geronimo-user mailing list archives

From David Jencks <>
Subject Re: JDBC Realms and geronimo-web.xml
Date Wed, 27 Dec 2006 17:48:28 GMT

On Dec 27, 2006, at 11:15 AM, wrote:

> Thanks for the response.  I'm using geronimo 1.1.1 so the password
> hashing will have to wait for now. That just leaves me with the mapping
> in the geronimo-web.xml.
> Hopefully I'll get this right and won't have to step backward to stand
> alone Tomcat.
> So here goes.
> I have three roles defined in my web.xml: PublicAccessRole,
> RestrictedAccessRole, ApplicationAdministrativeRole.  The
> RestrictedAccessRole will expand to a more granular makeup over time.
> These roles have been utilized in the web.xml to define
> security-constraints on the specific URL patterns.
> I have a users table, with user names and passwords, along with a
> user_roles table that defines the user and role combination.  Do the
> roles defined in the SQL table need to be the same as the role names
> used in the web.xml, or is this the whole point of defining the role
> mappings in the geronimo.xml? (A layer of abstraction between the web
> app and the container)  I think this is what you are saying happens:)


> At that point I can easily define the mappings between my web app and
> tables.  Do I only need to do this role mapping for the
> GeronimoGroupPrincipal?


> The examples I've followed from DeveloperWorks
> also utilize GeronimoUserPrincipal which is what initially confused me.
>  I think they may have been defining hard coded users in the
> geronimo-web.xml at that point that circumvent the database table
> users.  Do I need to define any GeronimoUserPrincipal definitions in
> the geronimo-web.xml?
Not unless you want to give particular users particular app roles.

> Also, I presume that I should probably define my PublicAccessRole or a
> NoAccessRole as the default-principal.

that sounds reasonable.
> Where can I find documentation on the Group/User roles and their usage
> in the geronimo containers?

It's a bit difficult to figure out how to document in general since  
the principal-role mapping is completely generic and our provided  
login modules, while working fine, are not particularly  
sophisticated.  In particular there isn't very good management of the  
identity store in back of our login modules (e.g. the tables the jndi  
login module uses).  We've sort of assumed that most users will have  
a corporate identity management solution in place that comes with one  
or more login modules that provide non-geronimo-centric principals  
that need to be mapped to the app roles, so that's what the geronimo  
security principal-role mapping xml is for.

There's also (theoretically) an option to completely replace the jacc  
subsystem with another jacc provider.  I've been looking at adapting  
the apache directory triplesec project for this purpose.

> Thanks for the help.  I'd be interesting in putting together a public
> tutorial on this after I get it completely figured out.

All documentation is more than welcome!!

david jencks

>> -------- Original Message --------
>> Subject: Re: JDBC Realms and geronimo-web.xml
>> From: "Vamsavardhana Reddy" <>
>> Date: Tue, December 26, 2006 8:01 pm
>> To:
>> Hi Mark,
>>  Which version of Geronimo are you using?  The "digest=..." option  
>> is supported in 1.2 and not in any previous versions.
>>  Regarding the security constraints, you will typically define one  
>> group per role for each the roles defined in web.xml and use a  
>> GeronimoGroupPrincipal with the group name in the role-mapping  
>> section of geronimo-web.xml .  The role-mapping section in your  
>> geronimo-web.xml will look similar to the following:
>>    <security>
>>        <role-mappings>
>>            <role role-name="admin">  <!-- This role-name is defined in web.xml -->
>>                <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>                           name="admin-group"/>  <!-- This value in the name attribute
>>                           is from group mapping in your JDBC realm, i.e., from the entries
>>                           in groups table. -->
>>            </role>
>>        </role-mappings>
>>    </security>
>>  Let me know if this helps or if you need more details.
>>  Vamsi
>> On 12/27/06, <> wrote: Hi
>> All.  A relatively novice geronimo user here.  I'm working on using a
>> security realm to define access in a web application. I've successfully
>> installed geronimo (tomcat web container), configured a database pool to
>> a MySQL database, and configured a JDBC Realm to the database pool that
>> successfully authenticated at the completion of the security realm wizard.
>> I have my Security Roles and Constraints along with the Login-Config
>> defined in my web.xml.  I'm kind of lost on how the app roles defined
>> in the web.xml and the roles defined in the user role table get tied
>> together in the geronimo-web.xml.  Can someone point me to a
>> tutorial/documentation on this?  I've looked in the geronimo
>> documentation without success.  Also, I've been following the IBM
>> DeveloperWorks articles on this, but they don't cover this aspect.
>> Additionally, what's the appropriate method to turn on password digest
>> hashing when using the JDBC Realm wizard?  I presume that a
>> configuration option property like digest=MD5 might work?
>> Thanks to all!  I'm really enjoying working with Geronimo.
>> Mark Aufdencamp
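As an added example (not code from this thread or from the Geronimo project): a small Python check that ties the three pieces discussed above together. It reads the three roles from a constructed web.xml, a constructed geronimo-web.xml security section that maps them to GeronimoGroupPrincipal groups, and constructed user_roles rows, and reports any web.xml role that has no mapping or maps to a group no user holds. The default-principal layout is assumed from the snippet above, and namespaces are dropped so the parser can match plain tag names.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the three roles named in the thread.
WEB_XML = """<web-app>
  <security-role><role-name>PublicAccessRole</role-name></security-role>
  <security-role><role-name>RestrictedAccessRole</role-name></security-role>
  <security-role><role-name>ApplicationAdministrativeRole</role-name></security-role>
</web-app>"""
GROUP_CLASS = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
# Constructed geronimo-web.xml security section (namespaces omitted so plain tag
# names match).  Group names differ from role names on purpose: the mapping ties them.
GERONIMO_WEB_XML = f"""<web-app>
  <security>
    <default-principal>
      <principal class="{GROUP_CLASS}" name="public"/>
    </default-principal>
    <role-mappings>
      <role role-name="PublicAccessRole">
        <principal class="{GROUP_CLASS}" name="public"/>
      </role>
      <role role-name="ApplicationAdministrativeRole">
        <principal class="{GROUP_CLASS}" name="admins"/>
      </role>
    </role-mappings>
  </security>
</web-app>"""
# Constructed rows of the JDBC realm's user_roles table: (user_name, group_name).
USER_ROLES = [("mark", "public"), ("alice", "public")]


def check_role_mappings(web_xml, geronimo_web_xml, user_roles):
    """Cross-check web.xml roles, geronimo-web.xml role-mappings and the groups
    present in user_roles.  Returns a list of findings; empty means consistent."""
    web_roles = {e.text.strip() for e in
                 ET.fromstring(web_xml).findall(".//security-role/role-name")}
    mapped = {}
    for role in ET.fromstring(geronimo_web_xml).iter("role"):
        mapped[role.get("role-name")] = {p.get("name") for p in role.iter("principal")
                                         if p.get("class") == GROUP_CLASS}
    db_groups = {group for _user, group in user_roles}
    findings = []
    for r in sorted(web_roles - mapped.keys()):
        findings.append(f"web.xml role {r} has no role-mapping, so no user can hold it")
    for r in sorted(mapped.keys() - web_roles):
        findings.append(f"role-mapping {r} is not a security-role in web.xml")
    for r, groups in sorted(mapped.items()):
        for g in sorted(groups - db_groups):
            findings.append(f"role {r} maps to group {g}, which no user_roles row grants")
    return findings
```

Calling `check_role_mappings(WEB_XML, GERONIMO_WEB_XML, USER_ROLES)` on the constructed input reports RestrictedAccessRole as unmapped and the admins group as granted to nobody; both are the silent failure modes of a mismatch between the three files.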
