12.3. Included Security Mapping Modules
Code | Class |
---|---|
PropertiesRoles | org.jboss.security.mapping.providers.role.PropertiesRolesMappingProvider |
SimpleRoles | org.jboss.security.mapping.providers.role.SimpleRolesMappingProvider |
DeploymentRoles | org.jboss.security.mapping.providers.DeploymentRolesMappingProvider |
DatabaseRoles | org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider |
LdapRoles | org.jboss.security.mapping.providers.role.LdapRolesMappingProvider |
LdapAttributes | org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider |
A Role Mapping Module that takes into consideration a principal to roles mapping that can be done in the `jboss-web.xml` and `jboss-app.xml` deployment descriptors.
Example 12.1. Example

```xml
<jboss-web>
  ...
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
  ...
</jboss-web>
```
A Role to Roles Mapping Module that takes into consideration a principal to roles mapping that can be done in the deployment descriptors `jboss-web.xml` and `jboss-app.xml`. In this case, `principal-name` denotes a role that is mapped to other roles.
Example 12.2. Example

```xml
<jboss-web>
  ...
  <security-role>
    <role-name>Employee</role-name>
    <principal-name>Support</principal-name>
    <principal-name>Sales</principal-name>
  </security-role>
  ...
</jboss-web>
```
Role Mapping Provider that picks up the roles from the options and then appends them to the passed Group. Takes a properties-style mapping of a role name (key) to a comma-separated list of roles (value).
A principal mapping provider that takes in a SimplePrincipal and converts it into a SimplePrincipal with a different principal name.
A MappingProvider that reads roles from a database.

- `dsJndiName`: JNDI name of the data source used to map roles to the user.
- `rolesQuery`: This option should be a prepared statement equivalent to "select RoleName from Roles where User=?". The ? is substituted with the current principal name.
- `suspendResume`: Boolean. Whether to suspend and later resume the transaction associated with the current thread while performing the search for roles.
- `transactionManagerJndiName`: JNDI name of the Transaction manager (default is java:/TransactionManager).
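An added example, not from the original documentation, of wiring the DatabaseRoles provider into a security domain in the security-subsystem style of configuration; the domain name, the data source JNDI name, the Roles table layout and the paired Database login module are assumptions:

```xml
<!-- Added example, not from the original documentation. The security-domain name,
     the data source JNDI name and the paired Database login module are assumptions. -->
<security-domain name="app-db-roles" cache-type="default">
  <authentication>
    <!-- Establishes the principal; the mapping below only supplies its roles. -->
    <login-module code="Database" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/AppDS"/>
      <module-option name="principalsQuery" value="select Password from Principals where PrincipalID=?"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="DatabaseRoles" type="role">
      <module-option name="dsJndiName" value="java:jboss/datasources/AppDS"/>
      <!-- The single ? is bound as a prepared-statement parameter with the current
           principal name, so the name is never concatenated into the SQL text. -->
      <module-option name="rolesQuery" value="select RoleName from Roles where User=?"/>
      <!-- Suspend a caller's transaction while the role lookup runs and resume it afterwards. -->
      <module-option name="suspendResume" value="true"/>
      <module-option name="transactionManagerJndiName" value="java:/TransactionManager"/>
    </mapping-module>
  </mapping>
</security-domain>
```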
A mapping provider that assigns roles to a user using an LDAP server to search for the roles.

- `bindDN`: The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the `baseCtxDN` and `rolesCtxDN` values.
- `bindCredential`: The password for the `bindDN`. This can be encrypted if the `jaasSecurityDomain` is specified.
- `rolesCtxDN`: The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
- `roleAttributeID`: The LDAP attribute which contains the names of authorization roles.
- `roleAttributeIsDN`: Whether or not the `roleAttributeID` contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the `roleNameAttributeID` attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to `true`.
- `roleNameAttributeID`: Name of the attribute within the `rolesCtxDN` context which contains the role name. If the `roleAttributeIsDN` property is set to `true`, this property is used to find the role object's name attribute.
- `parseRoleNameFromDN`: A flag indicating if the DN returned by a query contains the `roleNameAttributeID`. If set to `true`, the DN is checked for the `roleNameAttributeID`. If set to `false`, the DN is not checked for the `roleNameAttributeID`. This flag can improve the performance of LDAP queries.
- `roleFilter`: A search filter used to locate the roles associated with the authenticated user. The input username or `userDN` obtained from the login module callback is substituted into the filter anywhere a `{0}` expression is used. The authenticated `userDN` is substituted into the filter anywhere a `{1}` is used. An example search filter that matches on the input username is `(member={0})`. An alternative that matches on the authenticated `userDN` is `(member={1})`.
- `roleRecursion`: The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to `0`.
- `searchTimeLimit`: The timeout in milliseconds for the user/role searches. Defaults to 10000 (10 seconds).
- `searchScope`: The search scope to use.
A MappingProvider that reads roles from a properties file in the following format: `username=role1,role2,...`

- `rolesProperties`: Properties-formatted file name. Expansion of JBoss variables can be used in the form `${jboss.variable}`.
A simple MappingProvider that reads roles from the options map. The option attribute name is the name of principal to assign roles to and the attribute value is the comma separated role names to assign to the principal.
Example 12.3. Example

```xml
<module-option name="JavaDuke" value="JBossAdmin,Admin"/>
<module-option name="joe" value="Users"/>
```
Locates the principal name from the mapping context, creates an e-mail address attribute from the module option named `principalName + ".email"`, and maps it to the given principal.
Maps attributes from LDAP to the subject. The options include whatever options your LDAP JNDI provider supports.
Example 12.4. Examples of standard property names include:

```java
Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
Context.SECURITY_PROTOCOL = "java.naming.security.protocol"
Context.PROVIDER_URL = "java.naming.provider.url"
Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"
```
- `bindDN`: The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the `baseCtxDN` and `rolesCtxDN` values.
- `bindCredential`: The password for the `bindDN`. This can be encrypted if the `jaasSecurityDomain` is specified.
- `baseCtxDN`: The fixed DN of the context to start the user search from.
- `baseFilter`: A search filter used to locate the context of the user to authenticate. The input username or `userDN` as obtained from the login module callback is substituted into the filter anywhere a `{0}` expression is used. This substitution behavior comes from the standard `DirContext.search(Name, String, Object[], SearchControls cons)` method. A common example search filter is `(uid={0})`.
- `searchTimeLimit`: The timeout in milliseconds for the user/role searches. Defaults to 10000 (10 seconds).
- `attributeList`: A comma-separated list of attributes for the user. For example, `mail,cn,sn,employeeType,employeeNumber`.
- `jaasSecurityDomain`: The JaasSecurityDomain to use to decrypt the `java.naming.security.principal`. The encrypted form of the password is that returned by the `JaasSecurityDomain#encrypt64(byte[])` method. The `org.jboss.security.plugins.PBEUtils` can also be used to generate the encrypted form.
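An added example, not from the original documentation, that combines the LdapRoles options described above with the LdapAttributes options in one security domain: roles are resolved from the user entry's group DNs (the `roleAttributeIsDN`/`roleNameAttributeID`/`parseRoleNameFromDN` case), and selected user attributes are copied onto the subject. The domain name, the `dc=example,dc=com` layout, the service bind account, a directory that exposes `memberOf` on user entries, and the authentication block being configured elsewhere are all assumptions.

```xml
<!-- Added example, not from the original documentation. Domain name, directory
     layout, bind account and the memberOf attribute on user entries are assumptions. -->
<security-domain name="app-ldap" cache-type="default">
  <!-- <authentication> with the login module that establishes the principal is
       assumed to be configured here and is omitted for brevity. -->
  <mapping>
    <!-- Role mapping: read group DNs from the user entry, then take each group's cn as the role. -->
    <mapping-module code="LdapRoles" type="role">
      <module-option name="java.naming.provider.url" value="ldap://ldap.example.com:389/"/>
      <module-option name="bindDN" value="cn=svc-jboss,ou=services,dc=example,dc=com"/>
      <!-- Placeholder value; the documentation notes this can be encrypted when jaasSecurityDomain is set. -->
      <module-option name="bindCredential" value="CHANGE_ME"/>
      <!-- Where the objects carrying the roles live (the user accounts), not where the groups live. -->
      <module-option name="rolesCtxDN" value="ou=people,dc=example,dc=com"/>
      <!-- {0} is the username from the login callback; {1} would be the authenticated userDN. -->
      <module-option name="roleFilter" value="(uid={0})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <!-- memberOf holds full group DNs, so resolve the role name via roleNameAttributeID. -->
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <!-- Read the cn straight from the group DN instead of querying each group entry. -->
      <module-option name="parseRoleNameFromDN" value="true"/>
      <module-option name="roleRecursion" value="0"/>
      <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
      <module-option name="searchTimeLimit" value="10000"/>
    </mapping-module>
    <!-- Attribute mapping: copy the listed user attributes onto the subject. -->
    <mapping-module code="LdapAttributes" type="attribute">
      <module-option name="java.naming.provider.url" value="ldap://ldap.example.com:389/"/>
      <module-option name="bindDN" value="cn=svc-jboss,ou=services,dc=example,dc=com"/>
      <module-option name="bindCredential" value="CHANGE_ME"/>
      <module-option name="baseCtxDN" value="ou=people,dc=example,dc=com"/>
      <!-- {0} is substituted via DirContext.search filter arguments, not string concatenation. -->
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="attributeList" value="mail,cn,sn,employeeType,employeeNumber"/>
      <module-option name="searchTimeLimit" value="10000"/>
    </mapping-module>
  </mapping>
</security-domain>
```

The bind account only needs read and search rights on `ou=people` here, since the group names are parsed from the DNs rather than fetched from the group entries.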