  1. Geronimo
  2. GERONIMO-4523

Security Realm based Group-Role Mapping


Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.2
    • security
    • Security Level: public (Regular issues)
    • None

    Description

      For secured applications you currently need a Geronimo-specific deployment plan which defines, among other things, a mapping of realm groups onto JEE roles. This goes against the spirit of EJB3, which replaces deployment descriptors with annotations.
      It would be desirable to be able to run a standard-conforming JEE application under container security without the need for Geronimo-specific deployment plans.
      But this raises the need for another means to specify Group-Role Mapping. I suggest that this can be specified at the security-realm level. A realm should be linked to a mapping (n:1 mapping, several realms should potentially use the same mapping). There should be a default identity mapping, if you have several thousands of users in LDAP.

      Mappings should be definable via console.


          People

            djencks David Jencks
            weberjn Jürgen Weber