Sohil Shah wrote:
Since it makes sense to associate this mapping at the security-domain level to be utilized at different layers of the app (not just ejb and web)(I am thinking Portal,SEAM, JBPM etc)
It makes absolutely no sense at all to do this at the security domain level.
Let me give you an example.
I have 2 applications running on a JBoss instance.
Both applications use basic authentication using a single company wide active directory configuration.
Both applications use a common user role called "user" and an application administrator called "admin"
The role names "admin" and "user" are defined in the standard deployment descriptors. This is as it should be right?
Now a user for application 1 may not have any rights to use application 2
Another user may have admin rights for application 1 and only user rights for application two.
Since both applications use the same company wide authentication / authorization it make sense to define a single security domain, but if I do that I cannot differentiate between the rights for the two applications by using a domain level role mapper.
Sohil Shah wrote:
wouldn't it make sense to extend the configuration options in the login-config.xml so that you can specify the role/identity mappings kind of like this:
<application-role>whatever role from login module</application-role>
<deployment-role>whatever deployment role it should map to</deployment-role>
Ofcourse this is just an example, and definitely needs better element names
This is a stupid idea. Think about PaaS. Applications move from application server to application server. You don't want to change your login-config every time you move your application to a different application server. While it is possible to deploy a login config with the application or make it part of the deployment unit. This would still mean you create a new security domain for every application you deploy and that would certainly be a waste of resources and a security nightmare.
It would be much better to remap roles in the container specific deployment descriptors.
In my opinion this is a deployment issue and not security issue!