Martin Borgman [
http://community.jboss.org/people/MartinBorgman] created the discussion
"Re: Mapping Application Roles to Declarative Role"
To view the discussion, visit:
http://community.jboss.org/message/571554#571554
--------------------------------------------------------------
Sohil Shah wrote:
Since it makes sense to associate this mapping at the security-domain level to be
utilized at different layers of the app (not just ejb and web) (I am thinking Portal, SEAM,
JBPM etc.)
It makes absolutely no sense at all to do this at the security domain
level.
Let me give you an example.
I have 2 applications running on a JBoss instance.
Both applications use basic authentication using a single company wide active directory
configuration.
Both applications use a common user role called "user" and an application
administrator role called "admin".
The role names "admin" and "user" are defined in the standard
deployment descriptors. This is as it should be, right?
Now a user for application 1 may not have any rights to use application 2.
Another user may have admin rights for application 1 and only user rights for application
two.
Since both applications use the same company wide authentication / authorization it makes
sense to define a single security domain, but if I do that I cannot differentiate between
the rights for the two applications by using a domain level role mapper.
Sohil Shah wrote:
wouldn't it make sense to extend the configuration options in the login-config.xml so
that you can specify the role/identity mappings kind of like this:
<application-policy name="security-domain-name">
    <login-module>blahblah</login-module>
    <role-mapping>
        <application-role>whatever role from login module</application-role>
        <deployment-role>whatever deployment role it should map to</deployment-role>
    </role-mapping>
</application-policy>
Of course this is just an example, and definitely needs better element names.
This is a stupid idea. Think about PaaS. Applications move from application server
to application server. You don't want to change your login-config every time you move
your application to a different application server. While it is possible to deploy a login
config with the application or make it part of the deployment unit, this would still mean
you create a new security domain for every application you deploy, and that would certainly
be a waste of resources and a security nightmare.
It would be much better to remap roles in the container specific deployment descriptors.
--------------------------------------------------------------
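As an added illustration of the argument made in this reply (this is not code from the thread, from PicketBox or from JBoss; the class, method names, group names and mapping tables are all constructed), the following runnable Java program models the two scenarios from the example: a single mapping table owned by the security domain, which cannot tell which deployment is asking, versus a mapping table carried by each deployment. The same two sample users, authenticated once against the shared directory, end up with the per-application rights the reply describes only in the deployment-level case.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical model of domain-level vs. deployment-level role mapping.
// Not JBoss/PicketBox code; all names and tables below are constructed samples.
public class RoleMappingScope {

    // Roles handed back by the shared login module (constructed sample:
    // two directory groups, shared by both applications in the domain).
    static final Set<String> ALICE_GROUPS = Set.of("CORP-IT-STAFF", "CORP-APP1-OWNERS");
    static final Set<String> BOB_GROUPS   = Set.of("CORP-IT-STAFF");

    // Domain-level mapping: one table for the whole security domain.
    // It has no notion of which deployment is asking, so it cannot express
    // "CORP-IT-STAFF is 'user' in app1 but has no access at all to app2".
    static final Map<String, String> DOMAIN_MAPPING = Map.of(
        "CORP-IT-STAFF", "user",
        "CORP-APP1-OWNERS", "admin");

    // Deployment-level mapping: each application carries its own table, so the
    // same directory group can mean different things (or nothing) per application.
    static final Map<String, Map<String, String>> PER_DEPLOYMENT = Map.of(
        "app1", Map.of("CORP-IT-STAFF", "user", "CORP-APP1-OWNERS", "admin"),
        "app2", Map.of("CORP-APP1-OWNERS", "user"));

    // Translate login-module groups into declarative roles via one shared table.
    static Set<String> mapAtDomainLevel(Set<String> groups) {
        return applyTable(DOMAIN_MAPPING, groups);
    }

    // Translate the same groups using the table of a particular deployment.
    // An unknown deployment, or a group absent from its table, yields no role.
    static Set<String> mapAtDeploymentLevel(String app, Set<String> groups) {
        return applyTable(PER_DEPLOYMENT.getOrDefault(app, Map.of()), groups);
    }

    // Shared lookup: keep only groups that the table knows about.
    private static Set<String> applyTable(Map<String, String> table, Set<String> groups) {
        Set<String> roles = new TreeSet<>();
        for (String group : groups) {
            String role = table.get(group);
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        for (String app : new String[] {"app1", "app2"}) {
            System.out.println("== " + app + " ==");
            // Domain-level result is identical for every application.
            System.out.println("domain level:     alice=" + mapAtDomainLevel(ALICE_GROUPS)
                + " bob=" + mapAtDomainLevel(BOB_GROUPS));
            // Deployment-level result differs: bob has no role at all in app2,
            // alice is admin in app1 but only user in app2.
            System.out.println("deployment level: alice=" + mapAtDeploymentLevel(app, ALICE_GROUPS)
                + " bob=" + mapAtDeploymentLevel(app, BOB_GROUPS));
        }
    }
}
```

Running it prints the same domain-level roles for both applications, while the deployment-level tables give alice "admin" and "user" in app1 but only "user" in app2, and leave bob with no role in app2 at all, which is exactly the distinction the single security domain cannot make on its own.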