Organizational Role to Application Role mapping using LDAP?
tjp Mar 25, 2004 5:40 PM

I am trying to configure an LDAP LoginModule for my Web application and understand everything except how to map a user's organizational role name (defined in the LDAP server, such as "QA Managers"):

    dn: cn=QA Managers,ou=groups,o=techniques.org
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: QA Managers
    ou: groups
    uniquemember: uid=abergin, ou=People, o=techniques.org
    uniquemember: uid=jwalker, ou=People, o=techniques.org
    description: People who can manage QA entries
to an application role name defined by my Web application's deployment descriptor, such as "qamgr":
    <security-role>
        <description>quality assurance managers</description>
        <role-name>qamgr</role-name>
    </security-role>
At runtime, from a Servlet in my Web application, I would like to do:
    request.isUserInRole("qamgr")
and would expect a return value of true if the authenticated user is "abergin" or "jwalker".
I'll use an example from your admin documentation, chapter 8, to clarify my point:
The documentation sets up a org.jboss.security.auth.spi.LdapLoginModule that would result in the "jduke" user having the "TheDuke" and "AnimatedCharacter" roles after login succeeds.
I'm confused about whether "TheDuke" and "AnimatedCharacter" are application roles to be used in Web application descriptors and calls like:
    request.isUserInRole("TheDuke")
and Web application <security-constraint> elements such as:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Pages for the Duke</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>only for animated dukes</description>
            <role-name>TheDuke</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
OR
are these organizational roles that are somehow mapped to application roles?
In other words, how do you map a user's organizational roles defined in the LDAP server to logical application security roles when using the LdapLoginModule?
I've done some research and it seems like this process is called Principal mapping (or Realm mapping). Is this true??? Unfortunately, I don't know much about this process and would appreciate some help understanding how this should work ;-)
I've worked with this a little in the past with WebLogic using weblogic.xml:

    <security-role-assignment>
        <role-name>Users</role-name>
        <principal-name>users</principal-name>
    </security-role-assignment>

Does such a process exist for JBoss?

Kind regards,
Tim
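To make the two-step mapping in the question concrete, here is an added Python example (not from the post and not JBoss code) that resolves a user's groups from the group entry quoted above and then translates group names to web.xml role names through a deployment-side table; the second "Developers" group, the ROLE_MAPPING table and the user DNs are constructed assumptions.

```python
# Constructed LDIF: the QA Managers entry from the post plus an unmapped group.
GROUP_LDIF = """\
dn: cn=QA Managers,ou=groups,o=techniques.org
objectclass: groupOfUniqueNames
cn: QA Managers
uniquemember: uid=abergin, ou=People, o=techniques.org
uniquemember: uid=jwalker, ou=People, o=techniques.org

dn: cn=Developers,ou=groups,o=techniques.org
objectclass: groupOfUniqueNames
cn: Developers
uniquemember: uid=jwalker, ou=People, o=techniques.org
"""

# Assumed deployment-side table: LDAP group cn -> web.xml <role-name>.
# Groups missing from it grant no application role at all (deny by default).
ROLE_MAPPING = {"QA Managers": "qamgr"}


def normalize_dn(dn):
    """Trim RDN whitespace and fold case so "uid=a, ou=People" equals "uid=a,ou=people"."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(ldif):
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in ldif.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def organizational_roles(user_dn, entries):
    """Step 1 (matching on the user DN): cn of every group whose uniquemember lists it."""
    target = normalize_dn(user_dn)
    return {cn for e in entries
            if target in {normalize_dn(m) for m in e.get("uniquemember", [])}
            for cn in e.get("cn", [])}


def application_roles(user_dn, entries, mapping=ROLE_MAPPING):
    """Step 2: translate organizational roles through the deployment mapping."""
    return {mapping[g] for g in organizational_roles(user_dn, entries) if g in mapping}


def is_user_in_role(user_dn, role, entries, mapping=ROLE_MAPPING):
    """Equivalent of request.isUserInRole(role) once both steps have run."""
    return role in application_roles(user_dn, entries, mapping)
```

Because membership is compared on normalised DNs, the spaces after the commas in the directory's uniquemember values do not cause a silent miss, and a group with no entry in ROLE_MAPPING never leaks into the application as a role name.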