users@glassfish.java.net

[gf-users] Re: need info on authorization

From: Nithya Ramakrishnan <nithya.subramanian_at_oracle.com>
Date: Thu, 07 Jul 2016 12:34:01 +0530

Having a custom realm extending the LdapRealm, where you override the
getGroups() method is an option in your case.
Default Principal to role mapping maps the role names defined in
web.xml to the principal names without a need for explicit mappings
(security-role-mapping). IIRC, this may apply to mapping the group
principals. You can check this link
<https://docs.oracle.com/cd/E18930_01/html/821-2418/beacr.html> for more
info.

HTH
Nithya
On 7/7/2016 9:50 AM, Mahantesh Prasad Katti wrote:
>
> Hi All,
>
> Currently this is how the authorization works in our application.
>
> 1. Uses JAAS
>
> 2. Uses LDAP realm.
>
> 3. Group memberships are on LDAP server. These are fetched post
> successful login.
>
> 4. We have a role-name --> group-name mapping specified in
> glass-fish-web.xml.
>
> I believe, this is how authorization fundamentally works in J2EE.
> However, currently there is a requirement where LDAP will not send
> back the group information. LDAP will only be used for authentication.
> In such a scenario, is it possible to delink the current mapping
> between LDAP groups and application roles? If not what are the options
> available? I know some that I can list.
>
> a. Define a custom LDAP realm.
>
> b. I also read something about "default principal to role mapping"
> feature. I was wondering if this helps at all assuming no group
> information is retrieved from LDAP?
>
> c. Is it possible at all to work without groups while using JAAS as the
> authentication scheme?
>
> Regards,
>
> Prasad
>
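The custom-realm option Nithya suggests, sketched as an added example (not code from the thread or from GlassFish itself): LDAP is used only to verify the password, and group membership is read from a local file the realm owns. It assumes the GlassFish class `com.sun.enterprise.security.auth.realm.ldap.LDAPRealm` and its `findAndBind(String, char[])` and `getGroupNames(String)` methods as the overridable hooks (the thread says `getGroups()`; these names are my recollection of the GlassFish 3.1/4 code base, not confirmed by the page), and the `group-file` realm property and its `user=group1,group2` format are constructed for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;

/** LDAP verifies the password only; groups come from a local user=group1,group2 file. */
public class LocalGroupsLdapRealm extends LDAPRealm {
    // Realm property naming the local user->groups file (constructed property name).
    private static final String GROUP_FILE = "group-file";
    private final Properties userGroups = new Properties();

    @Override
    public synchronized void init(Properties props) throws BadRealmException, NoSuchRealmException {
        super.init(props);   // directory, base-dn, jaas-context, ... are handled by LDAPRealm
        String path = props.getProperty(GROUP_FILE);
        if (path == null) throw new BadRealmException("realm property '" + GROUP_FILE + "' is required");
        try (FileInputStream in = new FileInputStream(path)) {
            userGroups.load(in);
        } catch (IOException e) {
            throw new BadRealmException("cannot read group file " + path);
        }
    }

    /** Called by the LDAP login module: super performs the bind, the directory's groups are discarded. */
    @Override
    public String[] findAndBind(String username, char[] password) throws LoginException {
        super.findAndBind(username, password);   // throws LoginException on bad credentials
        return groupsFor(username);              // only locally assigned groups reach the Subject
    }

    /** Users without a local entry get no groups, and therefore no roles (deny by default). */
    @Override
    public Enumeration<String> getGroupNames(String username) throws InvalidOperationException {
        return Collections.enumeration(Arrays.asList(groupsFor(username)));
    }

    private String[] groupsFor(String username) {
        String value = userGroups.getProperty(username, "").trim();
        return value.isEmpty() ? new String[0] : value.split("\\s*,\\s*");
    }
}
```

If the local group names are chosen to equal the role names in web.xml, enabling default principal-to-role mapping (the second option in the reply) removes the need for the security-role-mapping entries in glassfish-web.xml altogether.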