[security-dev] Security Role Mappings

Darran Lofthouse darran.lofthouse at jboss.com
Thu Mar 14 07:43:42 EDT 2013

I am looking for some clarification regarding the <security-role> 
element in the jboss-web.xml - trying to dig through some historic use 
of the element I am starting to think a mistake was made in AS7 and that 
the mapping logic is not what was originally intended by the element.

Take the following definition: -


My interpretation of this is that originally this was used where we had 
a run-as-principal defined; this would mean if the run-as-principal is 
either 'Mark' or 'Tom' then assume that membership of the role 'Support' 
is also true.

Where there is no run-as-principal I believe this also evolved to mean, 
if the authenticated user is 'Mark' or 'Tom' then assume that they are a 
member of the role 'Support'.

However, for some reason within AS7 we seem to now be matching the 
principal-name values against the user's currently assigned roles and not 
matching it against the name of the Principal.

To me this new behaviour is wrong and is confusing but I wanted to check 
if there were other opinions.  Where a role to role mapping is required 
there is already a login module to provide that capability and I think 
that has been confused with the principal to role mapping of the 
deployment descriptor.

Darran Lofthouse.
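
The two matching rules contrasted in this message, modelled side by side as an added example (not JBoss code and not part of the original post). The class, method names and sample identities are hypothetical; the 'Support' mapping is constructed from the names used in the message.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class SecurityRoleMappingDemo {

    // Constructed mapping using the names from the post:
    // role 'Support' lists the principal-name values 'Mark' and 'Tom'.
    static final Map<String, Set<String>> MAPPING = Map.of("Support", Set.of("Mark", "Tom"));

    // Principal-to-role reading: principal-name is compared with the name of the
    // effective principal (the run-as principal if one is defined, otherwise the
    // authenticated user).
    static Set<String> principalToRole(String effectivePrincipal, Set<String> assignedRoles) {
        Set<String> roles = new TreeSet<>(assignedRoles);
        MAPPING.forEach((role, names) -> {
            if (names.contains(effectivePrincipal)) {
                roles.add(role);
            }
        });
        return roles;
    }

    // Role-to-role reading (the AS7 behaviour the post reports): principal-name is
    // compared with the roles the user already holds, not with the principal's name.
    static Set<String> roleToRole(Set<String> assignedRoles) {
        Set<String> roles = new TreeSet<>(assignedRoles);
        MAPPING.forEach((role, names) -> {
            if (!Collections.disjoint(names, assignedRoles)) {
                roles.add(role);
            }
        });
        return roles;
    }

    public static void main(String[] args) {
        // Constructed identities: {principal name, one assigned role}.
        String[][] users = { {"Mark", "Staff"}, {"Alice", "Tom"}, {"Bob", "Staff"} };
        for (String[] u : users) {
            Set<String> assigned = Set.of(u[1]);
            System.out.printf("%-5s assigned=%s principal-to-role=%s role-to-role=%s%n",
                    u[0], assigned, principalToRole(u[0], assigned), roleToRole(assigned));
        }
    }
}
```

In this model the user named Mark gains 'Support' only under the principal-to-role reading, while a user whose assigned role happens to be called 'Tom' gains it only under the role-to-role reading.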
