1 Reply Latest reply: Oct 21, 2005 4:44 PM by Scott Stark

Role mapping

Chris Miles Newbie

Hello,

I'm currently migrating our application from WebLogic and WebSphere to JBoss 4.0.3 and had a question about role mappings in the web.xml file.

I've searched everywhere and the only place I see something mentioned about this is in the WebLogic migration wiki, but I wanted some confirmation here.

In our web.xml we set up an auth constraint on a URL pattern as such:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>blah</web-resource-name>
    <url-pattern>*.lsw</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>twuser</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>twuser</role-name>
</security-role>

For WebLogic, in the weblogic.xml we could map the role twuser to some physical role in our security provider as such:

<security-role-assignment>
  <role-name>twuser</role-name>
  <principal-name>users</principal-name>
</security-role-assignment>

What this did was cause any authenticated user (a member of the WebLogic role users) to have access to our web app.

For WebSphere we could map the role twuser to all authenticated users via the admin console.

Now for JBoss I cannot find any doc on how you can perform role mapping. The migration to WebLogic wiki does mention something about it by stating:

"In JBoss the role names must be exactly the same as the LDAP names. So change all of them in web.xml (and code too perhaps?) to be the LDAP ones."

So is this correct in that the roles specified in the web.xml have to actually exist in the security provider? So no role mapping exists?

The other question I have related to this is: is there an equivalent thing that allows you to map authenticated users to some role? What we want is for any authenticated user to have access to our web app, no matter what roles they belong to. Currently, with the auth-constraint being set to role twuser, you MUST be a member of this role before you get access to the web app. For WebLogic and WebSphere we could map this role to all authenticated users, so therefore you didn't have to manually make a user a member, as they were automatically made one once they were authenticated.

Thanks

  • 1. Re: Role mapping
    Scott Stark Master

    Role mapping is done by the JAAS login module doing the authentication. We don't provide any static role mapping functionality currently, so you would just add it by either extending an existing login module or stacking a role mapping login module with the JBoss one.
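
One way to build the stacked role-mapping module the reply describes, as an added example that is not from the thread or from JBoss's own code: it adds a fixed role to the "Roles" group of every subject the stack authenticates. The class name and the `mappedRole` option are hypothetical; it assumes the JBoss `org.jboss.security` classes on the classpath and a JDK that still ships `java.security.acl.Group`.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class AuthenticatedRoleLoginModule implements LoginModule {
    private Subject subject;
    private String role;        // from the hypothetical module option "mappedRole"
    private Principal granted;  // set only if commit() actually added the role

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        Object opt = options.get("mappedRole");
        this.role = (opt != null) ? opt.toString() : "twuser";
    }

    // Authenticates nobody itself: it must follow a "required" authenticating
    // module and must never be the only module or be flagged "sufficient".
    public boolean login() { return true; }

    // JAAS calls commit() only after the stack as a whole has succeeded.
    public boolean commit() {
        Group roles = findRoles();
        if (roles == null) {
            roles = new SimpleGroup("Roles");
            subject.getPrincipals().add(roles);
        }
        Principal p = new SimplePrincipal(role);
        granted = roles.addMember(p) ? p : null; // null if the user already had it
        return true;
    }

    public boolean abort() { granted = null; return true; }

    public boolean logout() {
        Group roles = findRoles();
        if (roles != null && granted != null) roles.removeMember(granted);
        granted = null;
        return true;
    }

    // JBossSX reads role names from the Subject's Group principal named "Roles".
    private Group findRoles() {
        for (Group g : subject.getPrincipals(Group.class))
            if ("Roles".equals(g.getName())) return g;
        return null;
    }
}
```

In login-config.xml, list it after the authenticating module in the same application-policy with both flagged required, so that a failed authentication fails the whole stack and commit() never runs.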