On 11/6/2013 9:30 AM, Marek Posolda wrote:
On 6.11.2013 14:25, Bill Burke wrote:
> I don't see how composite roles have anything to do with this. While
> populating the token, a role in a role mapping should be checked to see
> if it is composite, then expanded into the token.
>
> Again, Stian's implementation is just incorrect. How does one revoke a
> default role for a user if every token is populated with it? For
> example, let's say when a person registers they get a 30 day trial period
> to view premium content. They register, get the "premium" role, but in
> 30 days, this "premium" role is revoked.
I don't know the details TBH. Maybe it's just a temporary impl until
composite roles are properly implemented and supported in the model.
Your use-case is valid and should be supported, on the other hand, let's
say you have default realm roles "foo", "bar" . Then you create 1000
users. Then you decide that role "foo" shouldn't be default realmRole
anymore. With mapping of default roles to users (and without composite
roles), you will need to revoke "foo" role from each of those 1000
users... It should be possible to handle this with composite roles, but
they are not actually supported AFAIK?
So, the way it is currently implemented:
* You can't revoke a default role for a specific user without revoking
it for all users
* You can't view all roles mapped to a specific user in one place.
The way I think it should be implemented:
* You can still change the default role by manually revoking it for each
user.
* When composites are available, it will be implemented the way I
suggest anyways...
We need to do an alpha/beta release next month. There's still a lot of
stuff to do before that can happen. IMO, composites can wait.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
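
The trade-off argued in this thread, as an added example that is not part of the original e-mails and is not Keycloak code: a small model comparing default roles copied into each user's role mappings at registration with default roles injected into every token, with composite roles expanded when the token is populated. The `Realm` class, its methods, the user "alice" and the child role "view-premium-content" are hypothetical names constructed for illustration.

```python
# Constructed model; class and method names are hypothetical, not Keycloak's API.
class Realm:
    def __init__(self, default_roles, composites=None):
        self.default_roles = set(default_roles)
        self.composites = composites or {}   # role -> set of child roles
        self.mappings = {}                   # user -> explicitly mapped roles

    def register(self, user, copy_defaults):
        # copy_defaults=True: defaults become ordinary per-user role mappings.
        self.mappings[user] = set(self.default_roles) if copy_defaults else set()

    def revoke(self, user, role):
        self.mappings[user].discard(role)

    def expand(self, roles):
        # Expand composite roles transitively; 'seen' guards against cycles.
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.composites.get(role, ()))
        return seen

    def token_roles(self, user, inject_defaults):
        # inject_defaults=True: every token gets the realm defaults added,
        # whatever the user's own mappings say.
        roles = set(self.mappings[user])
        if inject_defaults:
            roles |= self.default_roles
        return self.expand(roles)


def trial_expiry(copy_defaults):
    """Register with default 'premium', revoke it after the trial, return token roles."""
    realm = Realm({"premium"}, composites={"premium": {"view-premium-content"}})
    realm.register("alice", copy_defaults)
    realm.revoke("alice", "premium")
    return realm.token_roles("alice", inject_defaults=not copy_defaults)


def default_change_cost(n_users):
    """Per-user revocations needed to retire default 'foo' when defaults were copied."""
    realm = Realm({"foo", "bar"})
    for i in range(n_users):
        realm.register(f"user{i}", copy_defaults=True)
    realm.default_roles.discard("foo")
    stale = [u for u, roles in realm.mappings.items() if "foo" in roles]
    for user in stale:
        realm.revoke(user, "foo")
    return len(stale)
```

With injected defaults the revoked "premium" role and its composite child still reach the token; with copied defaults the revocation holds, at the cost of one revocation per existing user when a default is later retired.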