2.4. Role Mapping
Once the user has been authenticated against the KDC (this occurs through org.jboss.security.negotiation.spnego.SPNEGOLoginModule), the application server needs to obtain the user roles. The authentication can use either the org.jboss.security.auth.spi.UsersRolesLoginModule to obtain user roles from a roles.properties file or the org.jboss.security.negotiation.AdvancedLdapLoginModule to obtain user roles from an LDAP server.
2.4.1. Setting up Role Mapping with a Roles Properties File
To allow SPNEGO to obtain the roles of an authenticated user from a roles.properties file, do the following:
- In the application security domain, set the second login module of the SPNEGO authentication to
org.jboss.security.auth.spi.UsersRolesLoginModule
(refer to Example 2.2, “Application Security Domain”) and provide the module options. Refer to UsersRolesLoginModule in the Security Guide). - If the application security domain is defined in the
$JBOSS_HOME/server/$PROFILE/conf/login-config.xml
file, define the user roles in the$JBOSS_HOME/server/$PROFILE/conf/props/spnego-users.properties
file. Use the following pattern:fullyQualifiedUserName=comma-separatedListOfRoles
Example 2.3. roles.properties file
# A roles.properties file for use with the UsersRolesLoginModule darranl@KERBEROS.JBOSS.ORG=Users,Admins