1 Reply Latest reply on May 26, 2005 10:45 AM by ddossot

    Per-application role to principal mappings

    hclau

      Hi,

      I am trying to create an application EAR file with role to principal mappings that are specific to the application. For example, an EJB in my EAR file has granted permission to role "role_1", while user "user_2" in the user repository (e.g. an LDAP directory) has role "role_2". I want to grant "role_1" to "user_2" for this EAR file only.

      I tried to use <security-role> like the following

      <security-role>
        <role-name>role_1</role-name>
        <principal-name>user_2</principal-name>
      </security-role>

      to specify role to principal mappings in jboss.xml, jboss-web.xml and jboss-app.xml but it did not work. When I log in as "user_2" and access the EJB, instead of getting the role "role_1" from the deployment descriptor, I still only get the role "role_2" from LDAP, and cannot access the EJB. When I log in as another user that has role "role_1" in LDAP, I can access the EJB successfully.

      I tried this in JBoss 4.0.1 SP 1, using LdapLoginModule to access the user repository in an LDAP directory.

      Thanks in advance for any help.

      Marvin

        • 1. Re: Per-application role to principal mappings

          Dear Marvin,

          I had the same expectations as you, but we were both wrong! Here is what is the real usage of these mappings:

          "The only use of the security-role settings in the jboss.xml and jboss-web.xml descriptors is to assign additional roles to a run-as identity. These have no effect for authenticated users. The user to role mapping for actual users is based on the JAAS login module configuration and associated security store." (Scott Stark)


          Hope this helps,
          Best regards,
          David
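To make the distinction in the quoted answer concrete, here is an added example (not from the original thread and not JBoss's own documentation) of the one thing a jboss.xml security-role/principal-name mapping does do in JBoss 4.0.x: give extra roles to a bean's run-as identity. The bean name CallerBean, its class and interface names, the security domain myLdapDomain and the run-as principal name caller_runas are assumed for illustration; role_1 and role_2 follow the thread's own naming.

```xml
<!-- ejb-jar.xml (fragment, assumed bean names): CallerBean itself calls out
     with the run-as role role_1, regardless of which user invoked it. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>CallerBean</ejb-name>
      <home>example.CallerHome</home>
      <remote>example.Caller</remote>
      <ejb-class>example.CallerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>role_1</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>role_1</role-name></security-role>
    <security-role><role-name>role_2</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml (fragment, same EAR). The security-domain names the JAAS
     application-policy whose login modules (here LdapLoginModule) decide
     which roles an authenticated user such as user_2 really has. -->
<jboss>
  <security-domain>java:/jaas/myLdapDomain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CallerBean</ejb-name>
      <security-identity>
        <!-- JBoss-specific: the principal name used for run-as calls -->
        <run-as-principal>caller_runas</run-as-principal>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- This is the mapping the thread was trying to use for user_2.
         It is only consulted for the run-as principal named above: caller_runas
         now carries role_2 in addition to role_1 from ejb-jar.xml when CallerBean
         calls other beans. user_2's roles are untouched; they still come solely
         from the login module configured for myLdapDomain. -->
    <security-role>
      <role-name>role_2</role-name>
      <principal-name>caller_runas</principal-name>
    </security-role>
  </assembly-descriptor>
</jboss>
```

The practical consequence for the original question: a deployment descriptor cannot grant role_1 to user_2, because the descriptor is never consulted for an authenticated caller. If the grant should apply to one EAR only, the place to express it is the EAR's own security-domain, that is, a separate application-policy in login-config.xml with its own login-module chain, so that the role source for this application differs from the role source for the others.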