2 Replies Latest reply on Feb 19, 2002 4:50 AM by J. Wolfgang Kaltz

    User mapping - dumb question

    Mike Finn Apprentice

      A general question on implementing security.

      How do you map authenticated user/principal to an 'aliased' user to invoke EJB methods? For example, my users will be authenticated against LDAP, but I don't want to manage all those users as real EJB users (there are 10K+ of them). What is the standard mechanism by which this is done? I am sure it's in front of my face, but am just not seeing it....

      TIA,
      Mike

        • 1. Re: User mapping - dumb question
          Mike Finn Apprentice

          Ignore last. Let me ask it a different way.
          How do user identities (say, those authenticated via LDAP loginmodule) get mapped to an EJB group or role, in a declarative implementation?

          We will have EJB with web and fat clients. There are several apps for which I want to use a unified security model. All users would be authenticated via LDAP. Since we have little control over the LDAP object structure, I don't want to assume we can store user roles there. This would be done in RDBMS.

          So the steps would be:
          1) Authenticate user vs. LDAP
          2) Take user name, go to DB and get group or role names.
          I was thinking 1/2 could be done via custom login module, basically extending the LdapLoginModule to get the groups/roles out of the DB. instead of LDAP.

          - Does this approach make sense?
          - I am confused as to the meaning of roles vs. groups in the context of J2EE security model. I want to map the user identity to some 'aggregated identity' and use that for access control. Which is it: group or role?
          - I want to use the same 'aggregated identity' to control web and EJB resources. How does this get propagated between web and ejb container?

          I know these questions seem primitive. Thanks mucho for the patience.

          TIA,
          Mike

          • 2. Re: User mapping - dumb question
            J. Wolfgang Kaltz Novice

            > Does this approach make sense?

            If you can't store the roles in LDAP, I suppose so.
            You can subclass
            org.jboss.security.auth.spi.UsernamePasswordLoginModule
            and overwrite
            protected Group[] getRoleSets() throws LoginException
            (you access the user through getIdentity().getName() )
            and make your DB call in this method, that should work.

            I don't know about the web permissions stuff.