geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache Geronimo v2.2 > Basic Hints on Security Configuration
Date Mon, 17 May 2010 02:38:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Basic
Hints on Security Configuration</a></h2>
    <h4>Page <b>edited</b> by             <a href="">Runhua
                         <h4>Changes (1)</h4>
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. Using a pluggable encryption
system <br></td></tr>
            <tr><td class="diff-changed-lines" >By default you get the old behavior
with <span class="diff-changed-words">&quot;<span class="diff-added-chars"style="background-color:
#dfd;">\</span>{Simple}&quot;</span> encryption with a hard-coded key.
If you want to have a fixed key generated by Geronimo, you can add this Gbean to the rmi-naming
module in {{config.xml}}: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <style type='text/css'>/*<![CDATA[*/
table.ScrollbarTable  {border: none;padding: 3px;width: 100%;padding: 3px;margin: 0px;background-color:
table.ScrollbarTable td.ScrollbarPrevIcon {text-align: center;width: 16px;border: none;}
table.ScrollbarTable td.ScrollbarPrevName {text-align: left;border: none;}
table.ScrollbarTable td.ScrollbarParent {text-align: center;border: none;}
table.ScrollbarTable td.ScrollbarNextName {text-align: right;border: none;}
table.ScrollbarTable td.ScrollbarNextIcon {text-align: center;width: 16px;border: none;}

/*]]>*/</style><div class="Scrollbar"><table class='ScrollbarTable'><tr><td
class='ScrollbarPrevIcon'><a href="/confluence/display/GMOxDOC22/Administering+users+and+groups"><img
border='0' align='middle' src='/confluence/images/icons/back_16.gif' width='16' height='16'></a></td><td
width='33%' class='ScrollbarPrevName'><a href="/confluence/display/GMOxDOC22/Administering+users+and+groups">Administering
users and groups</a>&nbsp;</td><td width='33%' class='ScrollbarParent'><sup><a
href="/confluence/display/GMOxDOC22/Administering+Security"><img border='0' align='middle'
src='/confluence/images/icons/up_16.gif' width='8' height='8'></a></sup><a
href="/confluence/display/GMOxDOC22/Administering+Security">Administering Security</a></td><td
width='33%' class='ScrollbarNextName'>&nbsp;<a href="/confluence/display/GMOxDOC22/Certification+Authority">Certification
Authority</a></td><td class='ScrollbarNextIcon'><a href="/confluence/display/GMOxDOC22/Certification+Authority"><img
border='0' align='middle' src='/confluence/images/icons/forwd_16.gif' width='16' height='16'></a></td></tr></table></div>

<h2><a name="BasicHintsonSecurityConfiguration-Whereisthesecurityconfiguration%3F"></a>Where
is the security configuration?</h2>

<p>In a normal Geronimo server, the basic security configuration is divided into two
plugins, <b>j2ee-security</b> and <b>server-security-config</b>. 
The parts you are not too likely to want to change, such as the jacc provider and the keystore
manager, are in j2ee-security.  The parts that you are almost certain to want to change is
in server-security config.  For instance, the toy properties file security realm for the admin
console is in server-security-config.</p>

<h3><a name="BasicHintsonSecurityConfiguration-SoIhaveanenterprisewideauthenticationsystem....howdoIsetitupforallmyapps%3F"></a>So
I have an enterprise wide authentication system.... how do I set it up for all my apps?</h3>

<p>You want to replace server-security-config with your own Geronimo plugin (see <a
href="/confluence/display/GMOxDOC22/Administering+plugins" title="Administering plugins">Administering
plugins</a>) that contains a security realm customized for your security setup (e.g.
ldap) and includes whatever keystores you need. To replace all uses of server-security-config
with your plugin, include an artifact-alias element in your <tt>geronimo-plugin.xml</tt>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;artifact-alias key=<span class="code-quote">"org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"</span>&gt;com.myco/myco-security-config/1.0/car&lt;/artifact-alias&gt;
&lt;artifact-alias key=<span class="code-quote">"org.apache.geronimo.framework/server-security-config<span
<p>Another option is to use maven with the car-maven-plugin. The above code would need
to be included in the car-maven-plugin configuration in <tt>pom.xml</tt>.</p>

