geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: Security Realm Error
Date Wed, 08 Mar 2006 12:43:23 GMT
I think that UnsupportedCallbackException is kind of expected.  If I
remember right, we call the login module once just to establish what
callbacks it wants, and we call it a second time to do the actual
login.  So the fact that it gets called once and an exception is
thrown should be OK, just don't do anything hasty.  When it gets
called the second time the login should work.

Now, looking back at your web app plan, I see this:

    <security>
        <default-principal>
            <principal name="anonymous"
            class="com.ias.ibms.auth.IBMSRole"
            />
        </default-principal>
    </security>

That doesn't actually map any user to any J2EE roles.  In other words,
no logins are treated as members of the IBMS J2EE role, so even if the
login to the web app is valid, the user probably gets an access denied
error.  To fix, that, you need to list the login module principals
that should be members of the J2EE role named IBMS, like this:

    <security>
        <default-principal>
            <principal name="anonymous"
            class="com.ias.ibms.auth.IBMSRole"
            />
        </default-principal>
        <role-mapping>
          <role role-name="IBMS">
            <principal name="some-principal-name"
            class="com.ias.ibms.auth.IBMSRole"
            />
          </role>
        </role-mapping>
        </role>
    </security>

So the combination of the principal class (com...IBMSRole) and
principal name (some-principal-name) should uniquely identify a
principal returned by the login module.  (e.g. some modules return
both user principals and group principals and a particular login may
get some of both, and there could be users and groups with the same
name like 'administrator').  You can list more than one role in the
role-mapping section and more than one principal in each role section
if you want to do more extensive mapping (e.g. 2 users and 3 groups
should all count as members of the "IBMS" role).

For more details, you can look at:

http://chariotsolutions.com/geronimo/web-plan.html#web-plan-security

Particularly example 11.5.

