From: "Alan D. Cabrera"
To: dev@geronimo.apache.org
Subject: RE: Security providers
Date: Wed, 18 Aug 2004 08:24:30 -0400

> -----Original Message-----
> From: David Blevins [mailto:david.blevins@visi.com]
> Sent: Monday, August 16, 2004 7:55 PM
> To: dev@geronimo.apache.org
> Subject: Security providers
>
> Is the security stuff hooked up by default? If not, what does it take
> to get a Provider plugged in? Or how do you change from one to the other?
>
> -David

The security stuff is set up in the configuration plan org/apache/geronimo/Server, but you may not find a useful security realm configured.
Walking through the GBean names, I will briefly explain what they do:

geronimo.security:type=SecurityRealm,realm=geronimo-properties-realm

This is a security realm named "geronimo-properties-realm". It is implemented by the security realm provider PropertiesFileSecurityRealm, which uses two properties files, one for users and one for groups. I think that Jeremy uses this realm to provide security for remote JMX.

geronimo.security:type=ConfigurationEntry,jaasId=JMX

This registers a JAAS configuration entry for the above security realm. Its application configuration name is "JMX" and this is what you pass to a LoginContext.

geronimo.security:type=LoginConfiguration

This bean's sole purpose is to register Geronimo's LoginConfiguration handler.

geronimo.security:type=SecurityService

This is Geronimo's JACC default implementation. I intend to refactor it so that it's obvious that this is not an all encompassing service but is just a default JACC implementation. Third party vendors can swap in their own JACC implementations here.

geronimo.security:type=LoginService

This is Geronimo's login service. Geronimo LoginModules speak to this service to obtain their secure, hopefully spoof-proof, identification.

If you want to use a different security realm, you'll need to configure two new beans, one for the security realm itself, the other for its JAAS configuration entry. These would be similar to the two beans listed above. Here's an example; you can see it in action in org.apache.geronimo.security.jaas.LoginSQLTest. Let's say that I work for POOKIE Corporation and we have a SQL DB with users in it.
The schema looks roughly like:

    CREATE TABLE Users(UserName VARCHAR(16), Password VARCHAR(16))
    CREATE TABLE Groups(GroupName VARCHAR(16), UserName VARCHAR(16))

Its GBean security realm configuration could look like:

    realm name:         pookie-realm
    maxLoginModuleAge:  10000
    connectionURL:      jdbc:hsqldb:target/database/LoginSQLTest
    user:               dbid
    password:           dbpw
    user select:        SELECT UserName, Password FROM Users
    group select:       SELECT GroupName, UserName FROM Groups

Here, I've configured the realm name, "pookie-realm". The attribute maxLoginModuleAge says how long to keep the login module around when someone attempts to login; I've given them ten seconds. The attribute connectionURL is the JDBC connection URL. User and password are the login credentials to login to the DB. Finally there are the two select statements to use to obtain a list of users and the groups that they belong in.

Finally, we need to configure a JAAS configuration entry for it. Let's say that we want to use the application configuration name of "BEAR":

    application configuration name:  BEAR
    realm:                           pookie-realm
    control flag:                    REQUIRED

I hope you found this helpful.

Regards,
Alan
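To make concrete what the SQL-backed realm above does with its two configured selects, here is an added example (not Geronimo's code and not part of Alan's post) that builds the POOKIE schema from the post in an in-memory sqlite3 database standing in for HSQLDB, runs the user and group selects exactly as configured, and authenticates a user against the result. The sample rows and the function names (build_realm_db, load_realm, authenticate) are constructed for this illustration.

```python
import hmac
import sqlite3

# Schema and select statements as given in the post; sqlite3 stands in for HSQLDB.
SCHEMA = [
    "CREATE TABLE Users(UserName VARCHAR(16), Password VARCHAR(16))",
    "CREATE TABLE Groups(GroupName VARCHAR(16), UserName VARCHAR(16))",
]
USER_SELECT = "SELECT UserName, Password FROM Users"
GROUP_SELECT = "SELECT GroupName, UserName FROM Groups"

# Constructed sample rows (not from the post).
SAMPLE_USERS = [("alice", "wonderland"), ("bob", "builder")]
SAMPLE_GROUPS = [("admins", "alice"), ("users", "alice"), ("users", "bob")]


def build_realm_db():
    """Create the POOKIE schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO Groups VALUES (?, ?)", SAMPLE_GROUPS)
    conn.commit()
    return conn


def load_realm(conn, user_select=USER_SELECT, group_select=GROUP_SELECT):
    """Run the two configured selects and index the rows they return.

    Returns ({UserName: Password}, {UserName: {GroupName, ...}}); the realm
    sees only what these two statements yield, so column order matters.
    """
    users = {name: pw for name, pw in conn.execute(user_select)}
    groups = {}
    for group, name in conn.execute(group_select):
        groups.setdefault(name, set()).add(group)
    return users, groups


def authenticate(realm, username, password):
    """Return the user's group names on success, or None on failure.

    The stored value is whatever the user select returned (the post's
    schema keeps it as a plain VARCHAR); the comparison is constant-time.
    """
    users, groups = realm
    stored = users.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return frozenset(groups.get(username, ()))
```

A user with no row in Groups still authenticates, but with an empty group set, which is the case to check when a realm's group select is misconfigured.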