geronimo-user mailing list archives

Subject RE: JDBC Realms and geronimo-web.xml
Date Wed, 27 Dec 2006 16:15:20 GMT
Thanks for the response.  I'm using geronimo 1.1.1 so the password
hashing will have to wait for now. That just leaves me with the mapping
in the geronimo-web.xml.  

Hopefully I'll get this right and won't have to step backward to
standalone Tomcat.

So here goes.

I have three roles defined in my web.xml: PublicAccessRole,
RestrictedAccessRole, ApplicationAdministrativeRole.  The
RestrictedAccessRole will expand to a more granular makeup over time. 
These roles have been utilized in the web.xml to define
security-constraints on the specific URL patterns.

I have a users table, with user names and passwords, along with a
user_roles table that defines the user and role combination.  Do the
roles defined in the SQL table need to be the same as the role names
used in the web.xml, or is this the whole point of defining the role
mappings in the geronimo.xml? (A layer of abstraction between the web
app and the container)  I think this is what you are saying happens:)

At that point I can easily define the mappings between my web app and
tables.  Do I only need to do this role mapping for the
GeronimoGroupPrincipal?  The examples I've followed from DeveloperWorks
also utilize GeronimoUserPrincipal, which is what initially confused me.
I think they may have been defining hard-coded users in the
geronimo-web.xml at that point that circumvent the database table
users.  Do I need to define any GeronimoUserPrincipal definitions in
the geronimo-web.xml?

Also, I presume that I should probably define my PublicAccessRole or a
NoAccessRole as the default-principal.

Where can I find documentation on the Group/User roles and their usage
in the geronimo containers?

Thanks for the help.  I'd be interested in putting together a public
tutorial on this after I get it completely figured out.

> -------- Original Message --------
> Subject: Re: JDBC Realms and geronimo-web.xml
> From: "Vamsavardhana Reddy" <>
> Date: Tue, December 26, 2006 8:01 pm
> To:
> Hi Mark,
>  Which version of Geronimo are you using?  The "digest=..." option is supported in 1.2
> and not in any previous versions.
>  Regarding the security constraints, you will typically define one group per role for
> each of the roles defined in web.xml and use a GeronimoGroupPrincipal with the group name in
> the role-mapping section of geronimo-web.xml.  The role-mapping section in your geronimo-web.xml
> will look similar to the following:
>    <security>
>        <role-mappings>
>            <role role-name="admin">  <!-- This role-name is defined in web.xml -->
>                <!-- The value in the name attribute is from the group mapping in
>                     your JDBC realm, i.e., from the entries in the groups table. -->
>                <principal class="" name="admin-group"/>
>            </role>
>        </role-mappings>
>    </security>
>  Let me know if this helps or if you need more details.
>  Vamsi
> On 12/27/06, <> wrote:
> Hi All.  A relatively novice geronimo user here.  I'm working on using a
> security realm to define access in a web application. I've successfully
> installed geronimo (tomcat web container), configured a database pool to
> a MySQL database, and configured a JDBC Realm to the database pool that
> successfully authenticated at the completion of the security realm
> wizard.
> I have my Security Roles and Constraints along with the Login-Config
> defined in my web.xml.  I'm kind of lost on how the app roles defined
> in the web.xml and the roles defined in the user role table get tied 
> together in the geronimo-web.xml.  Can someone point me to a
> tutorial/documentation on this?  I've looked in the geronimo
> documentation without success.  Also, I've been following the IBM
> DeveloperWorks articles on this, but they don't cover this aspect. 
> Additionally, what's the appropriate method to turn on password digest
> hashing when using the JDBC Realm wizard?  I presume that a
> configuration option property like digest=MD5 might work?
> Thanks to all!  I'm really enjoying working with Geronimo. 
> Mark Aufdencamp
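
The thread turns on keeping the role names in web.xml and the role-mappings in geronimo-web.xml in step. As an added example (not code from either poster or from the Geronimo project), this Python check compares the two descriptors and reports roles that are constrained but undeclared, roles with no mapped principal, and mappings for roles web.xml does not know. The descriptors are trimmed, constructed samples, `audit_role_mappings` is a hypothetical helper name, and `class="PLACEHOLDER"` stands in for the principal class name that is missing from the archived message.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors using the three role names from the message.
WEB_XML = """<web-app>
  <security-constraint><auth-constraint>
    <role-name>ApplicationAdministrativeRole</role-name>
    <role-name>RestrictedAccessRole</role-name>
  </auth-constraint></security-constraint>
  <security-role><role-name>PublicAccessRole</role-name></security-role>
  <security-role><role-name>ApplicationAdministrativeRole</role-name></security-role>
</web-app>"""

# class="PLACEHOLDER" stands in for the principal class the archive elided.
PLAN_XML = """<web-app><security><role-mappings>
  <role role-name="ApplicationAdministrativeRole">
    <principal class="PLACEHOLDER" name="admin-group"/>
  </role>
  <role role-name="admin">
    <principal class="PLACEHOLDER" name="admin-group"/>
  </role>
</role-mappings></security></web-app>"""

def _find(root, name):
    """All descendants with this local name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _role_names(web, parent):
    """Role names listed under every <parent> element, minus the '*' wildcard."""
    return {(r.text or "").strip() for p in _find(web, parent)
            for r in _find(p, "role-name")} - {"*", ""}

def audit_role_mappings(web_xml, plan_xml):
    """Compare role names used in web.xml with role-mappings in the plan."""
    web, plan = ET.fromstring(web_xml), ET.fromstring(plan_xml)
    declared = _role_names(web, "security-role")
    constrained = _role_names(web, "auth-constraint")
    mapped = {r.get("role-name"): [p.get("name") for p in _find(r, "principal")]
              for r in _find(plan, "role")}
    return {
        # used in an auth-constraint but never declared as a security-role
        "undeclared": sorted(constrained - declared),
        # known to web.xml but mapped to no principal in the plan
        "unmapped": sorted(r for r in declared | constrained if not mapped.get(r)),
        # mapped in the plan but unknown to web.xml (typo or leftover)
        "stale": sorted(set(mapped) - declared - constrained),
    }

if __name__ == "__main__":
    print(audit_role_mappings(WEB_XML, PLAN_XML))
```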
