Role Mapping & J2EE Security


The discussion of J2EE Security on the JBoss Application Server continues as  Role Mapping is introduced.

By default, a J2EE Role will be assumed to map directly to an LDAP Group of the same name, if LDAP is the User Repository.  It is desirable to create a layer of abstraction between these two groups of data.  Generally, these two data sets will be managed by separate groups.

With JBoss, it is possible to have a JAAS Login Module perform Role Mapping.  This makes it the responsibility of the J2EE Administrator to define this mapping.

RoleMappingLoginModule JAAS Login Module Configuration

The RoleMappingLoginModule can be applied to the Login Module chain used by the web application. This will allow the J2EE Roles to be mapped to LDAP groups via entries in a flat file.
The new configuration stanza in login-config.xml now looks like:

<application-policy name="subject">
code="" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
<module-option name="">simple</module-option>
<module-option name="bindDN">cn=Manager,dc=thinkmiddleware,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="rolesCtxDN">ou=Groups,dc=thinkmiddleware,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="baseCtxDN">ou=Users,dc=thinkmiddleware,dc=com</module-option>
<module-option name="baseFilter">(cn={0})</module-option>
<login-module code="" flag="required">
<module-option name="rolesProperties">subject/</module-option>


Notice, this Login Module is also set to required. If a corresponding entry for a J2EE Role is not found in, authentication will fail.
The module has a single configuration property: rolesProperties. This points at a flat file containing the Role to Group mappings.


The configuration of the new login module defines a flat file where J2EE Roles defined in application deployment descriptors can be mapped to LDAP groups in Openldap.
In this example, the $SERVER_HOME/conf/subject/ file contains the following:


So, the LDAP Group, Group1, maps to the J2EE Role, Role1.

If a configuration entry isn’t present for a given J2EE Role or this Login Module were not used, the J2EE Roles would map to LDAP Groups.