geronimo-dev mailing list archives

From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: Security providers
Date Wed, 18 Aug 2004 12:24:30 GMT
> -----Original Message-----
> From: David Blevins [mailto:david.blevins@visi.com]
> Sent: Monday, August 16, 2004 7:55 PM
> To: dev@geronimo.apache.org
> Subject: Security providers
> 
> Is the security stuff hooked up by default?  If not, what does it take
> to get a Provider plugged in?  Or how do you change from one to the
> other?
> 
> -David

The security stuff is set up in the configuration plan
org/apache/geronimo/Server, but you may not find a useful security realm
configured.  Walking through the GBean names, I will briefly explain
what they do:

geronimo.security:type=SecurityRealm,realm=geronimo-properties-realm
This is a security realm named "geronimo-properties-realm".  It is
implemented by the security realm provider PropertiesFileSecurityRealm
which uses two properties files, one for users and one for groups.  I
think that Jeremy uses this realm to provide security for remote JMX.

geronimo.security:type=ConfigurationEntry,jaasId=JMX
This registers a JAAS configuration entry for the above security realm.
Its application configuration name is "JMX" and this is what you pass to
a LoginContext.

geronimo.security:type=LoginConfiguration
This bean's sole purpose is to register Geronimo's LoginConfiguration
handler.

geronimo.security:type=SecurityService
This is Geronimo's JACC default implementation.  I intend to refactor it
so that it's obvious that this is not an all-encompassing service but is
just a default JACC implementation.  Third-party vendors can swap in
their own JACC implementations here.

geronimo.security:type=LoginService
This is Geronimo's login service.  Geronimo LoginModules speak to this
service to obtain their secure, hopefully spoof-proof, identification.


If you want to use a different security realm, you'll need to configure
two new beans, one for the security realm itself, the other for its JAAS
configuration entry.  These would be similar to the two beans listed
above.

Here's an example; you can see it in action in
org.apache.geronimo.security.jaas.LoginSQLTest.  Let's say that I work
for POOKIE Corporation and we have a SQL DB with users in it.  The
schema looks roughly like:

CREATE TABLE Users(UserName VARCHAR(16), Password VARCHAR(16))
CREATE TABLE Groups(GroupName VARCHAR(16), UserName VARCHAR(16))

Its GBean security realm configuration could look like:

<gbean name="geronimo.security:type=SecurityRealm,realm=pookie-realm"
       class="org.apache.geronimo.security.realm.providers.SQLSecurityRealm">
    <attribute name="realmName" type="java.lang.String">pookie-realm</attribute>
    <attribute name="maxLoginModuleAge" type="long">10000</attribute>
    <attribute name="connectionURL" type="java.lang.String">jdbc:hsqldb:target/database/LoginSQLTest</attribute>
    <attribute name="user" type="java.lang.String">dbid</attribute>
    <attribute name="password" type="java.lang.String">dbpw</attribute>
    <attribute name="userSelect" type="java.lang.String">SELECT UserName, Password FROM Users</attribute>
    <attribute name="groupSelect" type="java.lang.String">SELECT GroupName, UserName FROM Groups</attribute>
</gbean>

Here, I've configured the realm name, "pookie-realm".  The attribute
maxLoginModuleAge says how long to keep the login module around when
someone attempts to log in; I've given them ten seconds.  The attribute
connectionURL is the JDBC connection URL.  User and password are the
login credentials to log in to the DB.  Finally, there are the two select
statements to use to obtain a list of users and the groups that they
belong to.

Finally, we need to configure a JAAS configuration entry for it.  Let's
say that we want to use the application configuration name of "BEAR":

<gbean name="geronimo.security:type=ConfigurationEntry,jaasId=BEAR"
       class="org.apache.geronimo.security.jaas.ConfigurationEntryRealmLocal">
    <attribute name="applicationConfigName" type="java.lang.String">BEAR</attribute>
    <attribute name="realmName" type="java.lang.String">pookie-realm</attribute>
    <attribute name="controlFlag" type="org.apache.geronimo.security.jaas.LoginModuleControlFlag">REQUIRED</attribute>
</gbean>


I hope you found this helpful.


Regards,
Alan
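As an added illustration (not from Alan's message or the Geronimo code base), here is how an application would consume the "BEAR" configuration entry above through a standard JAAS LoginContext. It assumes Geronimo's LoginConfiguration handler is registered so that "BEAR" resolves to the pookie-realm login module; the user name "alice" and her password are constructed placeholders, and the snippet makes no assumption about which principal classes the realm adds to the Subject.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.Arrays;

public class PookieLoginDemo {

    /** Answers the name/password callbacks issued by the realm's LoginModule. */
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb, "unexpected callback");
                    }
                }
            }
        };
    }

    /** Logs in via the "BEAR" application configuration name and returns the Subject. */
    static Subject login(String user, char[] password) throws LoginException {
        // "BEAR" is the applicationConfigName of the ConfigurationEntry GBean;
        // JAAS looks it up through the registered LoginConfiguration handler.
        LoginContext ctx = new LoginContext("BEAR", handler(user, password));
        try {
            ctx.login();               // runs pookie-realm's module with controlFlag REQUIRED
        } finally {
            Arrays.fill(password, '\0'); // do not leave the clear-text secret in memory
        }
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Constructed placeholder credentials; they must exist in the Users table.
        Subject subject = login("alice", "s3cret".toCharArray());
        for (Principal p : subject.getPrincipals()) {
            System.out.println(p.getClass().getName() + ": " + p.getName());
        }
    }
}
```

If the login fails, LoginContext throws a LoginException and no Subject is populated; a successful login yields the principals derived from the Users and Groups rows returned by the two select statements.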