Many users would like to map the application roles that are derived out of the Jaas authentication process to declarative roles (defined in various deployment descriptors like web.xml).
There is a feature request that has been implemented with an optional login module called the RoleMappingLoginModule.
http://jira.jboss.com/jira/browse/JBAS-3323
This works perfectly fine for the majority of cases except for one: when there are login modules with the control flag of "Sufficient" and no "required/requisite" modules. The problem is that the optional RoleMapping LM will never be reached if authentication succeeds.
Given this, there are alternatives:
1) The user can override the getRoleSets method of any JBoss standard LM.
2) The Abstract Server LM base class can be retrofitted with role mapping logic.
Both options hold merit in various use cases. Option 2 can solve the majority of user needs, but the issue is that we cannot tie the logic to a single store for the role map, like the properties file as done by the RoleMappingLoginModule. This can require an override in all LMs if users need to do it.
The right solution is that the logic should be added after the Jaas authentication process is completed. This will decouple the process from the login module life cycle. The above discussion holds true mainly for JBoss 4.0.x.
As I see it, I think we will need to add the logic into the JaasSecurityManager. The question is whether we should get the role mapping setup for a particular security domain by peeking into the Jaas configuration. I welcome your thoughts on this topic.
For JBoss 5.x, the Security SPI as discussed in the following forum thread:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=81097
will handle the Role Mapping logic.
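The "Sufficient" problem described in the post follows from how a JAAS LoginContext walks its module stack. The following model of that login-phase algorithm is an added example (not JBoss or JDK code; the module names are illustrative labels, not real class names) and shows why an optional module placed after a successful Sufficient module is never invoked, while the same stack with a Required module reaches it.

```python
# Model of the JAAS LoginContext login-phase control-flag algorithm.
# Added example, not JBoss or JDK code: it reproduces which modules get
# their login() called and whether the overall login succeeds.
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


def run_login_phase(stack):
    """stack: list of (module_name, Flag, login_succeeds).

    Returns (overall_success, names of modules whose login() was invoked).
    """
    invoked = []
    any_success = False
    required_failed = False
    for name, flag, ok in stack:
        invoked.append(name)
        if ok:
            # A successful SUFFICIENT module ends the pass right here unless a
            # REQUIRED/REQUISITE module already failed. Anything after it,
            # such as an optional role-mapping module, is never reached.
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, invoked
            any_success = True
        elif flag is Flag.REQUISITE:
            return False, invoked   # REQUISITE failure aborts immediately
        elif flag is Flag.REQUIRED:
            required_failed = True  # keep walking the stack, but login fails
        # A failed OPTIONAL or SUFFICIENT module is simply ignored.
    return (not required_failed) and any_success, invoked


# Constructed stacks mirroring the post: a credential-store LM followed by
# the optional role-mapping LM (labels only, not class names).
SUFFICIENT_STACK = [("StoreLM", Flag.SUFFICIENT, True),
                    ("RoleMappingLM", Flag.OPTIONAL, True)]
REQUIRED_STACK = [("StoreLM", Flag.REQUIRED, True),
                  ("RoleMappingLM", Flag.OPTIONAL, True)]

if __name__ == "__main__":
    for label, stack in (("sufficient", SUFFICIENT_STACK),
                         ("required", REQUIRED_STACK)):
        ok, invoked = run_login_phase(stack)
        print(f"{label}: success={ok}, invoked={invoked}")
```

With the Sufficient stack the role-mapping module is absent from the invoked list even though authentication succeeded, which is exactly the gap that motivates moving the mapping logic out of the login module life cycle.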