[jboss-jira] [JBoss JIRA] (WFLY-1635) Ensure security realms assign users to groups and not roles by default.

[Darran Lofthouse (JIRA)]

Darran Lofthouse created WFLY-1635:
--------------------------------------

             Summary: Ensure security realms assign users to groups and not roles by default.
                 Key: WFLY-1635
                 URL: https://issues.jboss.org/browse/WFLY-1635
             Project: WildFly
          Issue Type: Task
          Components: Domain Management, Security
            Reporter: Darran Lofthouse
            Assignee: Darran Lofthouse
            Priority: Critical
             Fix For: 8.0.0.Alpha3


Currently we only use group/role assignment within the ApplicationRealm where there is an assumption of a 1:1 mapping between a group and a role.

Instead by default the <authorization /> section of a <security-realm /> should be used to load group membership information.

Within access control the group to role mapping will happen at a later point as it needs to take into account the address or an operation.

For situations where a 1:1 mapping can be assumed we will add a configuration option on the <authorization /> element - 'map-groups-to-roles' default will be false.

For backwards compatibility the ApplicationRealm we ship will have 'map-groups-to-roles' set to true.  Where an older schema is read we will assume this attribute was set to true for consistency.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira