geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.2 > Replacing default Realm in Geronimo
Date Tue, 15 Sep 2009 09:37:02 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Replacing+default+Realm+in+Geronimo">Replacing
default Realm in Geronimo</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
     update with 2 samples
          <br/>
     <div class="notificationGreySide">

<p>This article describes how to replace the default .properties realm <tt>geronimo-admin</tt>
with a SQL or LDAP realm.</p>

<p>By default, Geronimo uses a .properties file realm named <tt>geronimo-admin</tt> for authentication;
it is used by the JMX server, the Administration Console, online deployment and the MEJB application.
You may not want to use it in production. Instead, you can use a database (SQL)
or LDAP realm in a production environment. To demonstrate how to replace the default realm,
we will use the following two samples:</p>
<div>
<ul>
    <li><a href='#ReplacingdefaultRealminGeronimo-Withadatabase%28SQL%29realm'>With
a database (SQL) realm</a></li>
    <li><a href='#ReplacingdefaultRealminGeronimo-WithaLDAPream'>With an LDAP realm</a></li>
</ul></div>

<h1><a name="ReplacingdefaultRealminGeronimo-Withadatabase%28SQL%29realm"></a>With
a database(SQL) realm</h1>
<p>In this example, we will use an embedded Derby database as the security provider.</p>
<ol>
	<li>Create a database named <tt>SecurityDatabase</tt> using <b>DB
manager</b> on the administration console;</li>
	<li>Create two tables <tt>Users</tt> and <tt>Groups</tt> to
store user credentials and group membership;
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-sql">
create table users(username varchar(15),password varchar(15));
create table groups(username varchar(15),groupname varchar(15));
insert into users values('userone','p1');
insert into users values('usertwo','p2');
insert into users values('userthree','p3');
insert into groups values('userone','admin');
insert into groups values('usertwo','admin');
insert into groups values('userthree','user');
</pre>
</div></div></li>
	<li>Create a Derby XA database pool named <tt>SecurityDatabasePool</tt>
using <b>Database Pools</b> on the console;</li>
	<li>Stop the server and update module <tt>org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car</tt>
in the <tt>&lt;Geronimo_Home&gt;/var/config/config.xml</tt> file to enable
the SQL realm.
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;module name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"</span>&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=security-realm"</span>
gbeanInfo=<span class="code-quote">"org.apache.geronimo.security.jaas.LoginModuleGBean"</span>&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"loginModuleClass"</span>&gt;</span>org.apache.geronimo.security.realm.providers.SQLLoginModule<span
class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"options"</span>&gt;</span>dataSourceName=SecurityDatabasePool
                                      databasesourceApplication=null
                                      groupSelect=select username, groupname from groups where
username=?
                                      userSelect=select username, password from users where
username=?<span class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"loginDomainName"</span>&gt;</span>geronimo-admin<span
class="code-tag">&lt;/attribute&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"geronimo-admin"</span>&gt;</span>
            <span class="code-tag">&lt;reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;</span>
                <span class="code-tag">&lt;pattern&gt;</span>
                    <span class="code-tag">&lt;name&gt;</span>realm-login-use<span
class="code-tag">&lt;/name&gt;</span>
                <span class="code-tag">&lt;/pattern&gt;</span>
            <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=realm-login-use"</span>
gbeanInfo=<span class="code-quote">"org.apache.geronimo.security.jaas.JaasLoginModuleUse"</span>&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"controlFlag"</span>&gt;</span>REQUIRED<span
class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;reference name=<span class="code-quote">"LoginModule"</span>&gt;</span>
                <span class="code-tag">&lt;pattern&gt;</span>
                    <span class="code-tag">&lt;name&gt;</span>security-realm<span
class="code-tag">&lt;/name&gt;</span>
                <span class="code-tag">&lt;/pattern&gt;</span>
            <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
    <span class="code-tag">&lt;/module&gt;</span>
</pre>
</div></div>
<p>Where </p>
	<ul>
		<li><em>geronimo-admin</em> is the same realm name as the original one.
You may use another name instead, but if you do, you must also replace the security realm name
in every other application that uses the same security constraint as the console.</li>
	</ul>
	</li>
	<li>Then restart the server and try to log in with the user name <em>userone</em>
and password <em>p1</em>. You will see the newly created SQL realm working.</li>
</ol>
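<p>The login flow those five steps configure, as an added example that is not Geronimo's own SQLLoginModule code: an in-memory sqlite3 copy of the page's <tt>Users</tt>/<tt>Groups</tt> tables, the page's <tt>userSelect</tt> and <tt>groupSelect</tt> queries run with the user name bound to the <tt>?</tt> placeholder, and the password compared as stored (the sample schema keeps passwords in clear text).</p>

```python
"""Emulation of the SQLLoginModule login flow configured on this page (added
example, not Geronimo's code). The two configured queries run with the username
bound to the ? placeholder; sqlite3 stands in for the embedded Derby database."""
import sqlite3

# The page's userSelect / groupSelect options, verbatim.
USER_SELECT = "select username, password from users where username=?"
GROUP_SELECT = "select username, groupname from groups where username=?"

# Constructed in-memory copy of the page's Users / Groups tables and sample rows.
SEED_SQL = """
create table users(username varchar(15),password varchar(15));
create table groups(username varchar(15),groupname varchar(15));
insert into users values('userone','p1');
insert into users values('usertwo','p2');
insert into users values('userthree','p3');
insert into groups values('userone','admin');
insert into groups values('usertwo','admin');
insert into groups values('userthree','user');
"""


def open_security_database():
    """Create the SecurityDatabase stand-in and load the page's sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def login(conn, username, password):
    """Return the user's sorted group names on success, or None on failure.

    The username is passed as a bound parameter, never spliced into the SQL
    text, so a name containing quote characters is simply an unknown user.
    The sample schema stores passwords in clear text, so the check is a plain
    string comparison against the stored value."""
    row = conn.execute(USER_SELECT, (username,)).fetchone()
    if row is None or row[1] != password:
        return None  # unknown user and wrong password yield the same result
    groups = conn.execute(GROUP_SELECT, (username,)).fetchall()
    return sorted(groupname for _, groupname in groups)


if __name__ == "__main__":
    db = open_security_database()
    print(login(db, "userone", "p1"))     # ['admin']
    print(login(db, "userone", "wrong"))  # None
    print(login(db, "userone' or 'a'='a", "p1"))  # None: bound, not concatenated
```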



<h1><a name="ReplacingdefaultRealminGeronimo-WithaLDAPream"></a>With an LDAP
realm</h1>
<p>To replace the default .properties file realm with an LDAP realm, the configuration
is nearly identical to the sample above. The only difference is to use <tt>org.apache.geronimo.security.realm.providers.LDAPLoginModule</tt>
as the <tt>loginModuleClass</tt>. Here is the code snippet you can use in <tt>config.xml</tt>:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;module name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"</span>&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=security-realm"</span>
gbeanInfo=<span class="code-quote">"org.apache.geronimo.security.jaas.LoginModuleGBean"</span>&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"loginModuleClass"</span>&gt;</span>org.apache.geronimo.security.realm.providers.LDAPLoginModule<span
class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"options"</span>&gt;</span>roleSearchMatching=uniqueMember={0}
                                      userSearchMatching=uid={0}
                                      userBase=ou=users,ou=system
                                      connectionUsername=uid=admin,ou=system
                                      roleName=cn
                                      userSearchSubtree=true
                                      authentication=simple
                                      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
                                      roleBase=ou=groups,ou=system
                                      connectionPassword=secret
                                      connectionURL=ldap://9.186.10.16:10389
                                      roleSearchSubtree=true<span class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"loginDomainName"</span>&gt;</span>geronimo-admin<span
class="code-tag">&lt;/attribute&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"geronimo-admin"</span>&gt;</span>
            <span class="code-tag">&lt;reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;</span>
                <span class="code-tag">&lt;pattern&gt;</span>
                    <span class="code-tag">&lt;name&gt;</span>realm-login-use<span
class="code-tag">&lt;/name&gt;</span>
                <span class="code-tag">&lt;/pattern&gt;</span>
            <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
        <span class="code-tag">&lt;gbean name=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=realm-login-use"</span>
gbeanInfo=<span class="code-quote">"org.apache.geronimo.security.jaas.JaasLoginModuleUse"</span>&gt;</span>
            <span class="code-tag">&lt;attribute name=<span class="code-quote">"controlFlag"</span>&gt;</span>REQUIRED<span
class="code-tag">&lt;/attribute&gt;</span>
            <span class="code-tag">&lt;reference name=<span class="code-quote">"LoginModule"</span>&gt;</span>
                <span class="code-tag">&lt;pattern&gt;</span>
                    <span class="code-tag">&lt;name&gt;</span>security-realm<span
class="code-tag">&lt;/name&gt;</span>
                <span class="code-tag">&lt;/pattern&gt;</span>
            <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;/gbean&gt;</span>
    <span class="code-tag">&lt;/module&gt;</span>
</pre>
</div></div>
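<p>How the <tt>options</tt> above become LDAP searches, as an added example that is not Geronimo's LDAPLoginModule code: it parses the page's key=value options, substitutes the login name into <tt>userSearchMatching</tt> and the user's DN into <tt>roleSearchMatching</tt>, and escapes the substituted value per RFC 4515 so it cannot alter the filter. Assumptions: that <tt>{0}</tt> in the role search stands for the user DN, and the escaping itself, since the page does not say whether the module escapes; <tt>connectionURL</tt> and <tt>connectionPassword</tt> are left out because the searches do not need them.</p>

```python
"""Added example (not Geronimo's code): parse the LDAPLoginModule options from
the page and build the user and role searches they describe. The substituted
value is escaped per RFC 4515 before it replaces {0} in a filter."""

# Constructed copy of the page's options text; connectionURL and
# connectionPassword are omitted because the searches do not use them.
OPTIONS_TEXT = """
roleSearchMatching=uniqueMember={0}
userSearchMatching=uid={0}
userBase=ou=users,ou=system
connectionUsername=uid=admin,ou=system
roleName=cn
userSearchSubtree=true
authentication=simple
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
roleBase=ou=groups,ou=system
roleSearchSubtree=true
"""


def parse_options(text):
    """One key=value per whitespace-separated token, split on the first '='
    only, because values such as ou=users,ou=system contain '=' themselves."""
    opts = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            opts[key] = value
    return opts


def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that would change a filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _scope(opts, key):
    return "SUBTREE" if opts.get(key) == "true" else "ONELEVEL"


def user_search(opts, username):
    """(base, scope, filter) for locating the user entry by login name."""
    flt = opts["userSearchMatching"].replace("{0}", escape_filter_value(username))
    return opts["userBase"], _scope(opts, "userSearchSubtree"), "(" + flt + ")"


def role_search(opts, user_dn):
    """(base, scope, filter, attribute) for collecting the user's groups.
    Assumption: {0} in roleSearchMatching stands for the resolved user DN."""
    flt = opts["roleSearchMatching"].replace("{0}", escape_filter_value(user_dn))
    return opts["roleBase"], _scope(opts, "roleSearchSubtree"), "(" + flt + ")", opts["roleName"]
```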
     </div>
</div>
</div>
</div>
</div>
</body>
</html>
