[security-dev] Security Role Mappings
Anil Saldhana
Anil.Saldhana at redhat.com
Fri Mar 15 14:34:35 EDT 2013
Darran,
<security-role> setting is present in jboss-web.xml, jboss-app.xml
and jboss.xml historically.
From the dtd definitions: http://www.jboss.org/j2ee/dtd/
<!--
The principal-name element is the name of the principal that is mapped
to the assembly role-name.
Used in: security-role
-->
Basically, the original intent was to map the assembly security role
(from security-role-ref from web.xml etc) to deployment
security-role/principal-name combination (vendor DD).
Something like:
http://docs.oracle.com/javaee/5/tutorial/doc/bncav.html#bncay
Regards,
Anil
On 03/14/2013 06:43 AM, Darran Lofthouse wrote:
> I am looking for some clarification regarding the <security-role>
> element in the jboss-web.xml - trying to dig through some historic use
> of the element I am starting to think a mistake was made in AS7 and that
> the mapping logic is not what was originally intended by the element.
>
> Take the following definition: -
>
> <security-role>
> <role-name>Support</role-name>
> <principal-name>Mark</principal-name>
> <principal-name>Tom</principal-name>
> </security-role>
>
> My interpretation of this is that originally this was used where we had
> a run-as-principal-define, this would mean if the run-as-principal is
> either 'Mark' or 'Tom' then assume that membership of the role 'Support'
> is also true.
>
> Where there is no run-as-principal I believe this also evolved to mean,
> if the authenticated user is 'Mark' or 'Tom' then assume that they are a
> member of the role 'Support'.
>
> However for some reason within AS7 we seem to now be matching the
> principal-name values against the users currently assigned roles and not
> matching it against the name of the Principal.
>
> To me this new behaviour is wrong and is confusing but I wanted to check
> if there were other opinions. Where a role to role mapping is required
> there is already a login module to provide that capability and I think
> that has been confused with the principal to role mapping of the
> deployment descriptor.
>
> Regards,
> Darran Lofthouse.
More information about the security-dev
mailing list