[jboss-jira] [JBoss JIRA] (WFCORE-3666) Provide Elytron alternative to RoleMappingLoginModule
Martin Choma (JIRA)
issues at jboss.org
Mon Jun 18 05:56:00 EDT 2018
[ https://issues.jboss.org/browse/WFCORE-3666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13592532#comment-13592532 ]
Martin Choma commented on WFCORE-3666:
--------------------------------------
[~mmazanek] thank you for the PR. Can I ask you to please notify the Tester once a PR is ready next time? I noticed it just accidentally.
Looking in the model description:
{code}
"role-map" => {
    "type" => OBJECT,
    "description" => "A string to string list map for mapping roles.",
    "expressions-allowed" => true,
    "required" => true,
    "nillable" => false,
    "value-type" => LIST
}
{code}
I would expect this role-map object to have named attributes from and to, so its meaning can be described in the model properly. This way the user does not know whether the first is delegatedRole or applicationRole (I assume the first is delegatedRole, but there is also this reverse map in the implementation - so I am not sure). A description on the model level will make it clear.
Also, this is the first time in the Elytron model that we introduce an OBJECT of LIST.
> Provide Elytron alternative to RoleMappingLoginModule
> -----------------------------------------------------
>
> Key: WFCORE-3666
> URL: https://issues.jboss.org/browse/WFCORE-3666
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 4.0.0.Final
> Reporter: Martin Choma
> Assignee: Martin Mazanek
>
> In picketbox there is RoleMappingLoginModule [1], which takes a role as returned from the authorization process and maps it to a different role. I thought something similar should be configurable with some of the Elytron role-mappers. But looking into the model/code, it is not obvious to me which of them can be used. I know a custom role mapper can still be used, but I wonder if we really do not provide this common functionality out of the box with Elytron.
> Another workaround is to use direct roles from the realm (e.g. LDAP) in the target (e.g. web.xml). But it seems users tend to map IDM roles to application roles.
> [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/login_module_reference/#rolemapping_login_module
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
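The ambiguity raised in the comment above, as an added example (not code from WildFly Core or Elytron; the class, method and role names are constructed for illustration): the same string-to-string-list map grants different roles depending on whether the key is read as the source role or as the target role.

```java
import java.util.*;

// Added illustration; names are hypothetical and not part of the Elytron API.
public class RoleMapDirection {

    // Reading 1: the key is the role delivered by the realm,
    // the list holds the application roles it is mapped to.
    static Set<String> mapForward(Map<String, List<String>> roleMap, Set<String> roles) {
        Set<String> out = new TreeSet<>();
        for (String role : roles) {
            out.addAll(roleMap.getOrDefault(role, Collections.emptyList()));
        }
        return out;
    }

    // Reading 2: the key is the application role,
    // the list holds the realm roles that are mapped to it.
    static Set<String> mapReverse(Map<String, List<String>> roleMap, Set<String> roles) {
        Set<String> out = new TreeSet<>();
        for (Map.Entry<String, List<String>> entry : roleMap.entrySet()) {
            if (!Collections.disjoint(entry.getValue(), roles)) {
                out.add(entry.getKey());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample role-map with no "from"/"to" labels.
        Map<String, List<String>> roleMap = new LinkedHashMap<>();
        roleMap.put("Admin", Arrays.asList("Operator", "Auditor"));
        roleMap.put("Operator", Arrays.asList("Viewer"));

        // Constructed identity: the realm returned a single role.
        Set<String> realmRoles = new TreeSet<>(Collections.singletonList("Operator"));

        // The two readings disagree: one yields only Viewer, the other yields Admin.
        System.out.println("key = source role: " + mapForward(roleMap, realmRoles));
        System.out.println("key = target role: " + mapReverse(roleMap, realmRoles));
    }
}
```

With named attributes for the source and target role in the model, only one of these two readings would be possible for a given configuration.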