We work with JBoss and we have a jboss-web.xml configuration file in our application. It contains entries such as:
<security-role>
  <role-name>anz_beleg_detail</role-name>
  <principal-name>APP-UKVLEI_AENDERUNG</principal-name>
  <principal-name>APP-UKVLEI_AUSKUNFT</principal-name>
  <principal-name>APP-UKVLEI_EINGABE</principal-name>
  <principal-name>APP-UKVLEI_FREIGABE</principal-name>
</security-role>
What exactly is the principal-name? Where is it defined? Where is it specified which principal-name a logged-in user has?
In JBoss Application Server v5.0 and beyond, it is possible to map roles from the ones derived at the security domain level to include additional roles included in deployment (such as at the EAR level).
Mapping Provider: org.jboss.security.mapping.providers.DeploymentRolesMappingProvider
Configuration:
<application-policy name="some-sec-domain">
  <authentication>
    ...
  </authentication>
  <mapping>
    <mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider"
                    type="role"/>
  </mapping>
  ...
</application-policy>
Now you can have deployment level role mapping, as follows:
In jboss.xml or jboss-web.xml, you can have something like:
<assembly-descriptor>
  ...
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
  ...
</assembly-descriptor>
In normal cases, this is viewed as the addition of roles to a RunAsIdentity as described here.
If you include this mapping configuration element in your security domain configuration with the DeploymentRolesMappingProvider, you are essentially forcing an additional interpretation of roles to be added to a particular principal for this particular deployment (war, ear, ejb-jar etc).
Refer guide
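
When reviewing a deployment, it helps to invert the `<security-role>` entries and see which roles each principal-name is given. The script below is an added example, not part of the original question or answer; the function names are hypothetical, and the sample descriptor is constructed from the names shown above plus hypothetical `Admin` and `Auditor` roles.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed descriptor: the two <security-role> entries shown above plus
# hypothetical "Admin" and "Auditor" roles added for illustration.
SAMPLE_DESCRIPTOR = """
<jboss-web>
  <security-role>
    <role-name>anz_beleg_detail</role-name>
    <principal-name>APP-UKVLEI_AENDERUNG</principal-name>
    <principal-name>APP-UKVLEI_AUSKUNFT</principal-name>
  </security-role>
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
    <principal-name>Mark</principal-name>
  </security-role>
  <security-role><role-name>Auditor</role-name></security-role>
</jboss-web>
"""

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}security-role".
    return tag.rsplit("}", 1)[-1]

def role_grants(xml_text):
    """Return ({principal-name: {role-name, ...}}, [roles with no principal])."""
    grants, unmapped = defaultdict(set), []
    for el in ET.fromstring(xml_text.strip()).iter():
        if _local(el.tag) != "security-role":
            continue
        fields = [(_local(c.tag), (c.text or "").strip()) for c in el]
        roles = [v for k, v in fields if k == "role-name" and v]
        principals = [v for k, v in fields if k == "principal-name" and v]
        for role in roles:
            if not principals:
                unmapped.append(role)
            for principal in principals:
                grants[principal].add(role)
    return dict(grants), unmapped

if __name__ == "__main__":
    grants, unmapped = role_grants(SAMPLE_DESCRIPTOR)
    for principal in sorted(grants):
        print(f"{principal}: {', '.join(sorted(grants[principal]))}")
    print("roles without principal-name:", unmapped)
```

The output lists only what the descriptor declares; what a user ends up with at runtime also depends on the security domain configuration.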