Thanks,
    Aaron


On 3/8/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
>  Hi,
>
>  I'm still having trouble deploying the security realm. The realm itself is
> now deployed, but when trying to authenticate a user at the webapp I'm
> getting an UnsupportedCallbackException.
>
>  Actually I'm tracing it and it calls the LoginModule's login() method
> twice. The first time it throws the exception but the second one it does
> pass back the username and password through the callbacks.
>
>  The module and the webapp are working fine inside a stand-alone Tomcat. Any
> directions?
>
>  Thanks,
>
>      Yeray Cabrera
>
>
>
>  Yeray Cabrera escribió:
>  Thanks Vamsavardhana!
>
>  It's running fine.
>
>  But I had trying to deploy the security realm configuration plan by command
> line and it did not run. Now I deploy the security realm configuration plan
> by web console.
>
>  Thanks
>
>         Yeray Cabrera
>
>  Vamsavardhana Reddy escribió:
> Hi Yeray,
>
>  The dependency you have included in geronimo-web.xml needs to go into this
> security realm configuration plan.  You do not need that dependency tag in
> geronimo-web.xml
>
>  Uninstall the configuration "SecurityRealm-ibms" from application
> management portlets.  Create a security realm plan xml separately.  You can
> simply add the dependency tag to the security realm plan you have sent
> earlier and deploy this newly created plan.
>
>  Vamsi
>
>
> On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
> >
> > This is the deployment plan:
> >
> > <configuration configId="SecurityRealm-ibms"
> xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
> >     <gbean name="ibms"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >         <attribute name="realmName">ibms</attribute>
> >         <reference name="ServerInfo">
> >
> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >         </reference>
> >         <reference name="LoginService">
> >
> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >         </reference>
> >         <xml-reference name="LoginModuleConfiguration">
> >             <log:login-config
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
> >                 <log:login-module control-flag="REQUIRED"
> server-side="true" wrap-principals="false">
> >
> <log:login-domain-name>ibms</log:login-domain-name>
> >
> <log:login-module-class>com.ias.ibms.auth.nullauth.NullAuthLogin</log:login-module-class>
> >                 </log:login-module>
> >             </log:login-config>
> >         </xml-reference>
> >     </gbean>
> > </configuration>
> >
> >
> > Vamsavardhana Reddy escribió:
> >
> > Yeray,
> >
> > Can you copy paste the plan for the security realm.  To see the plan,
> access the Security Realms portlet in Admin Console, Click on "edit" for the
> realm and click on "Show plan" button in the next page.
> >
> > -Vamsi
> >
> > On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
> > >
> > > Hi Vamsavardhana,
> > >
> > > I used the wizard in Geronimo console and I see it´s "running" in
> Security Realms menu
> > >
> > > I deployed with the following web.xml :
> > >
> > > <web-app>
> > > .....
> > >      <login-config>
> > >         <auth-method>FORM</auth-method>
> > >           <realm-name>Example Form-Based Authentication
> Area</realm-name>
> > >           <form-login-config>
> > >
> <form-login-page>/login.vm</form-login-page>
> > >
> <form-error-page>/error.vm</form-error-page>
> > >          </form-login-config>
> > >     </login-config>
> > >
> > >     <security-role>
> > >       <role-name>IBMS</role-name>
> > >      </security-role>
> > >
> > >     <security-constraint>
> > >         <display-name>IBMS
> Security-Constraint</display-name>
> > >         <web-resource-collection>
> > >             <web-resource-name>Protected Area</web-resource-name>
> > >             <url-pattern>administration/*</url-pattern>
> > >                <url-pattern>backoffice/*</url-pattern>
> > >                <url-pattern>hotel/*</url-pattern>
> > >                <url-pattern>maintenance/*</url-pattern>
> > >                <url-pattern>management/*</url-pattern>
> > >                <url-pattern>index/*</url-pattern>
> > >                <url-pattern>*.do</url-pattern>
> > >             <http-method>DELETE</http-method>
> > >             <http-method>GET</http-method>
> > >             <http-method>POST</http-method>
> > >             <http-method>PUT</http-method>
> > >         </web-resource-collection>
> > >         <auth-constraint>
> > >             <role-name>IBMS</role-name>
> > >         </auth-constraint>
> > >     </security-constraint>
> > >
> > > </web-app>
> > >
> > > Thanks,
> > >
> > >     Yeray Cabrera
> > >
> > >
> > >
> > > Vamsavardhana Reddy escribió:
> > >
> > > How is the Security Realm deployed?  I don't see it is part of the web
> application.
> > >
> > > -Vamsi
> > >
> > >
> > > On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I´m trying to deploy a War in Geronimo with my own Security Realm.
> > > >
> > > > First, I add an entry in Common libraries (the jar containing my
> classes)
> > > >
> > > > Next, I add a security realm.
> > > >
> > > > And finally, I deploy my a web app with the following deployment plan:
> > > >
> > > >
> ----------------------------------------------------------------------------------------------------------
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <web-app
> > > >     xmlns="http://geronimo.apache.org/xml/ns/web"
> > > >
> xmlns:naming="http://geronimo.apache.org/xml/ns/naming"
> > > >     configId="ibms"
> > > >     parentId="geronimo/j2ee-server/1.0/car">
> > > >
> > > >     <dependency>
> > > >         <uri>ibms/ibmsauth/0.9.1/jar</uri>
> > > >     </dependency>
> > > >
> > > >     <context-root>/ibms</context-root>
> > > >
> <context-priority-classloader>true</context-priority-classloader>
> > > >
> > > >     <security-realm-name>ibms</security-realm-name>
> > > >     <security>
> > > >         <default-principal>
> > > >             <principal name="anonymous"
> > > >             class="com.ias.ibms.auth.IBMSRole"
> > > >             />
> > > >         </default-principal>
> > > >     </security>
> > > > </web-app>
> > > >
> ----------------------------------------------------------------------------------------------------------
> > > >
> > > > The deploy is correct but when I try to access to my application ,
> occurs the following exception:
> > > >
> > > >
> ----------------------------------------------------------------------------------------------------------
> > > > 10:40:09,241 WARN  [TomcatGeronimoRealm] Login exception
> authenticating username "pancho"
> > > > javax.security.auth.login.LoginException:
> org.apache.geronimo.common.GeronimoSecurityException:
> Unable to instantiate login module
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:71)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasSecuritySession.<init>(JaasSecuritySession.java:64)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginService.initializeClient(JaasLoginService.java:353)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginService.connectToRealm(JaasLoginService.java:169)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginService$$FastClassByCGLIB$$95b84fc9.invoke(<generated>)
> > > >         at
> net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
> > > >         at
> org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
> > > >         at
> org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:118)
> > > >         at
> org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:800)
> > > >         at
> org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
> > > >         at
> org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:36)
> > > >         at
> org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginServiceMBean$$EnhancerByCGLIB$$901db4a3.connectToRealm(<generated>)
> > > >         at
> org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(JaasLoginCoordinator.java:95)
> > > > ...
> > > > Caused by: java.lang.ClassNotFoundException:
> com.ias.ibms.auth.nullauth.NullAuthLogin
> > > >         at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
> > > >         at
> java.security.AccessController.doPrivileged(Native Method)
> > > >         at
> java.net.URLClassLoader.findClass(URLClassLoader.java:188)
> > > >         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
> > > >         at
> org.apache.geronimo.kernel.config.MultiParentClassLoader.loadClass(MultiParentClassLoader.java:209)
> > > >         at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
> > > >         at
> org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:69)
> > > >         ... 44 more
> > > >
> ----------------------------------------------------------------------------------------------------------
> > > >
> > > > Have somebody an idea,why the class is not found? I see it in common
> libraries
> > > >
> > > > Thanks,
> > > >
> > > >
> > > >     Yeray Cabrera
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
> --
>  Yeray Cabrera Santana
>  Integra Soluciones Avanzadas, S.L.
>  Tlf: +34928465203
>  C/ Juan Domínguez Pérez 28, Urb El Sebadal
>  Las Palmas de Gran Canaria (35008)
>  SPAIN
>
>

Mime
View raw message