Version 2



    Fully Qualified Name



    JIRA Issue





    JBoss 3.2.8.SP2, JBoss 4.0.5, JBoss 5.0.0 onwards




    Users would like to map roles that are the end result of the authentication process to one or more declarative roles.  For example, if the authentication process has determined that a user "jduke" has the roles ldapAdmin and testAdmin, and the declarative role defined in web.xml or ejb-jar.xml for access is "admin", then this login module can be used to map the roles.




    This module needs to be added as an "optional" module in the JAAS configuration.



    <application-policy name="jmx-console">
      <authentication>
        <login-module code="">
          <module-option name="usersProperties">props/</module-option>
          <module-option name="rolesProperties">props/</module-option>
        </login-module>
        <login-module code="" flag="optional">
          <module-option name="rolesProperties">props/</module-option>
        </login-module>
      </authentication>
    </application-policy>


    Module Options


    The module options that can be passed are as follows:



    • rolesProperties: the name of the properties file, which is either located via the classloader or given as an absolute location using the pattern (e.g. file:/ etc)

    • replaceRole: By default, this module adds the mapped roles to the authenticated subject.  If the key role should instead be replaced by the mapped roles, set this option to "true".


    Example of Properties file






    If there is a "Role3" in the authenticated subject, then the roles "testRole" and "testRole2" will be added to the authenticated subject. If the module option replaceRole has been set to "true", then "Role3" will also be removed from the authenticated subject.
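
    The add-versus-replace behaviour described above, as an added example that is not part of the original page and is not the JBoss module's own code. It uses no JBoss API; the class name RoleMappingDemo, the extra role "Role1" and the properties format (key role = comma-separated mapped roles) are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;

// Added illustration: models the mapping behaviour described on this page.
// It is not the JBoss login module and does not call any JBoss API.
public class RoleMappingDemo {

    // Constructed sample mapping. Assumed format: keyRole=mapped1,mapped2
    static final String ROLES_PROPERTIES = "Role3=testRole,testRole2\n";

    // Returns the roles the subject holds after mapping has been applied.
    static Set<String> mapRoles(Set<String> authenticated, Properties mapping,
                                boolean replaceRole) {
        Set<String> result = new TreeSet<>(authenticated);
        for (String keyRole : authenticated) {
            String mapped = mapping.getProperty(keyRole);
            if (mapped == null) {
                continue; // no mapping for this role: it is left untouched
            }
            if (replaceRole) {
                result.remove(keyRole); // replaceRole=true drops the key role
            }
            for (String role : mapped.split(",")) {
                String trimmed = role.trim();
                if (!trimmed.isEmpty()) {
                    result.add(trimmed); // mapped roles are always granted
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        Properties mapping = new Properties();
        mapping.load(new StringReader(ROLES_PROPERTIES));

        // Constructed subject: "Role1" has no mapping, "Role3" does.
        Set<String> subject = new TreeSet<>(Arrays.asList("Role1", "Role3"));

        System.out.println("replaceRole=false: " + mapRoles(subject, mapping, false));
        System.out.println("replaceRole=true:  " + mapRoles(subject, mapping, true));
    }
}
```

    With the default setting the subject keeps "Role3" alongside the mapped roles, so any declarative constraint that names "Role3" still grants access; only replaceRole set to "true" removes it.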