ActiveMQ Classic / AMQ-3065

Security: LDAPLoginModule: Support 'roleNameAlias' attribute for adding a GroupPrincipal to the Subject with the aliased role name


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Abandoned
    • Affects Version/s: 5.3.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Patch Info: Patch Available

    Description

      Use Case:

      A web application in the container requires authorization with the role name 'Admin'. The application team decides that the rule for authorization is 'Any authenticated user who is a member of AD group "AllAuthorizedUsers"'. There is no AD group with the name "Admin" (the name enforced by the WebApp in the container). The requirement is to enforce this security constraint without having to modify the WebApp web.xml (changing the role-name from 'Admin' to 'AllAuthorizedUsers').

      Enhancement Request:

      Support a roleNameAlias option for the LDAPLoginModule which looks up the aliased role name among the roles fetched for the user and associates another GroupPrincipal (with the new alias name) with the Subject.
      In the use case described above, an example roleNameAlias value would be 'AllAuthorizedUsers=Admin'.

      Sample JAAS configuration:

      TestLogin {
          org.apache.activemq.jaas.LDAPLoginModule required
              debug=false
              initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
              connectionURL="ldap://somehost:389"
              connectionUsername="uid=generic.gen,OU=Generics,O=something"
              connectionPassword="generic123"
              connectionProtocol=""
              authentication=simple
              userBase="OU=Users,O=something"
              userSearchMatching="(uid={0})"
              userSearchSubtree=true
              userRoleName="memberOf"
              roleName="CN"
              roleBase="OU=Groups,O=something"
              roleSearchMatching="member={0}"
              roleSearchSubtree=true
              roleNameAlias="somegroupname=admin,someothergroupname=manager"
              ;
      };
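The following is an added, self-contained sketch of the alias mechanism the request describes; it is not the attached patch and not ActiveMQ code. It assumes a name-only stand-in for org.apache.activemq.jaas.GroupPrincipal and hypothetical helper names (parseRoleNameAlias, aliasedPrincipals, populate). It parses a roleNameAlias value in the "ldapGroup=alias,..." form shown in the sample configuration, then adds an extra GroupPrincipal only when the user's fetched roles actually contain the aliased LDAP group. The constructed sample user is a member of AllAuthorizedUsers and Staff.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;

/** Stand-in for org.apache.activemq.jaas.GroupPrincipal (assumption: a plain name-only Principal). */
final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "GroupPrincipal[" + name + "]"; }
}

public final class RoleNameAliasDemo {

    /** Parse "ldapGroup=alias,ldapGroup2=alias2" into an ordered map. Malformed entries are
     *  rejected rather than skipped, so a typo cannot silently drop an intended mapping. */
    static Map<String, String> parseRoleNameAlias(String option) {
        Map<String, String> aliases = new LinkedHashMap<>();
        if (option == null || option.trim().isEmpty()) {
            return aliases;
        }
        for (String entry : option.split(",")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new IllegalArgumentException("malformed roleNameAlias entry: '" + entry + "'");
            }
            aliases.put(kv[0].trim(), kv[1].trim());
        }
        return aliases;
    }

    /** For every alias whose LDAP group name is among the roles fetched for the user, produce the
     *  extra GroupPrincipal. Matching is exact and case-sensitive, like a roleName="CN" value. */
    static Set<Principal> aliasedPrincipals(Set<String> fetchedRoles, Map<String, String> aliases) {
        Set<Principal> extra = new LinkedHashSet<>();
        for (Map.Entry<String, String> e : aliases.entrySet()) {
            if (fetchedRoles.contains(e.getKey())) {
                extra.add(new GroupPrincipal(e.getValue()));
            }
        }
        return extra;
    }

    /** Simulate the commit step of a login module: the fetched roles first, then the aliases. */
    static Subject populate(Subject subject, Set<String> fetchedRoles, String roleNameAliasOption) {
        for (String role : fetchedRoles) {
            subject.getPrincipals().add(new GroupPrincipal(role));
        }
        subject.getPrincipals().addAll(
            aliasedPrincipals(fetchedRoles, parseRoleNameAlias(roleNameAliasOption)));
        return subject;
    }

    public static void main(String[] args) {
        // Constructed sample: roles as the module would have fetched them from LDAP for one user.
        Set<String> fetched = new LinkedHashSet<>(List.of("AllAuthorizedUsers", "Staff"));
        Subject subject = populate(new Subject(), fetched, "AllAuthorizedUsers=Admin,Operators=manager");
        // Admin is granted through the alias; manager is not, because the user is not in Operators.
        for (Principal p : subject.getPrincipals()) {
            System.out.println(p.getName());
        }
    }
}
```

Compile and run with `javac RoleNameAliasDemo.java && java RoleNameAliasDemo`. Two points worth keeping in mind when reviewing such a feature: the alias is additive and one-way (membership of the alias name never implies membership of the LDAP group), and if an alias target is also the name of a real LDAP group, membership of either group would grant that principal, so the alias names should be role names that do not exist in the directory, exactly as in the use case above where no "Admin" group exists in AD.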

People

    • Assignee: Unassigned
    • Reporter: Amit Kumar (allahamit)
    • Votes: 1
    • Watchers: 3
