Closed glassfishrobot closed 4 years ago
@glassfishrobot Commented mkarg said: Not even a single comment in over two years? Does not feel like GF team likes to get ideas like this one from ISVs. ;-(
@glassfishrobot Commented @vbkumarjayanti said: Sorry for inaction on this. If we have to start anything in this direction there is lots of work to be done and it has to become part of a major release. However the focus of major releases in the recent past has been JavaEE6 and then Clustering.
The GlassFish Engineering is well aware of this limitation and it often comes up as a potential task item, but it has somehow not made it to any release yet.
That said, GlassFish does allow Pluggability of RoleMapper OOTB (to address your point 2) via the In Memory JACC Provider. Please see:
http://blogs.oracle.com/monzillo/entry/prelude_includes_portable_in_memory
http://blogs.oracle.com/monzillo/entry/how_to_configure_an_alternative
The default RoleMapper implementation in the InMemory JACC Provider simply makes use of the mappings in sun-*.xml. However you can write your own that does support a more dynamic way of obtaining the role to group mappings.
As part of our JavaOne 2010 session on GlassFish 3.1 Security we demonstrated a more dynamic impl of this RoleMapper where it would allow changing the role to group mapping without requiring a restart. However we have not found time to put out that code in the public somewhere.
You can also write your own JACC Provider where you can possibly use a completely different interface/mechanism to manage the Role to Group Mappings.
GlassFish also has OOTB the Default P2R feature where the same named Role is mapped to Same Named Group automatically (without requiring explicit listing of G2R in sun*.xml). This can address both 1 and 2 (to an extent).
@glassfishrobot Commented Was assigned to jefftancill
@glassfishrobot Commented This issue was imported from java.net JIRA GLASSFISH-7085
@glassfishrobot Commented Reported by mkarg
This issue has been marked as inactive and old and will be closed in 7 days if there is no further activity. If you want the issue to remain open, please add a comment.
Using @DeclareRoles, @RolesAllowed etc. a programmer can declare the logical roles he invented and which must be mapped to physical user groups at deployment by the server administrator or deployer.
There are two problems:
1. The administrator or deployer does not have insight into the source code, so the installer tool must tell him the declared roles. Otherwise he just doesn't know them. GlassFish currently has no such tool, so how should the deployer know what roles do exist?
2. From time to time it happens that the mapping from roles to groups will change due to business reorganization. The administrator then must change the sun-*.xml file that contains the mapping, and redeploy the administration. This is not nice, since it implies a pause in the availability of the application. It would be better if no redeploy would be needed and the mapping from roles to groups could just be configured using a live GUI.
Environment
Operating System: All
Platform: All
Affected Versions
[9.1peur2]
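
An added example, not part of the original issue and not GlassFish code, illustrating problem 1 above: a reflection-based report that lists the roles named in @DeclareRoles and @RolesAllowed and prints a security-role-mapping skeleton for the deployer to complete. The names DeclaredRolesReport, OrderService, GROUP-TO-ASSIGN and the sample roles are hypothetical; it assumes the javax.annotation.security API is on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

public class DeclaredRolesReport {
    // Constructed sample component standing in for a deployed application class.
    @DeclareRoles({"auditor"})
    @RolesAllowed("manager")
    static class OrderService {
        @RolesAllowed({"manager", "clerk"})
        public void approve() { }
        public void list() { }
    }

    // Collect every role named at class level or on a declared method.
    static Set<String> declaredRoles(Class<?>... classes) {
        Set<String> roles = new TreeSet<>();
        for (Class<?> c : classes) {
            DeclareRoles declared = c.getAnnotation(DeclareRoles.class);
            if (declared != null) roles.addAll(Arrays.asList(declared.value()));
            RolesAllowed onClass = c.getAnnotation(RolesAllowed.class);
            if (onClass != null) roles.addAll(Arrays.asList(onClass.value()));
            for (Method m : c.getDeclaredMethods()) {
                RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
                if (onMethod != null) roles.addAll(Arrays.asList(onMethod.value()));
            }
        }
        return roles;
    }

    // One security-role-mapping element per role; the group is a placeholder for the deployer.
    static String mappingSkeleton(Set<String> roles) {
        StringBuilder xml = new StringBuilder();
        for (String role : roles) {
            xml.append("<security-role-mapping>\n")
               .append("  <role-name>").append(role).append("</role-name>\n")
               .append("  <group-name>GROUP-TO-ASSIGN</group-name>\n")
               .append("</security-role-mapping>\n");
        }
        return xml.toString();
    }

    public static void main(String[] args) {
        System.out.print(mappingSkeleton(declaredRoles(OrderService.class)));
    }
}
```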