How JBoss Portal roles are mapped to JAAS roles?


Environment

  • Red Hat JBoss Portal (JPP)
    • 6.x

Issue

How are JPP groups and memberships related to JAAS roles? For example, how will users belonging to the group /platform/administrators be mapped to a JAAS role, and how can we check that from a portlet?

Resolution

The Portlet 2.0 specification (JSR 286) describes the isUserInRole method under programmatic security in section PLT.24.3:

PLT.24.3 Programmatic Security

The isUserInRole method expects a string parameter with the role-name. A security-role-ref element must be declared by the portlet in the deployment descriptor with a role-name sub-element containing the role-name to be passed to the method. The security-role-ref element should contain a role-link sub-element whose value is the name of the application security role that the user may be mapped into. This mapping is specified in the web.xml deployment descriptor file. The container uses the mapping of security-role-ref to security-role when determining the return value of the call.

For example, to map the security role reference "FOO" to the security role with role-name "manager" the syntax would be:

   <portlet-app>
     ...
     <portlet>
        ...
        <security-role-ref>
          <role-name>FOO</role-name>
          <role-link>manager</role-link>
        </security-role-ref>
     </portlet>
     ...
   </portlet-app>

The role-name declared above is the one you pass when you programmatically call isUserInRole in the portlet application. The portlet role is linked to a security role declared in web.xml. The role declared in web.xml is the JEE role, which in JBoss's implementation is the JAAS role. JPP creates JAAS roles for users based on their group memberships.
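The following is an added example, not code from the original article or from JPP itself. It shows the complete chain for the group /platform/administrators asked about in the Issue: a JSR 286 portlet whose portlet.xml declares a portlet role (the name ADMIN is assumed for illustration) linked to the JEE role administrators, which web.xml declares as a security-role, and a doView() method that calls isUserInRole with the portlet role name. The class name RoleCheckPortlet is also an assumption.

```java
// Added example (not from the original article or JPP): a minimal JSR 286
// portlet that checks a mapped role from doView(). Assumed names: the portlet
// role "ADMIN", the JEE role "administrators" (as JPP derives it from the
// group /platform/administrators), and the class name RoleCheckPortlet.
//
// portlet.xml fragment (links the portlet role to the JEE role):
//   <security-role-ref>
//     <role-name>ADMIN</role-name>
//     <role-link>administrators</role-link>
//   </security-role-ref>
//
// web.xml fragment (declares the JEE role the role-link points at):
//   <security-role>
//     <role-name>administrators</role-name>
//   </security-role>

import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class RoleCheckPortlet extends GenericPortlet {

    // Pass the role-name from security-role-ref, NOT the role-link value.
    static final String PORTLET_ROLE = "ADMIN";

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // getRemoteUser() is null for anonymous (unauthenticated) users,
        // and isUserInRole() is always false for them.
        String user = request.getRemoteUser();
        if (user == null) {
            out.println("<p>Not logged in.</p>");
            return;
        }

        // The container resolves ADMIN -> administrators through the
        // role-link and then asks whether the JAAS subject holds that role.
        if (request.isUserInRole(PORTLET_ROLE)) {
            out.println("<p>" + escape(user) + " is a platform administrator.</p>");
        } else {
            out.println("<p>" + escape(user) + " is not a platform administrator.</p>");
        }
    }

    // Minimal HTML escaping so a user name cannot inject markup into the page.
    private static String escape(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;");
    }
}
```

If isUserInRole returns false for a user who is a member of /platform/administrators, check the three names in order: the string passed to the method must equal the role-name in security-role-ref, the role-link must equal a role-name in a web.xml security-role, and that JEE role must equal the role JPP derives from the group (administrators here).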

The FAQ entry on the wiki page, "Q3. When I try to login I get "HTTP Status 403" response", explains how JPP translates the user groups defined in the JPP configuration into JAAS roles.

Basically, JPP uses DefaultRolesExtractorImpl, which returns the root group name of each group the user belongs to, except for groups under the parent group configured with the user.role.parent.group service option (platform by default), for which it returns the child group name instead. For example, a user belonging to the groups /platform/users, /platform/administrators and /acme/roles/employees will have the following JEE roles: users, administrators and acme.
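The following is an added example that models the mapping rule just described; it is not the source of JPP's DefaultRolesExtractorImpl. It assumes group ids are written as absolute paths such as /platform/users, takes the parent group name as a parameter (defaulting to platform, the default of user.role.parent.group), and reproduces the three roles given in the example above. The class and method names are assumptions made for illustration.

```java
// Added example (not JPP's own code): a model of the group-to-role rule
// described in the article. For a group directly under the configured
// parent group (platform by default) the role is the child group name;
// for any other group the role is the root group name.

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class GroupRoleMapping {

    // Default value of the user.role.parent.group service option
    static final String DEFAULT_PARENT_GROUP = "platform";

    /** Returns the JEE/JAAS role name derived from one JPP group id. */
    static String roleForGroup(String groupId, String parentGroup) {
        // "/platform/administrators" -> ["platform", "administrators"]
        String[] parts = groupId.replaceFirst("^/", "").split("/");
        if (parts.length >= 2 && parts[0].equals(parentGroup)) {
            return parts[1];   // child of the configured parent group
        }
        return parts[0];       // otherwise the root group
    }

    /** Returns the distinct roles for all of a user's groups, in order. */
    static Set<String> rolesForGroups(List<String> groupIds, String parentGroup) {
        Set<String> roles = new LinkedHashSet<String>();
        for (String groupId : groupIds) {
            roles.add(roleForGroup(groupId, parentGroup));
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample: the three groups from the article's example
        List<String> groups = Arrays.asList(
                "/platform/users",
                "/platform/administrators",
                "/acme/roles/employees");
        System.out.println(rolesForGroups(groups, DEFAULT_PARENT_GROUP));
    }
}
```

Note the consequence for role design: every group tree outside the parent group collapses to a single role (acme for anything under /acme), so a web.xml security-role that expects a finer-grained name such as employees will never match unless the group is placed under the parent group or user.role.parent.group is changed.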

If a user is assigned both a JAAS role directly and a JPP group, the user holds both: the directly assigned JAAS role and the role mapped from the JPP group. Directly assigned JAAS roles and JPP groups have equal priority in JPP.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.