geronimo-dev mailing list archives

From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Re: JAAS and Tomcat
Date Sat, 20 Nov 2004 18:03:27 GMT
	Are you trying to run Tomcat within Geronimo, or run both Tomcat 
and Geronimo on the same box separately but talking to each other?

	In any case, unfortunately, you'll have to change your tests, 
because the properties file realm just went away.  If you look at the 
Jetty test you based your stuff on, you'll see how to replace that with a 
PropertiesFileLoginModule and a GenericSecurityRealm (two GBeans).

	The problem you're having with authorization may be due to the
Subject you're getting as a result of the login.  It's not actually
populated with all the principals that the server generates, because the
server only gives the "client" a single ID to identify itself as of now.  
There's a change on the table to return more of the principals to the
client, and you'll have to wait for that if you can't change the JAAS code
on the Tomcat side.  Otherwise, you can insert a call like "subject =
ContextManager.getServerSideSubject(subject);" to get the fully-populated
Subject.

	But it kind of sounds like you're running Tomcat inside Geronimo, 
in which case you've got a ways yet to go -- I think we want to configure 
Tomcat fully through GBeans and geronimo-tomcat.xml (or whatever), and not 
use server.xml, a JAAS config file, or anything like that.  If you were 
at ApacheCon this week, there was a pretty detailed talk about embedding 
Tomcat.  Anyway, I'm not sure if you're working toward this but not there 
yet, or trying to get it to work in a different configuration.

Aaron

On Sat, 20 Nov 2004, Jeff Genender wrote:
> I have semi-successfully gotten Tomcat to use the Geronimo JAAS 
> component.  I say semi-successful because I wrote some unit tests, got 
> Tomcat running along with some other security base GBeans, and was able 
> to protect resources in a web application, and access them with the 
> org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm.
> However, what does not seem to be working is the group/role side of 
> things.  If I protect the resources in the web.xml with the following:
> 
> <auth-constraint>
>      <role-name>*</role-name>
> </auth-constraint>
> 
> Then it works as planned.  But if I state a particular role/group, it 
> does not work.  So I need to see why Tomcat is accepting the authentication 
> piece of this, but not the authorization.
> 
> For a synopsis of what I did, I essentially took the BasicSecurityTest 
> and SecurityTest unit tests from Jetty and altered them to work with 
> Tomcat.  I then used the war3 test-resource for Jetty to use as a 
> protected web application.
> 
> Most of getting this to work was setting configuration files (i.e. the 
> server.xml with an appropriate context and ensuring the 
> -Djava.security.auth.login.config is set to point at a proper 
> login.config file).
> 
> Right now, the context needs to be declared in the server.xml.  I don't 
> like this.  I need to write a ContextInterceptor so the context can be 
> dynamically loaded from a geronimo-web.xml in the WEB-INF.  Hence, after 
> I get the role/group to work, I will write the interceptor, and I think 
> Geronimo JAAS will dynamically work with Tomcat.
> 
> For the security experts, please have a look at my unit test and configs 
> below and see if you think I missed anything relative to getting the 
> group to work:
> 
> Here is the login.config used by java.security.auth.login.config:
> 
> jaasTest {
>      org.apache.geronimo.security.jaas.JaasLoginCoordinator required
>      realm="demo-properties-realm"
>      kernel="geronimo.kernel";
> };
> 
> In the server.xml:
> 
> <Context path="/test" docBase="war3" debug="99" reloadable="true">
>      <Logger className="org.apache.catalina.logger.FileLogger"
>              prefix="test_log." suffix=".txt"
>              timestamp="true"/>
> 
>      <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
>             appName="jaasTest"
>             userClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
>             roleClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal"
>       />
> </Context>
> 
> I used the following code to fire up the necessary GBeans in a unit test:
> 
> containerName = new ObjectName("geronimo.tomcat:role=Container");
> containerPatterns = Collections.singleton(containerName);
> appName = new ObjectName("geronimo.tomcat:app=test");
> 
> tmName = new ObjectName("geronimo.test:role=TransactionManager");
> tcmName = new ObjectName("geronimo.test:role=TransactionContextManager");
> tcaName = new ObjectName("geronimo.test:role=ConnectionTrackingCoordinator");
> 
> kernel = new Kernel("geronimo.kernel");
> kernel.boot();
> 
> serverInfoGBean = new GBeanMBean(ServerInfo.GBEAN_INFO);
> serverInfoName = new ObjectName("geronimo.system:role=ServerInfo");
> serverInfoGBean.setAttribute("baseDirectory", ".");
> 
> container = new GBeanMBean(TomcatGBean.GBEAN_INFO);
> container.setAttribute("CatalinaHome", "target/var/catalina");
> container.setAttribute("CatalinaBase", "target/var/catalina");
> container.setAttribute("CatalinaConfig", "target/var/catalina/conf/server.xml");
> container.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));
> 
> securityServiceGBean = new GBeanMBean("org.apache.geronimo.security.SecurityService");
> securityServiceName = new ObjectName("geronimo.security:type=SecurityService");
> securityServiceGBean.setReferencePatterns("Realms",
>     Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
> securityServiceGBean.setAttribute("policyConfigurationFactory",
>     "org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory");
> 
> loginServiceGBean = new GBeanMBean("org.apache.geronimo.security.jaas.JaasLoginService");
> loginServiceName = new ObjectName("geronimo.security:type=JaasLoginService");
> loginServiceGBean.setReferencePatterns("Realms",
>     Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
> // loginServiceGBean.setAttribute("reclaimPeriod", new Long(1000 * 1000));
> loginServiceGBean.setAttribute("algorithm", "HmacSHA1");
> loginServiceGBean.setAttribute("password", "secret");
> 
> propertiesRealmGBean = new GBeanMBean("org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm");
> propertiesRealmName = new ObjectName("geronimo.security:type=SecurityRealm,realm=demo-properties-realm");
> propertiesRealmGBean.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));
> propertiesRealmGBean.setAttribute("realmName", "demo-properties-realm");
> propertiesRealmGBean.setAttribute("defaultPrincipal", "metro");
> propertiesRealmGBean.setAttribute("maxLoginModuleAge", new Long(1 * 1000));
> propertiesRealmGBean.setAttribute("usersURI",
>     new File(new File("."), "src/test-resources/data/users.properties").toURI());
> propertiesRealmGBean.setAttribute("groupsURI",
>     new File(new File("."), "src/test-resources/data/groups.properties").toURI());
> 
> start(serverInfoName, serverInfoGBean);
> start(propertiesRealmName, propertiesRealmGBean);
> start(containerName, container);
> start(securityServiceName, securityServiceGBean);
> start(loginServiceName, loginServiceGBean);
> 
> tm = new GBeanMBean(GeronimoTransactionManager.GBEAN_INFO);
> tm.setAttribute("defaultTransactionTimeoutSeconds", new Integer(10));
> Set patterns = new HashSet();
> patterns.add(ObjectName.getInstance("geronimo.server:j2eeType=JCAManagedConnectionFactory,*"));
> tm.setReferencePatterns("ResourceManagers", patterns);
> start(tmName, tm);
> tcm = new GBeanMBean(TransactionContextManager.GBEAN_INFO);
> tcm.setReferencePattern("TransactionManager", tmName);
> start(tcmName, tcm);
> ctc = new GBeanMBean(ConnectionTrackingCoordinator.GBEAN_INFO);
> start(tcaName, ctc);
> 
> 
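The following is an added illustration of the point Aaron makes above; it is example code written for this archive page, not code from either message, from Geronimo, or from Tomcat. A realm configured with roleClassNames only counts principals of the named group class when it evaluates an auth-constraint, so a Subject that carries just the user principal (what the client-side login currently hands back) satisfies <role-name>*</role-name> but can never satisfy a named role. The UserPrincipal and GroupPrincipal classes, the hasRole helper, and the two Subject builders are constructed stand-ins; serverSideSubject() only models what the message describes ContextManager.getServerSideSubject(subject) returning, and the user "metro" and the group names are made-up sample values.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Stand-in principal types for this example. Geronimo's real classes are
// PropertiesFileUserPrincipal and PropertiesFileGroupPrincipal.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return "user:" + name; }
}

final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return "group:" + name; }
}

public class RoleCheckDemo {

    /**
     * Models what a container realm does with roleClassNames: only principals
     * of the configured group/role class are compared against the role named
     * in the auth-constraint. "*" is satisfied by any authenticated Subject,
     * which is why it passes even when no group principals were ever added.
     */
    static boolean hasRole(Subject subject, String requiredRole,
                           Class<? extends Principal> roleClass) {
        if (subject == null || subject.getPrincipals().isEmpty()) {
            return false;                 // not authenticated at all
        }
        if ("*".equals(requiredRole)) {
            return true;                  // any authenticated user
        }
        for (Principal p : subject.getPrincipals(roleClass)) {
            if (requiredRole.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    // Constructed: what the client-side login hands back, a single identity.
    static Subject clientSideSubject() {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal("metro"));
        return s;
    }

    // Constructed: what the server holds after all login modules have run,
    // the user plus its group principals. Stands in for the result of
    // ContextManager.getServerSideSubject(subject).
    static Subject serverSideSubject() {
        Subject s = clientSideSubject();
        s.getPrincipals().add(new GroupPrincipal("manager"));
        s.getPrincipals().add(new GroupPrincipal("employee"));
        return s;
    }

    public static void main(String[] args) {
        Subject client = clientSideSubject();
        Subject server = serverSideSubject();

        // auth-constraint with <role-name>*</role-name>
        System.out.println("client subject, role *       : "
                + hasRole(client, "*", GroupPrincipal.class));
        System.out.println("server subject, role *       : "
                + hasRole(server, "*", GroupPrincipal.class));

        // auth-constraint with <role-name>manager</role-name>
        System.out.println("client subject, role manager : "
                + hasRole(client, "manager", GroupPrincipal.class));
        System.out.println("server subject, role manager : "
                + hasRole(server, "manager", GroupPrincipal.class));
    }
}
```

Compile and run it with javac and java; the two "role *" checks succeed for both Subjects, while the "role manager" check succeeds only for the Subject that carries group principals. The practical check on the Tomcat side is therefore to dump subject.getPrincipals() after login and confirm that instances of the class named in roleClassNames are actually present before looking anywhere else for the authorization failure.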
