2 Replies Latest reply on Nov 17, 2010 6:09 AM by martinborgman

    JSR 196 : Role Mapping

    sebastianmohan
    sebastianmohan Jan 22, 2010 5:09 PM

      I have been searching to configure role mapping in JBoss 5.1.0.GA and found this from one of the presentation slides. Is there any more details I could get apart from below.

       

      <application-policy name="MyDomain">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      </authentication>
      <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
      <rolemapping>
      <mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider">
      </mapping-module>
      </rolemapping>
      </application-policy>


      We are trying to map the application specific roles to the roles defined in our client LDAP

       

      Say we have a role defined 'AppUser' who can access our application.

       

      Our client has a role (Active Directory group) defined as 'Doctor'.

       

      I am trying to map AppUser=Doctor in my application-policy definition. I am wondering where those definition goes.

       

      Thanks

      Sebastian

      • 6648 Views
      • Tags:
        • 1. Re: JSR 196 : Role Mapping
          sebastianmohan
          sebastianmohan Jan 25, 2010 5:27 PM (in response to sebastianmohan)

          I found RoleMappingLoginModule which solves my problem

          http://community.jboss.org/wiki/RoleMappingLoginModule.

            • Actions
          • 2. Re: JSR 196 : Role Mapping
            martinborgman
            martinborgman Nov 17, 2010 6:09 AM (in response to sebastianmohan)

            Hi Sebastian,

             

            Let me describe a real live example for you.

            I Have 3 applications running on my JBoss Application Server.

            Each application has a common user role called "user" and an application administrator role called "admin".

            In the web.xml or ejb-jar.xml these roles are defined the standard way.

            Everything is OK right?

            On the technical front you have to differentiate between app1-user and app2-user etc because a user may have right to use app1 but not app2 and app3. A user can be admin for app1 and user for app3.

            If you use the RoleMappingLoginModules mapping occurs at the security domain level not at the application level.

            This means you have to create a security domain for each app to make this work. This is an incredible waste of resources that were supposed to be shared.

            The RoleMappingLoginModules does do role mapping but at the wrong level in my opinion.

             

            Regards.

            Martin Borgman

              • Actions