Re: [JBoss-user] Question on Security Role Mapping
That is correct.

On Mon, 14 May 2001 15:52:05 -0400 "Dale V. Georg" <[EMAIL PROTECTED]> wrote:
> OK, I think I understand now. Here's why I was getting confused: I was
> looking at the JAAS login module which uses the users.properties and
> roles.properties files and I was sort of equating it to NT security
> where users.properties represents the NT users and roles.properties
> represents the NT groups. And looking at it that way led me to the
> erroneous conclusion that the ejb-jar.xml entries were thus the
> principals (note that by principal I mean either the user id OR a user
> group from the underlying security system, and maybe that was another
> source of confusion on my part). However, what you're saying is that
> the right way to look at it is that users.properties is the users and
> roles.properties maps the physical users to the logical roles. Gee,
> it's obvious once you understand it. :) Theoretically, then, you could
> have a JAAS login module that authenticated the user against an NT
> domain, discovered the NT groups the user belonged to, and then mapped
> those groups to the logical roles, correct?
>
> Dale
>
> Dale V. Georg
> Technical Manager
> Indus Consultancy Services
> [EMAIL PROTECTED]
> (201) 261-3100 x229

___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
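The mapping confirmed in this message, as an added Java sketch that is not part of the original thread and is not JBoss code: one table authenticates the physical user, a second maps that user to the logical ejb-jar.xml role names, and a hypothetical group-to-role table covers the directory-backed variant asked about. The class name `RoleMappingDemo`, the `user=password` and `user=role1,role2` line formats, and all users, passwords and group names are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class RoleMappingDemo {
    // Constructed sample data. Assumed formats: user=password, user=role1,role2
    static final String USERS = "dale=secret\nscott=hunter2\n";
    static final String ROLES = "dale=Instance1Reader\nscott=Echo,Coder\n";
    // Hypothetical group -> logical role table for the directory-backed variant
    static final String GROUP_ROLES = "NT_Readers=Instance1Reader\nNT_Devs=Echo,Coder\n";
    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    static Set<String> split(String csv) {
        Set<String> out = new TreeSet<>();
        if (csv != null)
            for (String r : csv.split(","))
                if (!r.trim().isEmpty()) out.add(r.trim());
        return out;
    }

    // Authenticate the physical user, then return its logical roles (may be empty).
    static Set<String> login(String user, String password) throws IOException {
        String expected = load(USERS).getProperty(user);
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("authentication failed");
        return split(load(ROLES).getProperty(user));
    }

    // Variant: roles come from groups an external directory reported; unmapped groups grant nothing.
    static Set<String> rolesForGroups(Collection<String> groups) throws IOException {
        Set<String> roles = new TreeSet<>();
        Properties map = load(GROUP_ROLES);
        for (String g : groups) roles.addAll(split(map.getProperty(g)));
        return roles;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("dale: " + login("dale", "secret").contains("Instance1Reader"));
        Set<String> viaGroups = rolesForGroups(Arrays.asList("NT_Devs", "NT_Unmapped"));
        System.out.println("group-derived roles " + viaGroups + " allow Instance1Reader: " + viaGroups.contains("Instance1Reader"));
    }
}
```

The access decision only ever compares logical role names, so the deployment descriptor stays the same whichever table supplies the roles.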
Re: [JBoss-user] Question on Security Role Mapping
OK, I think I understand now. Here's why I was getting confused: I was looking at the JAAS login module which uses the users.properties and roles.properties files and I was sort of equating it to NT security where users.properties represents the NT users and roles.properties represents the NT groups. And looking at it that way led me to the erroneous conclusion that the ejb-jar.xml entries were thus the principals (note that by principal I mean either the user id OR a user group from the underlying security system, and maybe that was another source of confusion on my part). However, what you're saying is that the right way to look at it is that users.properties is the users and roles.properties maps the physical users to the logical roles. Gee, it's obvious once you understand it. :) Theoretically, then, you could have a JAAS login module that authenticated the user against an NT domain, discovered the NT groups the user belonged to, and then mapped those groups to the logical roles, correct?

Dale

Dale V. Georg
Technical Manager
Indus Consultancy Services
[EMAIL PROTECTED]
(201) 261-3100 x229

Scott M Stark wrote:
>
> The ejb-jar.xml roles are logical names. Where are you getting that they
> are the principal name? The tutorial demonstrates that they are not
> by securing the beans using roles of Echo & Coder, to which the principal
> names are mapped via the JAAS login module. The ejb-jar.xml descriptor
> is completely portable to JBoss.
>
> The only difference is that JBoss does not do the mapping via the jboss.xml
> descriptor directly. Rather the element specifies
> the security manager instance that does this at runtime based on the authenticated
> principal name.
>
> - Original Message -
> From: "Dale V. Georg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, May 11, 2001 11:45 AM
> Subject: Re: [JBoss-user] Question on Security Role Mapping
>
> > Yes, I did read through that; in fact, I used that as my guide for
> > converting our app from WebLogic to jBoss, and everything is working
> > great. I was just questioning whether the role-name in the ejb-jar.xml
> > mapping directly to the security principal was the only way jBoss
> > supported roles, or whether there was an additional mapping you could do
> > in the jboss.xml.
> >
> > The main reason I'm looking at this is we are trying to make our app
> > support multiple application servers. Up until now, ejb-jar.xml was
> > generic and didn't require changes between the different app servers,
> > since any app server specific stuff was in the appserver.xml. Further,
> > in the appserver.xml we are mapping all of our roles to guest by
> > default. But if jBoss assumes that the role-name from ejb-jar.xml is
> > the principal name, then we may need to have a special case for jBoss.
> >
> > Thanks,
> > Dale
Re: [JBoss-user] Question on Security Role Mapping
The ejb-jar.xml roles are logical names. Where are you getting that they are the principal name? The tutorial demonstrates that they are not by securing the beans using roles of Echo & Coder, to which the principal names are mapped via the JAAS login module. The ejb-jar.xml descriptor is completely portable to JBoss.

The only difference is that JBoss does not do the mapping via the jboss.xml descriptor directly. Rather the element specifies the security manager instance that does this at runtime based on the authenticated principal name.

- Original Message -
From: "Dale V. Georg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 11, 2001 11:45 AM
Subject: Re: [JBoss-user] Question on Security Role Mapping

> Yes, I did read through that; in fact, I used that as my guide for
> converting our app from WebLogic to jBoss, and everything is working
> great. I was just questioning whether the role-name in the ejb-jar.xml
> mapping directly to the security principal was the only way jBoss
> supported roles, or whether there was an additional mapping you could do
> in the jboss.xml.
>
> The main reason I'm looking at this is we are trying to make our app
> support multiple application servers. Up until now, ejb-jar.xml was
> generic and didn't require changes between the different app servers,
> since any app server specific stuff was in the appserver.xml. Further,
> in the appserver.xml we are mapping all of our roles to guest by
> default. But if jBoss assumes that the role-name from ejb-jar.xml is
> the principal name, then we may need to have a special case for jBoss.
>
> Thanks,
> Dale
Re: [JBoss-user] Question on Security Role Mapping
Yes, I did read through that; in fact, I used that as my guide for converting our app from WebLogic to jBoss, and everything is working great. I was just questioning whether the role-name in the ejb-jar.xml mapping directly to the security principal was the only way jBoss supported roles, or whether there was an additional mapping you could do in the jboss.xml.

The main reason I'm looking at this is we are trying to make our app support multiple application servers. Up until now, ejb-jar.xml was generic and didn't require changes between the different app servers, since any app server specific stuff was in the appserver.xml. Further, in the appserver.xml we are mapping all of our roles to guest by default. But if jBoss assumes that the role-name from ejb-jar.xml is the principal name, then we may need to have a special case for jBoss.

Thanks,
Dale

Scott M Stark wrote:
>
> See the security tutorial: http://www.jboss.org/documentation/HTML/ch11s78.html
>
> - Original Message -
> From: "Dale V. Georg" <[EMAIL PROTECTED]>
> To: "jBoss mailing List" <[EMAIL PROTECTED]>
> Sent: Friday, May 11, 2001 9:10 AM
> Subject: [JBoss-user] Question on Security Role Mapping
>
> > In my ejb-jar.xml, I define a number of security roles, for example:
> >
> > All users with read access to instance 1
> > Instance1Reader
> >
> > In other application servers that I have worked with, this role-name is
> > a "logical" role name, which in turn must be mapped to a "physical"
> > principal in the app server specific xml. For example, in
> > weblogic-ejb-jar.xml, I would specify:
> >
> > Instance1Reader
> > guest
> >
> > However, unless I am missing something, it seems that jboss.xml does not
> > provide an equivalent mapping, and that jBoss expects the role-name from
> > the ejb-jar.xml file itself to be the actual principal name. Is this
> > correct?
> >
> > Thanks,
> > Dale

--
Dale V. Georg
Technical Manager
Indus Consultancy Services
[EMAIL PROTECTED]
(201) 261-3100 x229
Re: [JBoss-user] Question on Security Role Mapping
See the security tutorial: http://www.jboss.org/documentation/HTML/ch11s78.html

- Original Message -
From: "Dale V. Georg" <[EMAIL PROTECTED]>
To: "jBoss mailing List" <[EMAIL PROTECTED]>
Sent: Friday, May 11, 2001 9:10 AM
Subject: [JBoss-user] Question on Security Role Mapping

> In my ejb-jar.xml, I define a number of security roles, for example:
>
> All users with read access to instance 1
> Instance1Reader
>
> In other application servers that I have worked with, this role-name is
> a "logical" role name, which in turn must be mapped to a "physical"
> principal in the app server specific xml. For example, in
> weblogic-ejb-jar.xml, I would specify:
>
> Instance1Reader
> guest
>
> However, unless I am missing something, it seems that jboss.xml does not
> provide an equivalent mapping, and that jBoss expects the role-name from
> the ejb-jar.xml file itself to be the actual principal name. Is this
> correct?
>
> Thanks,
> Dale