As I've stated, our customers have runtime control over users, groups and the roles assigned to them. Our software is embedded at many different remote sites, owned by different customers. Each site has its own unique groups with different privileges. I find it hard to believe that I'm the only user who needs to change the roles for a Principal at runtime. I'm looking for a solution with minimal impact and I must keep the customer facing part of this application completely intact.
I don't know how the default-principal-to-role-mapping gets the list of groups it creates roles for. If it only happens at initial deployment before ServletContextListeners are triggered, then this would be an issue. I can also envision install issues should one of our modules fail to deploy properly. I get the general feeling that this one-to-one mapping of a group to a role is a workaround, not desired behavior, and that this particular server property is a hack, designed to facilitate somewhat simpler migrations from other application servers. I think there are a few issues that would prevent me from using it this way.
The way I see it the options I have are:
[1] Create the sun-web.xml with the one-to-one group to role mappings, point the group-table at my user_role view and ignore my actual groups in the Realm configuration. This seems inefficient but possibly workable. Is it more burden on the security manager to check a list of 50 Principals for a single role than to check just one pair of user and group Principals for it, with the group having 50 roles? On some complex pages there could be 20 calls to HttpServletRequest.isUserInRole().
[2] I really want to override the RoleMapper somehow through configuration. I'm trying to determine if this is possible without having to modify the source and recompile Glassfish itself. I doubt I could get the green light from my supervisors to deploy to production like this. It seems to me that there should be three parts to a custom realm implementation: Realm, LoginModule and RoleMapper. I already need to create my own AppsrvRealm to tweak a couple of things (and I was disappointed to discover that com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm is marked "public final").
[3] I could just migrate away from container managed security using some third party framework, but this is definitely not minimal impact.
I just don't understand this implementation. The appserv-rt.jar contains org.apache.catalina.realm.JDBCRealm but I'm not able to use it, because I need an AppsrvRealm derived class. Catalina realms understand roles, AppsrvReamls understand groups ... at first this seemed like a real win for the AppsrvRealm, but not having a way to map roles to the users/groups in the database is a big downfall. It would be really cool to have this ability.
Thanks,
--pw
[Message sent by forum member 'pwardrip' (pwardrip)]
http://forums.java.net/jive/thread.jspa?messageID=321129