geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.2 > Database (SQL) Realm
Date Wed, 09 Sep 2009 08:58:02 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Database+%28SQL%29+Realm">Database
(SQL) Realm</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
     update groupId of j2ee-security in the plan
          <br/>
     <div class="notificationGreySide">
<p>In this section we will focus on using a database for verifying and retrieving
user names and passwords.</p>

<p>For this example we created a new database called <b>SecurityDatabase</b>
using the built-in Derby database. The following steps summarize the procedure performed to
create the database and tables, load some sample data and create the connection pool. Detailed
instructions on how to define database connection pools are described in the Configuring database
pools section.</p>

<h3><a name="Database%28SQL%29Realm-Createdatabaseandloadsampledata"></a>Create
database and load sample data</h3>

<ul>
	<li>In the <b>Console Navigation</b> menu on the left click on <b>DB
Manager</b>.</li>
	<li>Enter <b>SecurityDatabase</b> in the <b>Create DB:</b>
field and click <b>Create</b>.</li>
	<li>Select the <b>SecurityDatabase</b> database from the <b>Use DB:</b>
pull-down menu, enter the following commands and click <b>Run SQL</b>.<br/>
<tt>create table users</tt><br/>
<tt>(username varchar(15),</tt><br/>
<tt>password varchar(15));</tt><br/>
<tt>create table groups</tt><br/>
<tt>(username varchar(15),</tt><br/>
<tt>groupname varchar(15));</tt><br/>
<tt>insert into users values('userone','p1');</tt><br/>
<tt>insert into users values('usertwo','p2');</tt><br/>
<tt>insert into users values('userthree','p3');</tt><br/>
<tt>insert into groups values('userone','admin');</tt><br/>
<tt>insert into groups values('usertwo','admin');</tt><br/>
<tt>insert into groups values('userthree','user');</tt></li>
</ul>


<h3><a name="Database%28SQL%29Realm-Createconnectionpool"></a>Create connection
pool</h3>

<ul>
	<li>In the <b>Console Navigation</b> menu on the left click on <b>Database
Pools</b>.</li>
	<li>Click on <b>Using the Geronimo database pool wizard</b>.</li>
	<li>Enter <b>SecurityDatabasePool</b> as the database pool name.</li>
	<li>Select <b>Derby embedded XA</b> from the database pool type pull-down
menu and click <b>Next</b>.</li>
	<li>From the Driver JAR scroll box select <b>org.apache.geronimo.configs/system-database/2.1.1-SNAPSHOT/car</b>.</li>
	<li>Leave <b>blank</b> the DB user name and password.</li>
	<li>Enter <b>SecurityDatabase</b> as the database name.</li>
	<li>Click <b>Deploy</b>.</li>
</ul>


<h3><a name="Database%28SQL%29Realm-Addanewsecurityrealm"></a>Add a new
security realm</h3>

<p>To create a new security realm click on <b>Add new security realm</b>
from the <b>Security Realms</b> portlet.</p>

<p><img src="/confluence/download/attachments/93427/consoleDBSecurityRealmAdd.png"
align="absmiddle" border="0" /></p>

<p>Enter <b>derby_security_realm</b> in the <b>Name of Security Realm:</b>
field and select <b>Database (SQL) Realm</b> from the <b>Realm type:</b>
pull-down menu and click <b>Next</b>.</p>

<p>The following screen configures the login module. The first two fields you need to
fill in may vary from one database type to another. In this case we are using the embedded Derby
database, so the User and Group select SQL should read as follows:</p>

<p><b>User SELECT SQL:</b> <tt>select username, password from users
where username=?</tt><br/>
<b>Group SELECT SQL:</b> <tt>select username, groupname from groups where
username=?</tt></p>

<p>Once you have entered the SQL statements for retrieving users and groups, you need to select
from the <b>Database Pool</b> pull-down menu the database connection pool you
created in the previous step. Add the required values as shown below and click <b>Next</b>.</p>

<p><b>Database Pool:</b> <b><tt>SecurityDatabasePool</tt></b></p>

<p><img src="/confluence/download/attachments/93427/consoleSecurityConfigureLogin.png"
align="absmiddle" border="0" /></p>

<p>The following step allows you to enable auditing, so that login attempts via this realm
are logged. In this step you can also configure account lockout based on the number
of failed login attempts within a specified timeframe. If you enable <b>Store Password</b>,
the realm stores the user's password as a private credential in the "Subject".
If you enable <b>Naming Credential</b>, the realm also stores the user name as a
private credential, in addition to the user's password.</p>

<p><img src="/confluence/download/attachments/93427/consoleSecurityAdvancedConfiguration.png"
align="absmiddle" border="0" /></p>

<p>At this point you have configured the new security realm; the next step is to test
it and then deploy it. Click on <b>Test a Login</b>.</p>

<p>Enter a valid user name and password to be retrieved from the database and click
<b>Next</b>.</p>

<p><img src="/confluence/download/attachments/93427/consoleSecurityUserTest.png"
align="absmiddle" border="0" /></p>

<p>You should receive a confirmation message that the login succeeded. Click on <b>Deploy
Realm</b> to load this configuration to the server.</p>

<p><img src="/confluence/download/attachments/93427/consoleSecurityUserTestSuccess.png"
align="absmiddle" border="0" /></p>

<p>Now you have a new, fully configured security realm that retrieves user names and
passwords from the built-in Derby database.</p>

<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16"
align="absmiddle" alt="" border="0"></td><td>If you get an error the first
time you try to validate this realm, you will very likely see the <b><tt>SQL Exception:
Failed to start database ...</tt></b> error in the terminal and logs. This is
a known issue with Derby; you will need to restart Geronimo so the new database can communicate
properly.</td></tr></table></div>

<p>The following example shows the deployment plan for this security realm. As an alternative
to the Geronimo Administration Console, you can save this example to a file (for example, derby_security_realm.xml)
and deploy it with the <a href="/confluence/display/GMOxDOC22/Tools+and+commands#Toolsandcommands-Deployertool">Deployer
tool</a> by running the following command:</p>

<p><b><tt>&lt;geronimo_home&gt;\bin\deploy --user system --password
manager deploy &lt;realm_path&gt;\derby_security_realm.xml</tt></b></p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>derby_security_realm</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;module xmlns=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>&gt;</span>
    <span class="code-tag">&lt;environment&gt;</span>
        <span class="code-tag">&lt;moduleId&gt;</span>
            <span class="code-tag">&lt;groupId&gt;</span>console.realm<span
class="code-tag">&lt;/groupId&gt;</span>
            <span class="code-tag">&lt;artifactId&gt;</span>derby_security_realm<span
class="code-tag">&lt;/artifactId&gt;</span>
            <span class="code-tag">&lt;version&gt;</span>1.0<span class="code-tag">&lt;/version&gt;</span>
            <span class="code-tag">&lt;type&gt;</span>car<span class="code-tag">&lt;/type&gt;</span>
        <span class="code-tag">&lt;/moduleId&gt;</span>
        <span class="code-tag">&lt;dependencies&gt;</span>
            <span class="code-tag">&lt;dependency&gt;</span>
                <span class="code-tag">&lt;groupId&gt;</span>org.apache.geronimo.framework<span
class="code-tag">&lt;/groupId&gt;</span>
                <span class="code-tag">&lt;artifactId&gt;</span>j2ee-security<span
class="code-tag">&lt;/artifactId&gt;</span>
                <span class="code-tag">&lt;type&gt;</span>car<span
class="code-tag">&lt;/type&gt;</span>
            <span class="code-tag">&lt;/dependency&gt;</span>
            <span class="code-tag">&lt;dependency&gt;</span>
                <span class="code-tag">&lt;groupId&gt;</span>console.dbpool<span
class="code-tag">&lt;/groupId&gt;</span>
                <span class="code-tag">&lt;artifactId&gt;</span>SecurityDatabasePool<span
class="code-tag">&lt;/artifactId&gt;</span>
                <span class="code-tag">&lt;version&gt;</span>1.0<span
class="code-tag">&lt;/version&gt;</span>
                <span class="code-tag">&lt;type&gt;</span>rar<span
class="code-tag">&lt;/type&gt;</span>
            <span class="code-tag">&lt;/dependency&gt;</span>
        <span class="code-tag">&lt;/dependencies&gt;</span>
    <span class="code-tag">&lt;/environment&gt;</span>
    &lt;gbean name=<span class="code-quote">"derby_security_realm"</span>
class=<span class="code-quote">"org.apache.geronimo.security.realm.GenericSecurityRealm"</span>
xsi:type=<span class="code-quote">"dep:gbeanType"</span>
           <span class="code-keyword">xmlns:dep</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>
<span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
        <span class="code-tag">&lt;attribute name=<span class="code-quote">"realmName"</span>&gt;</span>derby_security_realm<span
class="code-tag">&lt;/attribute&gt;</span>
        <span class="code-tag">&lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;</span>
            <span class="code-tag">&lt;name&gt;</span>ServerInfo<span
class="code-tag">&lt;/name&gt;</span>
        <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;xml-reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;</span>
            <span class="code-tag">&lt;log:login-config <span class="code-keyword">xmlns:log</span>=<span
class="code-quote">"http://geronimo.apache.org/xml/ns/loginconfig-2.0"</span>&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"REQUIRED"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>derby_security_realm<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.SQLLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"dataSourceName"</span>&gt;</span>SecurityDatabasePool<span
class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"dataSourceApplication"</span>&gt;</span>null<span
class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"groupSelect"</span>&gt;</span>select
username, groupname from groups where username=?<span class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"userSelect"</span>&gt;</span>select
username, password from users where username=?<span class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"OPTIONAL"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>derby_security_realm-Audit<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.FileAuditLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"file"</span>&gt;</span>var/log/derby_security_realm.log<span
class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"REQUISITE"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>derby_security_realm-Lockout<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"failureCount"</span>&gt;</span>3<span
class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"failurePeriodSecs"</span>&gt;</span>10<span
class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"lockoutDurationSecs"</span>&gt;</span>60<span
class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
            <span class="code-tag">&lt;/log:login-config&gt;</span>
        <span class="code-tag">&lt;/xml-reference&gt;</span>
    <span class="code-tag">&lt;/gbean&gt;</span>
<span class="code-tag">&lt;/module&gt;</span>
</pre>
</div></div>
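<p>The realm described above, modelled as an added example in Python (not Geronimo's SQLLoginModule or RepeatedFailureLockoutLoginModule code): it loads the users/groups tables and sample rows from the SQL section into an in-memory sqlite3 stand-in for the Derby SecurityDatabase, runs the plan's userSelect and groupSelect queries with the user name bound to the <tt>?</tt> placeholder, and applies the lockout options from the plan (failureCount=3, failurePeriodSecs=10, lockoutDurationSecs=60). How failures are counted is a simplified assumption about the lockout module, and the clear-text password compare mirrors the page's sample data.</p>

```python
import sqlite3
# Constructed stand-in for the page's SecurityDatabase: same tables and sample rows.
SCHEMA = """
create table users (username varchar(15), password varchar(15));
create table groups (username varchar(15), groupname varchar(15));
insert into users values('userone','p1');
insert into users values('usertwo','p2');
insert into users values('userthree','p3');
insert into groups values('userone','admin');
insert into groups values('usertwo','admin');
insert into groups values('userthree','user');
"""
# userSelect / groupSelect from the plan; '?' is a bound parameter, never string-spliced.
USER_SELECT = "select username, password from users where username=?"
GROUP_SELECT = "select username, groupname from groups where username=?"

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

class Lockout:
    """Simplified model (assumption) of the plan's RepeatedFailureLockoutLoginModule options."""
    def __init__(self, failure_count=3, failure_period=10, lockout_duration=60):
        self.count, self.period, self.duration = failure_count, failure_period, lockout_duration
        self.failures, self.locked_until = {}, {}  # per-user failure times / lockout expiry

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        # Only failures inside the sliding failurePeriodSecs window count towards the limit.
        recent = [t for t in self.failures.get(user, []) if now - t <= self.period]
        recent.append(now)
        if len(recent) >= self.count:
            self.locked_until[user] = now + self.duration
            recent = []
        self.failures[user] = recent

def login(conn, lockout, username, password, now):
    """Return the user's group names on success, None on failure or while locked out."""
    if lockout.is_locked(username, now):
        return None
    row = conn.execute(USER_SELECT, (username,)).fetchone()
    # Plain string compare because the page's sample data stores clear-text passwords.
    if row is None or row[1] != password:
        lockout.record_failure(username, now)
        return None
    lockout.failures.pop(username, None)  # a successful login resets the failure history
    return [group for _, group in conn.execute(GROUP_SELECT, (username,))]
```

Each call takes an explicit clock value so the sliding window and the lockout expiry can be exercised deterministically.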

<p>Once the security realm has been created, you can use the <b>usage</b>
link to view samples of how to use the new realm in your applications.</p>
     </div>
</div>
</div>
</div>
</div>
</body>
</html>
