Versions: 5.3.0
>            Reporter: Amit Kumar
>            Priority: Minor
>         Attachments: LDAPLoginModule.java
>
>
> Use Case: 
> A web application in the container requires authorization with the role name 
> 'Admin'. The application team decides the rule for authorization to be 'Any 
> authenticated user who is a member of AD group "AllAuthorizedUsers"'. There 
> is no AD group with the name "Admin" (as enforced by the WebApp in the 
> container). The requirement is to enforce this security constraint without 
> having to modify the WebApp web.xml (role-name from 'Admin' to 
> 'AllAuthorizedUsers').
> Enhancement Request:
> Support a roleNameAlias option for the LDAPLoginModule which does a lookup 
> for the aliased role name in the fetched roles for the user, and associates 
> another GroupPrincipal (with the new alias name) with the Subject.
> In the use case described above, an example roleNameAlias value can be 
> 'AllAuthorizedUsers=Admin'.
> Sample JAAS configuration:
> TestLogin {
>     org.apache.activemq.jaas.LDAPLoginModule required
>         debug=false
>         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>         connectionURL="ldap://somehost:389";
>         connectionUsername="uid=generic.gen,OU=Generics,O=something"
>         connectionPassword="generic123"
>         connectionProtocol=""
>         authentication=simple
>         userBase="OU=Users,O=something"
>         userSearchMatching="(uid={0})"
>         userSearchSubtree=true
>         userRoleName="memberOf"
>         roleName="CN"
>         roleBase="OU=Groups,O=something"
>         roleSearchMatching="member={0}"
>         roleSearchSubtree=true
>         roleNameAlias="somegroupname=admin,someothergroupname=manager"
>         ;
> };

-- 
This message is automatically generated by JIRA.
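The alias lookup the request describes, as an added example that is neither the attached LDAPLoginModule.java nor ActiveMQ's own code: it parses the roleNameAlias option and, for each alias whose source group is among the roles fetched for the user, adds a GroupPrincipal carrying the alias name to the Subject. The GroupPrincipal class is a minimal stand-in (an assumption) for org.apache.activemq.jaas.GroupPrincipal, the class and method names are hypothetical, and the role set is constructed sample input. Matching is exact, so holding a group whose name merely contains the configured source name grants nothing.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

/** Minimal stand-in for ActiveMQ's GroupPrincipal (assumption, not the project's class). */
final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "GroupPrincipal[" + name + "]"; }
}

public final class RoleNameAlias {
    /** Parse "group=alias,group2=alias2"; reject entries without '=' or with an empty side. */
    static Map<String, String> parse(String option) {
        Map<String, String> aliases = new LinkedHashMap<>();
        if (option == null || option.trim().isEmpty()) return aliases;
        for (String entry : option.split(",")) {            // group names with ',' cannot be expressed
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                throw new IllegalArgumentException("bad roleNameAlias entry: '" + entry + "'");
            }
            aliases.put(entry.substring(0, eq).trim(), entry.substring(eq + 1).trim());
        }
        return aliases;
    }

    /** Add one GroupPrincipal per alias whose source group the user actually holds (exact match). */
    static Set<GroupPrincipal> applyAliases(Subject subject, Set<String> fetchedRoles,
                                            Map<String, String> aliases) {
        Set<GroupPrincipal> added = new LinkedHashSet<>();
        for (Map.Entry<String, String> e : aliases.entrySet()) {
            if (fetchedRoles.contains(e.getKey())) {
                GroupPrincipal p = new GroupPrincipal(e.getValue());
                if (subject.getPrincipals().add(p)) added.add(p);   // add() is false if already present
            }
        }
        return added;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // Constructed sample: the CN values the module would have fetched via memberOf/roleSearchMatching.
        Set<String> roles = new HashSet<>(Arrays.asList("AllAuthorizedUsers", "Developers"));
        for (String r : roles) subject.getPrincipals().add(new GroupPrincipal(r));
        Map<String, String> aliases = parse("AllAuthorizedUsers=Admin,Auditors=manager");
        System.out.println(applyAliases(subject, roles, aliases));
    }
}
```

In a real LoginModule the principal set should be populated in commit(), after login() has succeeded, so that a failed or aborted login leaves the Subject untouched.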