2 Replies Latest reply on Nov 17, 2010 6:09 AM by Martin Borgman

    JSR 196 : Role Mapping

    Sebastian Mohan Newbie

      I have been searching to configure role mapping in JBoss 5.1.0.GA and found this from one of the presentation slides. Is there any more details I could get apart from below.


      <application-policy name="MyDomain">
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      <mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider">


      We are trying to map the application specific roles to the roles defined in our client LDAP


      Say we have a role defined 'AppUser' who can access our application.


      Our client has a role (Active Directory group) defined as 'Doctor'.


      I am trying to map AppUser=Doctor in my application-policy definition. I am wondering where those definition goes.




        • 2. Re: JSR 196 : Role Mapping
          Martin Borgman Newbie

          Hi Sebastian,


          Let me describe a real live example for you.

          I Have 3 applications running on my JBoss Application Server.

          Each application has a common user role called "user" and an application administrator role called "admin".

          In the web.xml or ejb-jar.xml these roles are defined the standard way.

          Everything is OK right?

          On the technical front you have to differentiate between app1-user and app2-user etc because a user may have right to use app1 but not app2 and app3. A user can be admin for app1 and user for app3.

          If you use the RoleMappingLoginModules mapping occurs at the security domain level not at the application level.

          This means you have to create a security domain for each app to make this work. This is an incredible waste of resources that were supposed to be shared.

          The RoleMappingLoginModules does do role mapping but at the wrong level in my opinion.



          Martin Borgman