eclipse-ee4j / glassfish

Eclipse GlassFish
https://eclipse-ee4j.github.io/glassfish/

Administrator needs to know declared roles #7085

Closed glassfishrobot closed 4 years ago

glassfishrobot commented 15 years ago

Using @DeclareRoles, @RolesAllowed etc. a programmer can declare the logical roles he invented and which must be mapped to physical user groups at deployment by the server administrator or deployer.

There are two problems:

glassfishrobot commented 6 years ago
glassfishrobot commented 13 years ago

@glassfishrobot Commented mkarg said: Not even a single comment in over two years? Does not feel like GF team likes to get ideas like this one from ISVs. ;-(

glassfishrobot commented 13 years ago

@glassfishrobot Commented @vbkumarjayanti said: Sorry for inaction on this. If we have to start anything in this direction there is lots of work to be done and it has to become part of a major release. However the focus of major releases in the recent past has been JavaEE6 and then Clustering.

The GlassFish Engineering is well aware of this limitation and it often comes up as a potential task item, but it has somehow not made it to any release yet.

That said, GlassFish does allow Pluggability of RoleMapper OOTB (to address your point 2) via the In Memory JACC Provider. Please see:

http://blogs.oracle.com/monzillo/entry/prelude_includes_portable_in_memory

http://blogs.oracle.com/monzillo/entry/how_to_configure_an_alternative

The default RoleMapper implementation in the InMemory JACC Provider simply makes use of the mappings in sun-*.xml. However you can write your own that does support a more dynamic way of obtaining the role to group mappings.

As part of our JavaOne 2010 session on GlassFish 3.1 Security we demonstrated a more dynamic impl of this RoleMapper where it would allow changing the role to group mapping without requiring a restart. However we have not found time to put out that code in the public somewhere.

You can also write your own JACC Provider where you can possibly use a completely different interface/mechanism to manage the Role to Group Mappings.

GlassFish also has OOTB the Default P2R feature where the same named Role is mapped to Same Named Group automatically (without requiring explicit listing of G2R in sun*.xml). This can address both 1 and 2 (to an extent).
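Added example, not part of the thread and not GlassFish code: a descriptor audit a deployer could run to list the roles an application declares, the groups `sun-web.xml` maps them to, and the roles left to same-named-group mapping. It assumes roles are declared in `web.xml` as `<security-role>` entries, so roles declared only through `@DeclareRoles` are not seen; the sample descriptors and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from any real application).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>operator</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>wheel</group-name>
    <principal-name>root</principal-name>
  </security-role-mapping>
  <security-role-mapping><role-name>legacy</role-name><group-name>staff</group-name></security-role-mapping>
</sun-web-app>"""

def _local(tag):
    """Strip the XML namespace so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Stripped text of the direct children of `elem` called `name`."""
    return {(c.text or "").strip() for c in elem if _local(c.tag) == name}

def declared_roles(web_xml):
    """Logical roles declared through <security-role> in the standard descriptor."""
    roles = set()
    for e in ET.fromstring(web_xml).iter():
        if _local(e.tag) == "security-role":
            roles |= _texts(e, "role-name")
    return roles

def role_mappings(sun_xml):
    """role -> groups and principals, from <security-role-mapping> entries."""
    out = {}
    for e in ET.fromstring(sun_xml).iter():
        if _local(e.tag) == "security-role-mapping":
            for role in _texts(e, "role-name"):
                entry = out.setdefault(role, {"groups": set(), "principals": set()})
                entry["groups"] |= _texts(e, "group-name")
                entry["principals"] |= _texts(e, "principal-name")
    return out

def audit(web_xml, sun_xml):
    declared, mapped = declared_roles(web_xml), role_mappings(sun_xml)
    return {"unmapped": sorted(declared - set(mapped)),  # left to same-named groups, if enabled
            "stale": sorted(set(mapped) - declared),     # mapped but never declared
            "mapped": {r: sorted(mapped[r]["groups"]) for r in sorted(declared & set(mapped))}}
```

On the sample input, `audit(WEB_XML, SUN_WEB_XML)` reports `auditor` and `operator` as unmapped and `legacy` as a stale mapping.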

glassfishrobot commented 15 years ago

@glassfishrobot Commented Was assigned to jefftancill

glassfishrobot commented 7 years ago

@glassfishrobot Commented This issue was imported from java.net JIRA GLASSFISH-7085

glassfishrobot commented 15 years ago

@glassfishrobot Commented Reported by mkarg

github-actions[bot] commented 4 years ago

This issue has been marked as inactive and old and will be closed in 7 days if there is no further activity. If you want the issue to remain open, please add a comment.