[ https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669167#action_12669167 ]

Jürgen Weber commented on GERONIMO-4523:
----------------------------------------

What about introducing a default realm? One of the installed realms would be 
tagged as default realm. In a newly installed server this would of course be 
geronimo-admin.
(you could also call this security by convention ;-)

Then when you add a new realm there'd be a checkbox:
-----
[ ] make this the default realm (application plans may choose another)
-----

An application without Geronimo plans would then use the default realm. I think 
this is also the most natural thing: you deploy an application and expect that 
it's secured by the default realm if there is no plan telling otherwise.

As for Group-Role mapping, again by default (or convention) roles would be 
equal to group names. Or you could specify a Group-Role Mapper.

-----
Group-Role mapping (application plans may override this!)

(o) map group names to roles
( ) use Group-Role Mapper [DropDown]
( ) no mapping, only use plans         
-----

DropDown would contain:
GroupNameMapper
PlanBasedMapper
CustomMapper

with PlanBasedMapper taking a mapping from a plan and CustomMapper delegating 
to a GBean you'd have to program.
"(o) map group names to roles" would be the same as taking the second radio 
button and using GroupNameMapper, but I think it's easier for beginners with a 
separate radio button.
"( ) no mapping, only use plans" would be a kind of comment that there is no 
mapping.

Of course, it should be possible to specify all this in the realm plan, too.

> Security Realm based Group-Role Mapping
> ---------------------------------------
>
>                 Key: GERONIMO-4523
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4523
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: security
>            Reporter: Jürgen Weber
>            Assignee: David Jencks
>
> For secured applications you currently need a Geronimo-specific deployment 
> plan which defines among others a mapping of realm groups onto JEE roles. 
> This goes against the spirit of EJB3 which replaces deployment descriptors 
> with annotations.
> It would be desirable to be able to run a standard-conforming JEE application 
> under container security without the need for Geronimo-specific deployment 
> plans.
> But this raises the need for another means to specify Group-Role Mapping. I 
> suggest that this can be specified at the security-realm level. A realm 
> should be linked to a mapping (n:1 mapping, several realms should potentially 
> use the same mapping). There should be a default identity mapping, if you 
> have several thousand users in LDAP.
> Mappings should be definable via console.
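As an added illustration (not part of the comment, the issue, or Geronimo's own code base), the Java below sketches how the proposal could fit together: a registry with one realm tagged as default, the mapping choices from the proposed dropdown, and the rule that an application plan overrides the realm-level mapping. Every class, method and realm name here (GroupRoleMapper, RealmRegistry, effectiveRoles, ldap-realm, strict-realm, the sample groups) is invented for this example and is not Geronimo's GBean API; CustomMapper is left out because it only delegates to user-written code.

```java
import java.util.*;

// Illustrative model of the proposal above. Every name here is invented for this
// example; none of it is Geronimo's actual GBean or security-realm API.
public class RealmRoleMappingDemo {

    /** Group-Role Mapper: turns the groups a realm reports into JEE role names. */
    public interface GroupRoleMapper {
        Set<String> rolesFor(Set<String> groups);
    }

    /** GroupNameMapper: identity mapping, each group name is used as a role name. */
    public static final class GroupNameMapper implements GroupRoleMapper {
        public Set<String> rolesFor(Set<String> groups) {
            return new TreeSet<String>(groups);
        }
    }

    /** PlanBasedMapper: a role -> groups table as a deployment plan would declare it. */
    public static final class PlanBasedMapper implements GroupRoleMapper {
        private final Map<String, Set<String>> roleToGroups;

        public PlanBasedMapper(Map<String, Set<String>> roleToGroups) {
            this.roleToGroups = roleToGroups;
        }

        public Set<String> rolesFor(Set<String> groups) {
            Set<String> roles = new TreeSet<String>();
            for (Map.Entry<String, Set<String>> e : roleToGroups.entrySet()) {
                if (!Collections.disjoint(e.getValue(), groups)) {
                    roles.add(e.getKey());
                }
            }
            return roles;
        }
    }

    /** "no mapping, only use plans": grants nothing unless an application plan maps. */
    public static final GroupRoleMapper NO_MAPPING = new GroupRoleMapper() {
        public Set<String> rolesFor(Set<String> groups) {
            return Collections.emptySet();
        }
    };

    /** An installed realm carrying its realm-level mapper. */
    public static final class Realm {
        final String name;
        final GroupRoleMapper mapper;

        Realm(String name, GroupRoleMapper mapper) {
            this.name = name;
            this.mapper = mapper;
        }
    }

    /** Server-wide registry: installed realms plus the one tagged as default. */
    public static final class RealmRegistry {
        private final Map<String, Realm> realms = new LinkedHashMap<String, Realm>();
        private String defaultRealm;

        void install(Realm realm, boolean makeDefault) {
            realms.put(realm.name, realm);
            if (makeDefault) {
                defaultRealm = realm.name;
            }
        }

        /** planRealm == null means the application shipped no Geronimo plan. */
        Realm resolve(String planRealm) {
            String name = (planRealm != null) ? planRealm : defaultRealm;
            Realm realm = (name == null) ? null : realms.get(name);
            if (realm == null) {
                // Fail closed: an unknown realm, or no default tagged, secures nothing.
                throw new IllegalStateException("no usable realm: requested=" + planRealm
                        + ", default=" + defaultRealm);
            }
            return realm;
        }
    }

    /** A plan-level mapping wins when present; otherwise the realm's own mapper applies. */
    static Set<String> effectiveRoles(RealmRegistry registry, String planRealm,
                                      GroupRoleMapper planMapper, Set<String> groups) {
        Realm realm = registry.resolve(planRealm);
        GroupRoleMapper mapper = (planMapper != null) ? planMapper : realm.mapper;
        return mapper.rolesFor(groups);
    }

    public static void main(String[] args) {
        RealmRegistry registry = new RealmRegistry();
        registry.install(new Realm("geronimo-admin", new GroupNameMapper()), true);

        Map<String, Set<String>> ldapPlan = new HashMap<String, Set<String>>();
        ldapPlan.put("manager", new HashSet<String>(Arrays.asList("ldap-managers")));
        registry.install(new Realm("ldap-realm", new PlanBasedMapper(ldapPlan)), false);
        registry.install(new Realm("strict-realm", NO_MAPPING), false);

        // Constructed sample groups, as a realm might report them for one user.
        Set<String> groups = new HashSet<String>(Arrays.asList("admin", "ldap-managers"));

        // 1. Standard JEE application, no Geronimo plan: default realm, identity mapping.
        System.out.println("no plan:         " + effectiveRoles(registry, null, null, groups));
        // 2. Plan names a realm but gives no mapping: the realm-level PlanBasedMapper applies.
        System.out.println("ldap-realm:      " + effectiveRoles(registry, "ldap-realm", null, groups));
        // 3. Plan supplies its own mapping, which overrides the realm's mapper.
        Map<String, Set<String>> appPlan = new HashMap<String, Set<String>>();
        appPlan.put("auditor", new HashSet<String>(Arrays.asList("admin")));
        System.out.println("plan override:   "
                + effectiveRoles(registry, "ldap-realm", new PlanBasedMapper(appPlan), groups));
        // 4. "no mapping, only use plans" realm and no plan mapping: the user gets no roles.
        System.out.println("strict, no plan: " + effectiveRoles(registry, "strict-realm", null, groups));
    }
}
```

The two failure modes worth noticing are the ones the proposal's options create: an application deployed without a plan against a server with no tagged default realm is rejected rather than silently left unsecured, and a realm configured as "no mapping" yields an empty role set, so a forgotten plan mapping shows up as denied access instead of as an accidental identity mapping.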

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.