[
https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669417#action_12669417
]
David Jencks commented on GERONIMO-4523:
----------------------------------------
So far it doesn't look completely possible to have a default realm, but I'll
keep trying :-) It would certainly make life easier for everyone. I like
your ideas about a UI for configuring the principal-role mapping but I'm not
going to be able to implement them in the foreseeable future.
It looks like the changes needed for this feature are much more extensive than
we can put into 2.1.4 so I'm afraid it will have to wait for 2.2.
The problem I'm having is with where to put some flags about how to set up
jacc....
<xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false">
    <xsd:annotation>
        <xsd:documentation>
            Set this attribute to "true" if the work is to be performed
            as the calling Subject.
        </xsd:documentation>
    </xsd:annotation>
</xsd:attribute>
<xsd:attribute name="use-context-handler" type="xsd:boolean" default="false">
    <xsd:annotation>
        <xsd:documentation>
            Set this attribute to "true" if the installed JACC policy
            contexts will use PolicyContextHandlers.
        </xsd:documentation>
    </xsd:annotation>
</xsd:attribute>
<xsd:attribute name="default-role" type="xsd:string">
    <xsd:annotation>
        <xsd:documentation>
            Used by the Deployer to assign method permissions for
            all of the unspecified methods, either by assigning them
            to security roles, or by marking them as unchecked. If
            the value of default-role is empty, then the unspecified
            methods are marked unchecked.
        </xsd:documentation>
    </xsd:annotation>
</xsd:attribute>
I think these are used during deployment but maybe we can move them so they are
used at runtime and extracted from the principal-role mapper gbean.
> Security Realm based Group-Role Mapping
> ---------------------------------------
>
> Key: GERONIMO-4523
> URL: https://issues.apache.org/jira/browse/GERONIMO-4523
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: security
> Reporter: Jürgen Weber
> Assignee: David Jencks
>
> For secured applications you currently need a Geronimo-specific deployment
> plan which defines among others a mapping of realm groups onto JEE roles.
> This goes against the spirit of EJB3 which replaces deployment descriptors
> with annotations.
> It would be desirable to be able to run a standard-conforming JEE application
> under container security without the need for Geronimo-specific deployment
> plans.
> But this raises the need for another means to specify Group-Role Mapping. I
> suggest that this can be specified at the security-realm level. A realm
> should be linked to a mapping (n:1 mapping, several realms should potentially
> use the same mapping). There should be a default identity mapping, if you
> have several thousand users in LDAP.
> Mappings should be definable via console.
--
This message is automatically generated by JIRA.
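The following is an added example, not code from Geronimo or from this thread. It models two things the discussion above describes: the `default-role` semantics quoted in the XSD (unspecified EJB methods are assigned to the default role, or left unchecked when the value is empty), and the realm-level group-to-role mapping with a default identity mapping that the issue proposes. Every name in it (`resolve_permissions`, `map_groups_to_roles`, `is_permitted`, the sample bean methods, LDAP groups and roles) is hypothetical, and the sample data is constructed.

```python
# Added illustration, not Geronimo code. Models the deployer behaviour
# described by the default-role attribute together with a shared (n:1)
# realm-level group-to-role mapping. All function, method, group and role
# names below are hypothetical; the sample data is constructed.

UNCHECKED = "unchecked"  # sentinel: any caller may invoke the method


def resolve_permissions(all_methods, declared, default_role=""):
    """Assign a permission to every method of a bean.

    all_methods  -- every method the bean exposes
    declared     -- method name -> set of roles from method-permission
    default_role -- role given to unspecified methods; an empty string
                    leaves them unchecked, i.e. open to any caller
    Returns method name -> frozenset of roles, or UNCHECKED.
    """
    perms = {}
    for method in sorted(all_methods):
        roles = declared.get(method)
        if roles:
            perms[method] = frozenset(roles)
        elif default_role:
            perms[method] = frozenset({default_role})
        else:
            perms[method] = UNCHECKED
    return perms


def map_groups_to_roles(groups, mapping, identity_default=True):
    """Translate a caller's realm groups into JEE roles.

    `mapping` is meant to be shared by several realms (n:1). With
    identity_default, a group that has no explicit entry maps to the
    role of the same name: the "default identity mapping" the issue asks
    for when a directory holds thousands of groups.
    """
    roles = set()
    for group in groups:
        if group in mapping:
            roles |= set(mapping[group])
        elif identity_default:
            roles.add(group)
    return frozenset(roles)


def is_permitted(method, perms, caller_groups, mapping, identity_default=True):
    """Access decision: unchecked methods always pass; otherwise the
    caller must hold at least one required role after group->role mapping."""
    required = perms[method]
    if required == UNCHECKED:
        return True
    roles = map_groups_to_roles(caller_groups, mapping, identity_default)
    return bool(required & roles)


# Constructed sample: a bank bean with three methods, two of which carry
# method-permission declarations; "balance" is unspecified.
BEAN_METHODS = {"transfer", "balance", "audit"}
DECLARED = {"transfer": {"teller"}, "audit": {"auditor"}}
# Constructed realm-level mapping of LDAP groups onto JEE roles.
GROUP_ROLE_MAPPING = {"ldap-tellers": {"teller"}, "ldap-audit": {"auditor"}}


if __name__ == "__main__":
    open_perms = resolve_permissions(BEAN_METHODS, DECLARED, default_role="")
    closed_perms = resolve_permissions(BEAN_METHODS, DECLARED, default_role="authenticated")
    print("default-role empty:        ", open_perms)
    print("default-role=authenticated:", closed_perms)
    caller = {"ldap-tellers"}
    for label, perms in (("open", open_perms), ("closed", closed_perms)):
        for m in sorted(BEAN_METHODS):
            ok = is_permitted(m, perms, caller, GROUP_ROLE_MAPPING)
            print(f"{label:6} {m:8} teller -> {ok}")
```

The practical point the model makes visible: with an empty `default-role`, every method the descriptor forgot to cover is reachable by anyone, so a deployment that wants to fail closed should set a default role and rely on the group mapping to grant it, rather than leave the attribute empty.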