<p>Note that if you want the admin console and MEJB to continue working without redeployment,
you have to include a security realm named <em>geronimo-admin</em>.  geronimo-admin
should supply supply appropriate users with principals of class
and names of (as appropriate) admin (for console and MEJB read access) and mejbadmin (for
MEJB write access).</p>

<p>As with any geronimo plugin, you can include any jars in the plugin's classloader
by installing the jars in the geronimo repository and listing them as dependencies in the
geronimo plan. The car-maven-plugin can be used to make the geronimo dependencies the same
as the maven dependencies and to have plugin installation also install all the needed jars.</p>

<h3><a name="BasicHintsonSecurityConfiguration-I%27mstilldoingexperimentsandamnotreadytowriteaplugin...howdoIusearealmIcreatedintheadminconsole%3F"></a>I'm
still doing experiments and am not ready to write a plugin... how do I use a realm I created
in the admin console?</h3>

<p>While getting all your configuration into plugins with source code in scm and built
by maven provides a completely reproducible environment, you might want to experiment with
a security realm you set up using the admin console.  In this case you need to, while geronimo
is stopped, edit the <tt>var/config/</tt> file by hand.
 Assuming that you named the configuration <em>geronimo-admin</em> the console
will come up with a plugin id of console.realm/geronimo-admin/1.0/car.  You need to put lines

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
org.apache.geronimo.framework/server-security-config<span class="code-comment">//car=console.realm/geronimo-admin/1.0/car</span>
<p>where you've replaced <em>2.2-SNAPSHOT</em> with the actual version of
geronimo you are using.</p>

<h3><a name="BasicHintsonSecurityConfiguration-Whoneedsenterprisewide%3FIwantmyapptoincludeitsownsecuritysetup%21"></a>Who
needs enterprise-wide?  I want my app to include its own security setup!</h3>

<p>You can also include security realm configuration, keystores, and credential stores
in your geronimo plan for your application.  Just put the gbean configurations at the end
after the javaee specific configuration.  In this case you may not want to remove the standard
server-security-config as removing it would prevent the admin console or mejb from starting.</p>

<h3><a name="BasicHintsonSecurityConfiguration-ForWebapplicationsusingSpringSecurity"></a>For
Web applications using Spring Security</h3>

<p>Spring security may secure spring applications but it won't relate to container managed
authorization in Geronimo unless you do something to hook it up.  You need some code that
looks vaguely like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Subject subject = getSpringAuthenticatedSubject();
ContextManager.registerSubject(subject); <span class="code-comment">//<span class="code-keyword">if</span>
the subject is cached in a session <span class="code-keyword">this</span> should
only happen once when the subject is first authenticated/constructed.
<span class="code-comment">//the following should happen on every request
</span>ContextManager.setCallers(subject, subject);
<span class="code-keyword">try</span> {
<span class="code-comment">//process request
</span>} <span class="code-keyword">finally</span> {

<h2><a name="BasicHintsonSecurityConfiguration-Usingapluggableencryptionsystem"></a>Using
a pluggable encryption system</h2>
<p>By default you get the old behavior with "{Simple}" encryption with a hard-coded
key. If you want to have a fixed key generated by Geronimo, you can add this Gbean to the
rmi-naming module in <tt>config.xml</tt>:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;gbean name=<span class="code-quote">"org.apache.geronimo.configs/rmi-naming/2.2-SNAPSHOT/car?name=ConfiguredEncryption,j2eeType=GBean"</span>
gbeanInfo=<span class="code-quote">"org.apache.geronimo.system.util.ConfiguredEncryption"</span>&gt;
&lt;attribute name=<span class="code-quote">"path"</span>&gt;<span
&lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;&lt;pattern&gt;&lt;name&gt;ServerInfo&lt;/name&gt;&lt;/pattern&gt;&lt;/reference&gt;

<p>This will create a key the first time the server started, after that it will keep
using the saved key at the location specified. If you put a serialized SecretKeySpec there
it will use it instead.</p>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
        <a href="">View
        <a href="">View
        <a href=";showCommentArea=true#addcomment">Add

View raw message