[jboss-jira] [JBoss JIRA] Closed: (JBAS-2079) Add the support for mapping application roles to security groups
Dominique Jean-Prost (JIRA)
jira-events at lists.jboss.org
Mon May 3 05:32:05 EDT 2010
[ https://jira.jboss.org/jira/browse/JBAS-2079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dominique Jean-Prost closed JBAS-2079.
--------------------------------------
Resolution: Duplicate Issue
duplicate of JBAS-3323
> Add the support for mapping application roles to security groups
> ----------------------------------------------------------------
>
> Key: JBAS-2079
> URL: https://jira.jboss.org/jira/browse/JBAS-2079
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-4.0.2 Final
> Reporter: Dominique Jean-Prost
> Priority: Minor
>
> Actually, JBoss requires that <security-role> or <role-name> are exactly the groups you can find in your security realm. As a result, if you want your application to be available to the role "myApplicationRole", you have to setup a group in your realm with the name "myApplicationRole".
> Now if you want to restrict a specific feature to role1, using request.isUserInRole("role1"), you have to set up a <security-role-link> to map role1 to a group of your realm. This works well if this feature maps to a single role. If this feature maps to, let's say, 2 different groups (gr1 and gr2) of your realm, you have to create a new group in your realm, let's say "myFeatureGroup", and put gr1 and gr2 in myFeatureGroup in order to see it work. You now have an application-specific group in your global realm. I think we should avoid this.
> I suggest adding the ability to map a role to 1-m groups using jboss-web.xml (I thought it was aimed at this) so we could have:
> web.xml:
>   <security-role><role-name>myRole</role-name></security-role>
> and in jboss-web.xml:
>   <security-role>
>     <role-name>myRole</role-name>
>     <principal-name>j2eegroup</principal-name>
>     <principal-name>joe</principal-name>
>   </security-role>
> and joe is a user and j2eegroup is a security group.
> Using this, we have the following advantages:
> - the application only deals with roles, and not security groups
> - security groups only deal with global groups and not application-specific roles
> - there is a clear separation between roles and groups.
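A sketch of the role resolution the request asks for, added here as an illustration and not JBoss code: it parses the descriptor syntax proposed in the issue and answers an isUserInRole-style check against a user name and that user's realm groups. The class and helper names, the users ann and bob, and the fallback for unmapped roles (role name must equal a realm group, as the issue describes the existing behaviour) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class RoleMappingDemo {
    // Constructed sample descriptor using the syntax proposed in the issue.
    static final String JBOSS_WEB_XML =
        "<jboss-web><security-role>"
      + "<role-name>myRole</role-name>"
      + "<principal-name>j2eegroup</principal-name>"
      + "<principal-name>joe</principal-name>"
      + "</security-role></jboss-web>";
    // Returns role-name -> principal names (users or realm groups) granted that role.
    static Map<String, Set<String>> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Descriptors are deployment input: refuse DTDs so no external entity is resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Map<String, Set<String>> map = new HashMap<>();
        NodeList roles = root.getElementsByTagName("security-role");
        for (int i = 0; i < roles.getLength(); i++) {
            Element r = (Element) roles.item(i);
            String role = r.getElementsByTagName("role-name").item(0).getTextContent().trim();
            NodeList ps = r.getElementsByTagName("principal-name");
            Set<String> principals = map.computeIfAbsent(role, k -> new HashSet<>());
            for (int j = 0; j < ps.getLength(); j++) principals.add(ps.item(j).getTextContent().trim());
        }
        return map;
    }

    // A mapped role is decided only by its mapping; an unmapped role falls back to
    // "role name equals a realm group" (assumed fallback, see lead-in).
    static boolean isUserInRole(Map<String, Set<String>> map, String user, Set<String> groups, String role) {
        Set<String> principals = map.get(role);
        if (principals == null) return groups.contains(role);
        return principals.contains(user) || !Collections.disjoint(principals, groups);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> map = parse(JBOSS_WEB_XML);
        System.out.println(isUserInRole(map, "joe", Set.of(), "myRole"));            // user listed directly
        System.out.println(isUserInRole(map, "ann", Set.of("j2eegroup"), "myRole")); // member of a mapped group
        System.out.println(isUserInRole(map, "bob", Set.of("gr1"), "myRole"));       // neither user nor group mapped
        System.out.println(isUserInRole(map, "bob", Set.of("myRole"), "myRole"));    // same-named realm group, role is mapped
    }
}
```

The last call shows the separation the issue argues for: once myRole is mapped in the descriptor, a realm group that happens to be named "myRole" no longer grants the role.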