Folks,

I'd like to discuss the architecture of BZ 55477 [0], this shall apply to Tomcat 8.5+ only.

The feature has been requested several times over the years: being able to map some technical role from a specific store to an application role, e.g., a group SID from AD 'S-1-5-21-126432666-1270913926-3679153413-372575' to role 'User'.

What do we have now?

* org.apache.catalina.Context.addRoleMapping(String, String) can be called to establish such a link
* org.apache.catalina.Context.findRoleMapping(String) queries for such a link

My recent changes to the codebase make RealmBase and Wrapper fully support Context#findRoleMapping(). So, it will work automatically.

What do we need?

* Something which must not be tied to the realm as described in [1] and [2]
* Some extension point to inject/call Context#addRoleMapping()

I have solved this problem for us at work years ago with a listener [3].

Design questions:
* Shall this remain a listener or do we want to introduce a new interface for that? If yes, what should it look like?
* Where can this element be placed? Only in context.xml? Also in server.xml? If yes, at which level are contexts available to be modified? Can this be placed in server.xml at all?

If it remains as a listener, I would be willing to donate my listener to the Tomcat codebase and add support for file:// or other stuff required.

From my understanding, the mapping source can be arbitrary: inline, database, file, etc.

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=55477
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=55477#c14
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55477#c15
[3] http://mo-tomcat-ext.sourceforge.net/xref/net/sf/michaelo/tomcat/extras/listeners/PropertiesRoleMappingListener.html

Please bear with me since I am a slow responder.

Michael
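An added example of the listener approach described above (not Michael's listener from [3] and not Tomcat's own code): it reads applicationRole=technicalRole pairs from a properties file and registers each pair through Context#addRoleMapping(). The package name, the roleMappingFile attribute and the choice of CONFIGURE_START_EVENT as the hook are assumptions.

```java
package net.example.tomcat; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;

import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

// Declared in context.xml (assumed attribute name):
//   <Listener className="net.example.tomcat.PropertiesRoleMappingListener"
//             roleMappingFile="/etc/tomcat/app-roles.properties"/>
// File format (assumed): applicationRole=technicalRole, e.g.
//   User=S-1-5-21-126432666-1270913926-3679153413-372575
public class PropertiesRoleMappingListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(PropertiesRoleMappingListener.class);

    private String roleMappingFile; // populated by the digester from the attribute

    public void setRoleMappingFile(String roleMappingFile) { this.roleMappingFile = roleMappingFile; }
    public String getRoleMappingFile() { return roleMappingFile; }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Role mappings live on a Context; refuse to act when nested anywhere else
        if (!(event.getLifecycle() instanceof Context)) {
            log.warn("PropertiesRoleMappingListener must be nested in a Context; ignoring");
            return;
        }
        if (!Lifecycle.CONFIGURE_START_EVENT.equals(event.getType())) {
            return; // populate once, while the context is being configured
        }
        Context context = (Context) event.getLifecycle();
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(roleMappingFile))) {
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read role mapping file " + roleMappingFile, e);
        }
        for (String role : props.stringPropertyNames()) {
            String link = props.getProperty(role).trim(); // link = actual Realm role (e.g. a SID)
            if (role.trim().isEmpty() || link.isEmpty()) {
                throw new IllegalStateException("Empty role or link in " + roleMappingFile);
            }
            context.addRoleMapping(role.trim(), link); // role = name the web application uses
            log.debug("Mapped application role '" + role + "' to realm role '" + link + "'");
        }
    }
}
```

Because RealmBase and Wrapper consult Context#findRoleMapping(), a web.xml role of 'User' then resolves to the SID when the Realm performs its hasRole() check.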

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org