Ignore last. Let me ask it a different way.
How do user identities (say, those authenticated via an LDAP login module) get mapped to an EJB group or role, in a declarative implementation?
We will have EJB with web and fat clients. There are several apps for which I want to use a unified security model. All users would be authenticated via LDAP. Since we have little control over the LDAP object structure, I don't want to assume we can store user roles there. This would be done in RDBMS.
So the steps would be:
1) Authenticate user vs. LDAP
2) Take user name, go to DB and get group or role names.
I was thinking 1/2 could be done via a custom login module, basically extending the LdapLoginModule to get the groups/roles out of the DB instead of LDAP.
- Does this approach make sense?
- I am confused as to the meaning of roles vs. groups in the context of J2EE security model. I want to map the user identity to some 'aggregated identity' and use that for access control. Which is it: group or role?
- I want to use the same 'aggregated identity' to control web and EJB resources. How does this get propagated between the web and EJB containers?
I know these questions seem primitive. Thanks mucho for the patience.
> Does this approach make sense?
If you can't store the roles in LDAP, I suppose so.
You can subclass
protected Group getRoleSets() throws LoginException
(you access the user through getIdentity().getName())
and make your DB call in this method; that should work.
I don't know about the web permissions stuff.
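As an added example (not code from either post), here is a login module doing what the reply suggests: it extends JBoss's LdapLoginModule so LDAP still authenticates, and overrides getRoleSets() to read the roles from the RDBMS. It assumes the JBoss AbstractServerLoginModule signature in which getRoleSets() returns a Group array, a placeholder DataSource JNDI name and table, and the JBoss convention that members of the group literally named "Roles" become the J2EE roles the web and EJB containers check.

```java
import java.security.acl.Group;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.LdapLoginModule;

/** Hypothetical login module: LDAP authenticates, the RDBMS supplies the roles. */
public class LdapAuthDbRolesLoginModule extends LdapLoginModule {

    // Placeholder names: adjust to your own DataSource and role table.
    private static final String ROLES_DS = "java:/RolesDS";
    private static final String ROLES_QUERY =
        "SELECT role_name FROM user_roles WHERE user_name = ?";

    /** Called after a successful LDAP bind; returns the groups for the identity. */
    protected Group[] getRoleSets() throws LoginException {
        String user = getIdentity().getName();
        // JBoss maps the group named "Roles" to the security roles used by web and EJB.
        SimpleGroup roles = new SimpleGroup("Roles");
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(ROLES_DS);
            conn = ds.getConnection();
            // Bound parameter: the user name never becomes part of the SQL text.
            ps = conn.prepareStatement(ROLES_QUERY);
            ps.setString(1, user);
            rs = ps.executeQuery();
            while (rs.next()) {
                roles.addMember(new SimplePrincipal(rs.getString(1)));
            }
        } catch (Exception e) {
            // Fail closed and do not leak DB details to the caller; the container logs it.
            throw new LoginException("Role lookup failed for user " + user);
        } finally {
            try { if (rs != null) rs.close(); } catch (Exception ignore) {}
            try { if (ps != null) ps.close(); } catch (Exception ignore) {}
            try { if (conn != null) conn.close(); } catch (Exception ignore) {}
        }
        return new Group[] { roles };
    }
}
```

Register the class in a security domain in JBoss's login-config.xml and point both jboss-web.xml and jboss.xml at that domain, so the same "Roles" group drives web and EJB authorization.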