[security-dev] Security Role Mappings
Darran Lofthouse
darran.lofthouse at jboss.com
Thu Mar 14 07:43:42 EDT 2013
I am looking for some clarification regarding the <security-role>
element in jboss-web.xml. Trying to dig through some historic use
of the element, I am starting to think a mistake was made in AS7 and that
the mapping logic is not what was originally intended by the element.
Take the following definition: -
<security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
</security-role>
My interpretation of this is that originally this was used where we had
a run-as-principal defined; this would mean that if the run-as-principal is
either 'Mark' or 'Tom', then assume that membership of the role 'Support'
is also true.
Where there is no run-as-principal, I believe this also evolved to mean:
if the authenticated user is 'Mark' or 'Tom', then assume that they are a
member of the role 'Support'.
However, for some reason within AS7 we now seem to be matching the
principal-name values against the user's currently assigned roles and not
against the name of the Principal.
To me this new behaviour is wrong and confusing, but I wanted to check
if there were other opinions. Where a role-to-role mapping is required
there is already a login module to provide that capability, and I think
that has been confused with the principal-to-role mapping of the
deployment descriptor.
Regards,
Darran Lofthouse.
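The two readings of <security-role> described in the message above, as an added illustration that is not part of the original post and not JBoss/AS7 code: a small parser for the <security-role> elements, the principal-to-role interpretation (principal-name matched against the run-as or authenticated Principal's name) and the role-to-role interpretation (principal-name matched against the caller's existing roles). The XML fragment is constructed; it repeats the 'Support' entry from the post and adds a hypothetical 'Admin' entry whose principal-name is a role name, so the two readings give visibly different results. The function names and the single-pass, non-transitive role-to-role matching are assumptions made here for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed jboss-web.xml fragment (not from the post beyond the 'Support'
# entry). The 'Admin' entry is hypothetical: its principal-name is the name of
# a role, which is only meaningful under the role-to-role reading.
JBOSS_WEB_XML = """<jboss-web>
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
    <principal-name>Support</principal-name>
  </security-role>
</jboss-web>"""


def parse_security_roles(xml_text):
    """Return {role-name: {principal-name, ...}} from the <security-role> elements."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for sr in root.findall("security-role"):
        role = (sr.findtext("role-name") or "").strip()
        names = {pn.text.strip() for pn in sr.findall("principal-name") if pn.text}
        if role:
            mapping.setdefault(role, set()).update(names)
    return mapping


def principal_to_role(mapping, principal, roles, run_as=None):
    """Reading described in the post as the original intent: the principal-name
    values are compared with the name of the Principal. If a run-as principal is
    defined it is the one compared; otherwise the authenticated user is."""
    subject = run_as if run_as is not None else principal
    effective = set(roles)
    for role, names in mapping.items():
        if subject in names:
            effective.add(role)
    return effective


def role_to_role(mapping, roles):
    """Reading the post attributes to AS7: the principal-name values are compared
    with the roles the caller already holds. Matching is done against the
    caller's original roles only (single pass, not transitive) - an assumption
    made for this illustration."""
    original = set(roles)
    effective = set(original)
    for role, names in mapping.items():
        if names & original:
            effective.add(role)
    return effective


if __name__ == "__main__":
    mapping = parse_security_roles(JBOSS_WEB_XML)
    # User 'Mark' with no roles: principal-to-role grants Support, role-to-role grants nothing.
    print(principal_to_role(mapping, "Mark", set()))
    print(role_to_role(mapping, set()))
    # Caller already holding 'Support': only the role-to-role reading grants Admin.
    print(principal_to_role(mapping, "Alice", {"Support"}))
    print(role_to_role(mapping, {"Support"}))
```

Running it shows the divergence the post is concerned about: under the principal-to-role reading a user named 'Mark' (or anyone running as 'Tom') ends up in 'Support', whereas under the role-to-role reading a user named 'Mark' gains nothing and a caller who already holds 'Support' is instead promoted into the hypothetical 'Admin' role.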