JBoss.orgCommunity Documentation
In JBoss AS 6, it is possible to map additional roles at the deployment level from those derived at the security domain level (such as at the EAR level). This is achieved by declaring the org.jboss.security.mapping.providers.DeploymentRolesMappingProvider class as the value for the class attribute in the <mapping-module> element. Additionally, the type attribute must be set to role.
By configuring the mapping configuration element within the role-based parameter, you can force additional role interpretation to the declared principals specified for the particular deployment (war, ear, ejb-jar etc).
In previous versions, the <rolemapping> element contained the <mapping-module> element and class declaration. <rolemapping> has now been deprecated, and replaced with the <mapping> element.
Example 9.1. <mapping-module> declaration
<application-policy name="some-sec-domain">
<authentication>
...
</authentication>
<mapping>
<mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider"
type="role"/>
</mapping>
...
</application-policy>
Once the security domain is configured correctly, you can append the <security-role> element group as a child element of the <assembly-descriptor> to the jboss.xml, or jboss-web.xml files.
Example 9.2. <security-role> declaration
<assembly-descriptor>
...
<security-role>
<role-name>Support</role-name>
<principal-name>Mark</principal-name>
<principal-name>Tom</principal-name>
</security-role>
...
</assembly-descriptor>
In Example 9.2, “<security-role> declaration”, a security role relating to Support principals is implemented in addition to the base security role information contained in jboss.xml or jboss-web.xml.