9 Replies Latest reply on Sep 3, 2002 9:52 AM by tool

    roles and rolegroups in DatabaseServerLoginModule

    illerd

      I'm using the DatabaseServerLogin module (in login-config.xml) to authenticate users of the web application I'm deploying in JBoss. I've done some preliminary testing with the UsersRolesLogin module and everything seems to be fairly straightforward. There is one thing I can't seem to wrap my head around, though. I can't figure out how the Roles and RoleGroups fit together. I know what a role is and how to use it but I don't know how it relates to a RoleGroup. The example in the JBoss 3.0X book is a bit confusing. Here's the example:

      the Roles table fields are (Principal_ID text, Role text, RoleGroup text)

      INSERT INTO Principals VALUES('java', 'echoman');
      INSERT INTO Roles VALUES('java', 'Echo', 'Roles');
      INSERT INTO Roles VALUES('java', 'caller_java', 'CallerPrincipal');

      What exactly is a rolegroup and how does it relate to roles? Is it a set of roles? Is a rolegroup arbitrary or does it have to be some defined value like the CallerPrincipal rolegroup in the example? Also, the example shows a record that associates a user with a rolegroup called 'Roles'. Is this arbitrary or defined somewhere? If it's arbitrary it's a really confusing choice for an example. Does anyone have a good webpage I can check out for a more thorough explanation?


      Thanks,
      Scott

        • 1. Re: roles and rolegroups in DatabaseServerLoginModule
          tool

          RoleGroups are sets (actually java.security.acl.Group objects) of Roles. JBoss supports only RoleGroups called "Roles" or "CallerPrincipal".
          **These two values are hard coded into the JaasSecurityManager class. (JBoss 3.0.x Book Pg. 271 under the DatabaseServerLoginModule section and Page 275 under the Writing Custom Login Modules section)
          **These can be modified, if you mess around with the JBoss source code a bit. You just have to make the necessary change(s) to the JaasSecurityManager and recompile the jar it's in (jbosssx.jar) and replace that jar in the /lib directory and restart the server.
          If you want to use your own RoleGroups in JBoss then check out the JaasSecurityManager.java in the JBoss source code. The change(s) you have to make are actually pretty small.
          Good luck!
          Brian

          • 2. Re: roles and rolegroups in DatabaseServerLoginModule
            illerd

            So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

            • 3. Re: roles and rolegroups in DatabaseServerLoginModule
              illerd

              So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

              • 4. Re: roles and rolegroups in DatabaseServerLoginModule
                illerd

                So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

                • 5. Re: roles and rolegroups in DatabaseServerLoginModule
                  illerd

                  So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

                  • 6. Re: roles and rolegroups in DatabaseServerLoginModule
                    illerd

                    So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

                    • 7. Re: roles and rolegroups in DatabaseServerLoginModule
                      illerd

                      So, what is the distinction between Roles and CallerPrincipal? Do I have to put in two entries for each account, as in the example, or can I just have one record for each account and put everyone in the 'Roles' RoleGroup?

                      • 8. Re: roles and rolegroups in DatabaseServerLoginModule
                        illerd

                        oh. It did go through. All 5 of them.

                        • 9. Re: roles and rolegroups in DatabaseServerLoginModule
                          tool

                          I haven't played around much with the CallerPrincipal thing, but I know that you don't need them as long as you have an entry under Roles for that user.
                          It seems to me that CallerPrincipal is just a way of running the application with your CallerPrincipal value as your identity, instead of the username you type to log in. They can be the same but don't have to be, apparently.
                          I wonder what they are best used for?
                          Brian
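
A small model of the grouping the replies above describe, added here as an example; it is not JBoss code and not from the book. It loads the thread's three INSERT rows into SQLite, collects each user's rows into one set per RoleGroup, and lists rows whose RoleGroup is neither of the two recognised names. Assumptions: the `Password` column name, the constructed `scott` and `brian` rows, a case-sensitive match on the group name, and falling back to the login name when no CallerPrincipal row exists.

```python
import sqlite3

# The two group names the first reply says are hard coded in stock JBoss 3.0.x.
KNOWN_GROUPS = {"Roles", "CallerPrincipal"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Principals (Principal_ID TEXT, Password TEXT);  -- column names assumed
        CREATE TABLE Roles (Principal_ID TEXT, Role TEXT, RoleGroup TEXT);
        -- rows from the thread
        INSERT INTO Principals VALUES ('java', 'echoman');
        INSERT INTO Roles VALUES ('java', 'Echo', 'Roles');
        INSERT INTO Roles VALUES ('java', 'caller_java', 'CallerPrincipal');
        -- constructed rows: one user with only a 'Roles' entry, one with a mistyped group
        INSERT INTO Principals VALUES ('scott', 'constructed-pw');
        INSERT INTO Roles VALUES ('scott', 'Echo', 'Roles');
        INSERT INTO Principals VALUES ('brian', 'constructed-pw');
        INSERT INTO Roles VALUES ('brian', 'Admin', 'roles');
    """)
    return db

def load_groups(db, user):
    """Collect the user's rows into one set of role names per RoleGroup."""
    groups = {}
    query = "SELECT Role, RoleGroup FROM Roles WHERE Principal_ID = ?"
    for role, group in db.execute(query, (user,)):
        groups.setdefault(group, set()).add(role)
    return groups

def effective_roles(db, user):
    """Roles usable for authorization checks: members of the 'Roles' group only."""
    return load_groups(db, user).get("Roles", set())

def caller_principal(db, user):
    """Identity seen by the application: the CallerPrincipal entry, else the login name."""
    names = load_groups(db, user).get("CallerPrincipal")
    return sorted(names)[0] if names else user

def ignored_rows(db):
    """Rows whose RoleGroup is not a recognised name, so they grant nothing."""
    query = "SELECT Principal_ID, Role, RoleGroup FROM Roles ORDER BY Principal_ID"
    return [row for row in db.execute(query) if row[2] not in KNOWN_GROUPS]

if __name__ == "__main__":
    db = build_db()
    for user in ("java", "scott", "brian"):
        print(user, sorted(effective_roles(db, user)), caller_principal(db, user))
    print("ignored:", ignored_rows(db))
```

Running `ignored_rows` against a real Roles table is a quick audit for accounts that were meant to have a role but receive none because of a mistyped RoleGroup.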