-
1. Re: how to map roles to users and groups in JBoss?
sebastianmohan Jan 25, 2010 7:20 AM (in response to legolas.w)
Roles assigned to the web artifacts in the web.xml map directly to the roles/groups defined in DB/LDAP.
If user A is a member of group G in Active Directory, then user A will be able to access the web resources that have been associated with the role G in the web.xml.
For this scenario your security constraint would look like this:
<security-role>
  <role-name>G</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>G</role-name>
  </auth-constraint>
</security-constraint>
Apart from adding the security domain in jboss-web.xml, you would also define an application policy (name should match the domain name) in login-config.xml.
Hope this helps.
Regards
Sebastian
-
2. Re: how to map roles to users and groups in JBoss?
legolas.w Jan 25, 2010 10:34 AM (in response to sebastianmohan)
Thank you for looking at my question.
My problem looks to be about the login-config.xml.
I have not been able to find a document or a manual which shows how I can define the policy inside that file. For example, I have a role and I want to map it to a username james.k and a group named employees. How can I do that, assuming that I want to use either a JDBC realm or an LDAP realm?
Thanks.
-
3. Re: how to map roles to users and groups in JBoss?
sebastianmohan Jan 25, 2010 11:05 AM (in response to legolas.w)
The following links describe how to configure the login-config.xml
For DatabaseLoginModule
http://community.jboss.org/wiki/DatabaseServerLoginModule
For LDAP
This is a basic module
http://community.jboss.org/wiki/ldaploginmodule
This module has the search capability for the given service account
http://community.jboss.org/wiki/ldapextloginmodule
Sebastian
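An added example, not part of the original thread or of the wiki pages linked above: the two files the replies refer to, wired together for the database case. The domain name myapp-domain, the datasource java:/MyAppDS and the USERS / USER_ROLES tables with their column names are assumptions for illustration; the role G and the module class come from the posts and the linked DatabaseServerLoginModule page.

```xml
<!-- WEB-INF/jboss-web.xml: binds the web application to a security domain.
     "myapp-domain" is an assumed name for this example. -->
<jboss-web>
  <security-domain>java:/jaas/myapp-domain</security-domain>
</jboss-web>

<!-- server/<config>/conf/login-config.xml: goes inside the existing <policy> element.
     The name attribute must equal the part after java:/jaas/ above. -->
<application-policy name="myapp-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Assumed JNDI name of the datasource holding the user tables -->
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <!-- Returns the stored password for the user name bound to ? (assumed table) -->
      <module-option name="principalsQuery">SELECT PASSWD FROM USERS WHERE USERNAME = ?</module-option>
      <!-- Column 1: role name, compared literally with <role-name> in web.xml (G here).
           Column 2: role group, which must be the string 'Roles' for authorization. -->
      <module-option name="rolesQuery">SELECT ROLE_NAME, 'Roles' FROM USER_ROLES WHERE USERNAME = ?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

With this policy, james.k can reach /private/* only if a USER_ROLES row returns exactly G for that user name; the role names are matched as strings, so the database value and the web.xml role-name have to be identical.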
-
4. Re: how to map roles to users and groups in JBoss?
peterj Jan 25, 2010 12:48 PM (in response to legolas.w)
Perhaps there is a little bit of confusion here - there is no "mapping" of roles in the database or LDAP to the roles in web.xml. If the roles in LDAP, for example, for user "james.k" are "dept.a", "manager" and "ops", then you can use any of those roles in web.xml to grant james.k access to resources.
There is no way to translate roles in LDAP or the database into another set of roles for use in web.xml. At least, not as far as I know without writing some code. So there is no way to, for example, map the "dept.a" role in LDAP to an "employee" role used in web.xml.
-
5. Re: how to map roles to users and groups in JBoss?
sebastianmohan Jan 25, 2010 12:54 PM (in response to peterj)
Now I understand. I guess we are all in the same boat now. I have been trying to figure out this problem. I posted a question last week. http://community.jboss.org/thread/147192?tstart=0
Sebastian
-
6. Re: how to map roles to users and groups in JBoss?
sebastianmohan Jan 25, 2010 5:25 PM (in response to sebastianmohan)
I think this LoginModule might help in mapping roles from the web.xml to the LDAP/DB.