2.4. Role Mapping
Once the user has been authenticated against the KDC (this occurs through org.jboss.security.negotiation.spnego.SPNEGOLoginModule), the application server needs to obtain the user roles. The authentication can use either the org.jboss.security.auth.spi.UsersRolesLoginModule to obtain user roles from a roles.properties file or the org.jboss.security.negotiation.AdvancedLdapLoginModule to obtain user roles from an LDAP server.
2.4.1. Setting up Role Mapping with a Roles Properties File
To allow SPNEGO to obtain the roles of an authenticated user from a roles.properties file, do the following:
- In the application security domain, set the second login module of the SPNEGO authentication to
org.jboss.security.auth.spi.UsersRolesLoginModule(refer to Example 2.2, “Application Security Domain”) and provide the module options. Refer to UsersRolesLoginModule in the Security Guide). - If the application security domain is defined in the
$JBOSS_HOME/server/$PROFILE/conf/login-config.xmlfile, define the user roles in the$JBOSS_HOME/server/$PROFILE/conf/props/spnego-users.propertiesfile. Use the following pattern:fullyQualifiedUserName=comma-separatedListOfRolesExample 2.3. roles.properties file
# A roles.properties file for use with the UsersRolesLoginModule darranl@KERBEROS.JBOSS.ORG=Users,Admins
