OK, I think I understand now. Here's why I was getting confused: I was
looking at the JAAS login module which uses the users.properties and
roles.properties files and I was sort of equating it to NT security
where users.properties represents the NT users and roles.properties
represents the NT groups. And looking at it that way led me to the
erroneous conclusion that the ejb-jar.xml entries were thus the
principals (note that by principal I mean either the user id OR a user
group from the underlying security system, and maybe that was another
source of confusion on my part). However, what you're saying is that
the right way to look at it is that users.properties is the users and
roles.properties maps the physical users to the logical roles. Gee,
it's obvious once you understand it. :) Theoretically, then, you could
have a JAAS login module that authenticated the user against an NT
domain, discovered the NT groups the user belonged to, and then mapped
those groups to the logical roles, correct?
Dale
================================
Dale V. Georg
Technical Manager
Indus Consultancy Services
[EMAIL PROTECTED]
(201) 261-3100 x229
================================
Scott M Stark wrote:
>
> The ejb-jar.xml roles are logical names. Where are you getting that they
> are the principal name? The tutorial demonstrates that they are not
> by securing the beans using roles of Echo & Coder, to which the principal
> names are mapped via the JAAS login module. The ejb-jar.xml descriptor
> is completely portable to JBoss.
>
> The only difference is that JBoss does not do the mapping via the jboss.xml
> descriptor directly. Rather the <role-mapping-manager> element specifies
> the security manager instance that does this at runtime based on the authenticated
> principal name.
>
> ----- Original Message -----
> From: "Dale V. Georg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, May 11, 2001 11:45 AM
> Subject: Re: [JBoss-user] Question on Security Role Mapping
>
> >
> > Yes, I did read through that; in fact, I used that as my guide for
> > converting our app from WebLogic to jBoss, and everything is working
> > great. I was just questioning whether the role-name in the ejb-jar.xml
> > mapping directly to the security principal was the only way jBoss
> > supported roles, or whether there was an additional mapping you could do
> > in the jboss.xml.
> >
> > The main reason I'm looking at this is we are trying to make our app
> > support multiple application servers. Up until now, ejb-jar.xml was
> > generic and didn't require changes between the different app servers,
> > since any app server specific stuff was in the appserver.xml. Further,
> > in the appserver.xml we are mapping all of our roles to guest by
> > default. But if jBoss assumes that the role-name from ejb-jar.xml is
> > the principal name, then we may need to have a special case for jBoss.
> >
> > Thanks,
> > Dale
> >
> >
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-user
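The group-to-role mapping discussed in the thread above, as an added example that is not part of the original messages and is not JBoss code: once a login module has authenticated the caller and discovered their directory groups, it attaches only logical roles to the JAAS Subject. The class name, the `RolePrincipal` type, the group names and the mapping table are hypothetical; `Echo` and `Coder` are the role names mentioned in the thread.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class GroupToRoleMapping {
    /** Logical role; its name is what a <role-name> in ejb-jar.xml refers to. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Constructed sample mapping: physical directory group -> logical roles.
    static final Map<String, Set<String>> GROUP_TO_ROLES = Map.of(
        "EXAMPLE\\Developers", Set.of("Echo", "Coder"),
        "EXAMPLE\\Support", Set.of("Echo"));

    /** What the commit phase of a login module would do after authentication succeeded. */
    static void addRoles(Subject subject, Collection<String> discoveredGroups) {
        for (String group : discoveredGroups) {
            // Fail closed: an unmapped group grants nothing, and a group name
            // is never passed through as if it were a role name.
            for (String role : GROUP_TO_ROLES.getOrDefault(group, Set.of())) {
                subject.getPrincipals().add(new RolePrincipal(role));
            }
        }
    }

    /** Role check against the logical roles only. */
    static boolean isInRole(Subject subject, String role) {
        return subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
    }

    public static void main(String[] args) {
        Subject caller = new Subject();
        // Constructed input: groups assumed to come from the directory lookup.
        addRoles(caller, List.of("EXAMPLE\\Support", "EXAMPLE\\Domain Users"));
        System.out.println("Echo:  " + isInRole(caller, "Echo"));
        System.out.println("Coder: " + isInRole(caller, "Coder"));
    }
}
```

Because the deployment descriptor names only logical roles, moving to a different user store changes the mapping table and leaves ejb-jar.xml untouched.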