[ http://issues.apache.org/jira/browse/GERONIMO-890?page=all ]
Aaron Mulder reassigned GERONIMO-890:
-------------------------------------
Assign To: Aaron Mulder
> Role Mapping using Login Domain Name
> ------------------------------------
>
> Key: GERONIMO-890
> URL: http://issues.apache.org/jira/browse/GERONIMO-890
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M3, 1.0-M4
> Reporter: Aaron Mulder
> Assignee: Aaron Mulder
> Fix For: 1.0-M5
>
> In the security settings, each login module has a login domain name. This is
> so that a single realm could distinguish between principals (with the same
> name) from two login modules of the same class. For example, if you have two
> LDAP login modules pointing to different servers, you could distinguish based
> on principal class and login domain name so "administrator" from server A is
> different than "administrator" from server B.
> However, in our role mapping, we let you specify a realm, principal class,
> and principal name, but not a login domain name. In other words, all
> LDAP-group-administrator entries look the same, regardless of which server
> they originate from.
> I think the mapping should have a login-domain-name attribute on the
> "principal" XML type. I'd say it should be optional so you only have to use
> it if you care to distinguish (it would be obnoxious to need to specify it
> every time). We could also do this with another surrounding element like
> (but within) "realm" -- I guess I don't care all that much either way.
> What I don't have a handle on is the changes required to our security
> processing infrastructure to make this work. I'm not sure whether or how the
> login domain name propagates on the principals we create, though I have a
> vague memory that the principal wrappers were going to hold the login domain
> names.
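The collision described in the issue, as an added example that is not Geronimo code: two "administrator" group principals from different LDAP login modules match the same role mapping unless the mapping can also name a login domain. All class, record and domain names here (`GroupPrincipal`, `DomainPrincipal`, `Mapping`, `ldap-server-a`, `ldap-server-b`) are hypothetical, a single realm is assumed, and a null login domain stands in for the optional attribute being left out.

```java
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class RoleMappingDemo {
    // Hypothetical stand-in for an LDAP group principal class.
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical wrapper: a principal tagged with the login domain that produced it.
    record DomainPrincipal(String loginDomain, Principal principal) {}

    // Hypothetical mapping entry; loginDomain == null means "match any login domain".
    record Mapping(String role, String principalClass, String name, String loginDomain) {
        boolean matches(DomainPrincipal p) {
            return principalClass.equals(p.principal().getClass().getName())
                && name.equals(p.principal().getName())
                && (loginDomain == null || loginDomain.equals(p.loginDomain()));
        }
    }

    // Collect every role whose mapping matches the authenticated principal.
    static Set<String> rolesFor(List<Mapping> mappings, DomainPrincipal p) {
        Set<String> roles = new TreeSet<>();
        for (Mapping m : mappings) {
            if (m.matches(p)) roles.add(m.role());
        }
        return roles;
    }

    public static void main(String[] args) {
        String cls = GroupPrincipal.class.getName();
        // Constructed sample principals: same class and name, different login domains.
        DomainPrincipal fromA = new DomainPrincipal("ldap-server-a", new GroupPrincipal("administrator"));
        DomainPrincipal fromB = new DomainPrincipal("ldap-server-b", new GroupPrincipal("administrator"));

        // Mapping without a login domain: principals from both servers match.
        List<Mapping> current = List.of(new Mapping("admin", cls, "administrator", null));
        // Mapping with the optional qualifier set: only server A's group matches.
        List<Mapping> proposed = List.of(new Mapping("admin", cls, "administrator", "ldap-server-a"));

        System.out.println("current  A=" + rolesFor(current, fromA) + " B=" + rolesFor(current, fromB));
        System.out.println("proposed A=" + rolesFor(proposed, fromA) + " B=" + rolesFor(proposed, fromB));
    }
}
```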