[
https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669159#action_12669159
]
David Jencks commented on GERONIMO-4523:
----------------------------------------
There are several ideas here.

We can separate out the configuration of the role-principal (or principal-role)
mapping, the default subject, and the subjects for run-as roles, and make it so
you can configure the gbean holding these in any plan. Then an app can refer
to one of these.

I don't see how to specify which such PrincipalRoleMapper gbean you want
without a geronimo plan. Traditionally we've searched in the ancestors of an
app's classloader for matching gbeans, but there's no way to specify such a set
of ancestors without a plan. A named security realm is only available for web
apps and in geronimo this is only a display name on basic auth, it has nothing
to do with geronimo security internals. I don't like the idea of searching all
gbeans in the server because that means deploying additional apps (containing
PrincipalRoleMappers) will break the previously working apps.

There's at least one jira for some kind of identity mapping for group name ==
role name but we have tended to avoid this idea due to the potential for
changes in an external system such as ldap suddenly changing the authorization
structure just because someone added a new group that matched a previously
unused role. However, some such scheme should be fairly easy to implement.

Editing mappings in the console would be nice but needs a separate jira and
someone who can actually write portlets.
> Security Realm based Group-Role Mapping
> ---------------------------------------
>
> Key: GERONIMO-4523
> URL: https://issues.apache.org/jira/browse/GERONIMO-4523
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: security
> Reporter: Jürgen Weber
> Assignee: David Jencks
>
> For secured applications you currently need a Geronimo-specific deployment
> plan which defines among others a mapping of realm groups onto JEE roles.
> This goes against the spirit of EJB3 which replaces deployment descriptors
> with annotations.
> It would be desirable to be able to run a standard-conforming JEE application
> under container security without the need for Geronimo-specific deployment
> plans.
> But this raises the need for another means to specify Group-Role Mapping. I
> suggest that this can be specified at the security-realm level. A realm
> should be linked to a mapping (n:1 mapping, several realms should potentially
> use the same mapping). There should be a default identity mapping, if you
> have several thousands of users in LDAP.
> Mappings should be definable via console.