[
https://issues.apache.org/jira/browse/GERONIMO-4523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671251#action_12671251
]
David Jencks commented on GERONIMO-4523:
----------------------------------------
I don't think I have a complete solution for the flags but committed what I
have so far in rev 741679. This restructures the security a lot to make the
principal-role mapping much more independent of the application. I don't find
any problems with this change so far but it is pretty big so we should keep our
eyes open.
> Security Realm based Group-Role Mapping
> ---------------------------------------
>
> Key: GERONIMO-4523
> URL: https://issues.apache.org/jira/browse/GERONIMO-4523
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: security
> Reporter: Jürgen Weber
> Assignee: David Jencks
>
> For secured applications you currently need a Geronimo-specific deployment
> plan which defines among others a mapping of realm groups onto JEE roles.
> This goes against the spirit of EJB3 which replaces deployment descriptors
> with annotations.
> It would be desirable to be able to run a standard-conforming JEE application
> under container security without the need for Geronimo-specific deployment
> plans.
> But this raises the need for another means to specify Group-Role Mapping. I
> suggest that this can be specified at the security-realm level. A realm
> should be linked to a mapping (n:1 mapping, several realms should potentially
> use the same mapping). There should be a default identity mapping, if you
> have several thousands of users in LDAP.
> Mappings should be definable via console.