geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v3.0 > Configuring JavaEE App Client Security
Date Mon, 31 Jan 2011 02:23:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2036/9/4/_/styles/combined.css?spaceKey=GMOxDOC30&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC30/Configuring+JavaEE+App+Client+Security">Configuring
JavaEE App Client Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~maojia508">maojia</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-unchanged" >h2. Overview <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >{excerpt}Application client security
starts with specifying the CallbackHandler <span class="diff-added-words"style="background-color:
#dfd;">that</span> you want to use in the <span class="diff-changed-words">app<span
class="diff-added-chars"style="background-color: #dfd;">lication</span></span>
client deployment descriptor (in Geronimo) or in a similar element in the Geronimo deployment
plan.{excerpt}  In Geronimo, this callback handler is run as soon as the client is activated
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">
</span> and before the main class main method is called. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >For a CallbackHandler to work,
a security realm must be configured.  This must be defined on the client.  You can configure
this in any plugin that will be started before the client application itself <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">(due
to</span> <span class="diff-added-words"style="background-color: #dfd;">(because
of</span> being an ancestor of the client application) or in the client plan itself.
 The security realm configuration is exactly the same on the client and server, <span class="diff-added-words"style="background-color:
#dfd;">by</span> using the GenericSecurityRealm GBean. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. Logging &quot;in&quot;
to OpenEjb. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >One common use of application
clients is as ejb clients.  In this case, you will want to provide who the client is run by
to the openejb so that the openejb can apply the authentication rules properly.  You do this
by using the OpenejbRemoteLoginModule which uses the openejb protocol to log <span class="diff-changed-words">in<span
class="diff-added-chars"style="background-color: #dfd;"> </span>to</span> the
server and provide a token used in subsequent calls to the openejb.  Note that by default,
ejbd communication is unsecure and this token <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">may</span>
<span class="diff-added-words"style="background-color: #dfd;">might</span> be
eavesdropped and used by others. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Here&#39;s a typical
configuration for this scenario: <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Note that there are two options:
the server side security realm name to log <span class="diff-changed-words">in<span
class="diff-added-chars"style="background-color: #dfd;"> </span>to</span> server-side,
and the URI for the openejb listener. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>By providing an appropriate
CallbackHandler and security realm such as this on the client, when the client is started
the callback handler will obtain the required user name and password and this login module
will log in to Geronimo over the openejb ejbd protocol.  The resulting token is stored in
the client side Subject for use in subsequent ejb related calls to openejb. <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="ConfiguringJavaEEAppClientSecurity-Overview"></a>Overview</h2>

<p>Application client security starts with specifying the CallbackHandler that you want
to use in the application client deployment descriptor (in Geronimo) or in a similar element
in the Geronimo deployment plan.  In Geronimo, this callback handler is run as soon as the
client is activated and before the main method of the main class is called.</p>

<p>For a CallbackHandler to work, a security realm must be configured, and it must be
defined on the client.  You can configure it in any plugin that will be started before the
client application itself (because it is an ancestor of the client application) or in the
client plan itself.  The security realm configuration is exactly the same on the client and
on the server: both use the GenericSecurityRealm GBean.</p>

<h2><a name="ConfiguringJavaEEAppClientSecurity-Logging%22in%22toOpenEjb."></a>Logging
"in" to OpenEjb.</h2>

<p>One common use of application clients is as ejb clients.  In this case you want to
tell the openejb who the client is running as, so that the openejb can apply its
authentication rules properly.  You do this with the OpenejbRemoteLoginModule, which uses
the openejb protocol to log in to the server and obtains a token that is presented on
subsequent calls to the openejb.  Note that by default ejbd communication is not secured,
so this token might be eavesdropped and reused by others.</p>

<p>Here's a typical configuration for this scenario:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
    &lt;gbean name=<span class="code-quote">"remote-openejb-realm"</span>
        class=<span class="code-quote">"org.apache.geronimo.security.realm.GenericSecurityRealm"</span>&gt;
        &lt;attribute name=<span class="code-quote">"realmName"</span>&gt;remote-openejb-realm&lt;/attribute&gt;
        &lt;xml-reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;
            &lt;lc:login-config xmlns:lc=<span class="code-quote">"http://geronimo.apache.org/xml/ns/loginconfig-1.2"</span>&gt;
                &lt;lc:login-module control-flag=<span class="code-quote">"REQUIRED"</span>&gt;
                    &lt;lc:login-domain-name&gt;remote-openejb-realm&lt;/lc:login-domain-name&gt;
                    &lt;lc:login-module-class&gt;org.apache.geronimo.openejb.OpenejbRemoteLoginModule&lt;/lc:login-module-class&gt;
                    &lt;lc:option name=<span class="code-quote">"RemoteSecurityRealm"</span>&gt;test-realm&lt;/lc:option&gt;
                    &lt;lc:option name=<span class="code-quote">"ServerURI"</span>&gt;ejbd://localhost:4201&lt;/lc:option&gt;
                &lt;/lc:login-module&gt;
            &lt;/lc:login-config&gt;
        &lt;/xml-reference&gt;
        &lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;
            &lt;name&gt;ServerInfo&lt;/name&gt;
        &lt;/reference&gt;
    &lt;/gbean&gt;
</pre>
</div></div>

<p>Note the two options: RemoteSecurityRealm, the name of the server-side security realm
to log in to, and ServerURI, the URI of the openejb listener.</p>

<p>With an appropriate CallbackHandler and a security realm such as this one configured on
the client, the callback handler obtains the required user name and password when the client
starts, and the login module logs in to Geronimo over the openejb ejbd protocol.  The
resulting token is stored in the client-side Subject for use in subsequent ejb-related calls
to the openejb.</p>
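<p>As an added example (not part of the original page or of Geronimo itself), here is a CallbackHandler of the kind the deployment descriptor names. It answers the NameCallback and PasswordCallback that the login module issues, reads the password without echo and wipes its copy after hand-over. The class name and the environment variable names are assumptions made for this example.</p>

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// CallbackHandler for a Geronimo application client. Geronimo runs it before main(); the
// realm's login module (OpenejbRemoteLoginModule in the plan above) asks it for the user name
// and password through NameCallback / PasswordCallback. Credentials come from the console or,
// when there is none, from APPCLIENT_USER / APPCLIENT_PASSWORD (names chosen for this example).
public class ConsoleCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                nc.setName(readUser(nc.getPrompt()));
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pw = readPassword(pc.getPrompt());
                pc.setPassword(pw);    // PasswordCallback keeps its own copy,
                Arrays.fill(pw, '\0'); // so wipe ours as soon as it is handed over.
            } else {
                // Refuse anything we cannot answer instead of silently returning nothing.
                throw new UnsupportedCallbackException(cb, "unsupported " + cb.getClass().getName());
            }
        }
    }

    private static String readUser(String prompt) {
        Console console = System.console();
        String user = console != null ? console.readLine("%s ", prompt) : System.getenv("APPCLIENT_USER");
        if (user == null || user.trim().isEmpty()) {
            throw new IllegalStateException("no user name supplied for the client login");
        }
        return user.trim();
    }

    private static char[] readPassword(String prompt) {
        Console console = System.console();
        String env = System.getenv("APPCLIENT_PASSWORD"); // only consulted when there is no console
        char[] pw = console != null ? console.readPassword("%s ", prompt) : (env == null ? null : env.toCharArray());
        if (pw == null || pw.length == 0) {
            throw new IllegalStateException("no password supplied for the client login");
        }
        return pw;
    }
}
```

<p>Name the class in the client's application-client.xml with the standard Java EE &lt;callback-handler&gt; element; Geronimo then runs it before the main method, as described above.</p>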
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxDOC30/Configuring+JavaEE+App+Client+Security">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=20645467&revisedVersion=2&originalVersion=1">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/GMOxDOC30/Configuring+JavaEE+App+Client+Security?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
