Hello,

Currently the way to secure a web application is quite static in Geronimo, as role mapping is defined during deployment of the application. There are some valid use cases where groups assigned to users can change. In this case the only way I found in Geronimo is to change the role mapping in the deployment plan and redeploy the application, and Geronimo should probably provide some way to change role mapping without having to redeploy the application. For example, in JBoss or WebLogic Server, role mapping can be changed dynamically outside the application, without redeploying it.

I found this bug, https://issues.apache.org/jira/browse/GERONIMO-454, that could be an answer, but it has not been updated for a while. Are there any plans to implement this?

On the same topic, another question: it seems that with programmatic security in servlets, even if a user has a role granted, isUserInRole(thisRole) only returns true if the role is declared. I do not know what the JEE specification says about this, but I have tested in Tomcat, JBoss and WebLogic Server, and isUserInRole returns true if the user has the role granted, whether the role is declared or not. In GlassFish they also support a way to have this behavior. Is there any way in Geronimo? (It can be useful when roles are dynamic and we do not want to update web.xml and then redeploy the application, and this use case also seems to be valid, as almost all JEE application servers provide a way to do this.)

Thanks and best regards,
Arnaud
