[security-dev] Security Role Mappings

Anil Saldhana Anil.Saldhana at redhat.com
Fri Mar 15 14:34:35 EDT 2013

   <security-role> setting is present in jboss-web.xml, jboss-app.xml 
and jboss.xml historically.

 From the dtd definitions:  http://www.jboss.org/j2ee/dtd/

   The principal-name element is the name of the principal that is mapped
   to the assembly role-name.

   Used in: security-role

Basically, the original intent was to map the assembly security role 
(from security-role-ref from web.xml etc)  to deployment 
security-role/principal-name combination (vendor DD).

Something like: 


On 03/14/2013 06:43 AM, Darran Lofthouse wrote:
> I am looking for some clarification regarding the <security-role>
> element in the jboss-web.xml - trying to dig through some historic use
> of the element I am starting to think a mistake was made in AS7 and that
> the mapping logic is not what was originally intended by the element.
> Take the following definition: -
>       <security-role>
>         <role-name>Support</role-name>
>         <principal-name>Mark</principal-name>
>         <principal-name>Tom</principal-name>
>       </security-role>
> My interpretation of this is that originally this was used where we had
> a run-as-principal-define, this would mean if the run-as-principal is
> either 'Mark' or 'Tom' then assume that membership of the role 'Support'
> is also true.
> Where there is no run-as-principal I believe this also evolved to mean,
> if the authenticated user is 'Mark' or 'Tom' then assume that they are a
> member of the role 'Support'.
> However for some reason within AS7 we seem to now be matching the
> principal-name values against the users currently assigned roles and not
> matching it against the name of the Principal.
> To me this new behaviour is wrong and is confusing but I wanted to check
> if there were other opinions.  Where a role to role mapping is required
> there is already a login module to provide that capability and I think
> that has been confused with the principal to role mapping of the
> deployment descriptor.
> Regards,
> Darran Lofthouse.

More information about the security-dev mailing list