geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: JACC and JAAS configuration for ClearTrust
Date Mon, 12 Feb 2007 16:56:52 GMT

On Feb 12, 2007, at 4:52 AM, wrote:

> Trying to use JACC and JAAS configuration for ClearTrust (Access  
> Manager) 5.5 in Geronimo 1.1 - looks like it should work; but not  
> sure where to start.
> Is anyone already using ClearTrust (aka RSA Access Manager)?  I'm  
> hoping that someone has already accomplished configuring Geronimo  
> to use ClearTrust using just config.xml - or if someone could  
> advise whether there is new code I need to implement, and what the  
> correct way is to deploy it (surely not in my application archive).
> Having successfully implemented a web application using a  
> properties realm, the time has come for us to deploy to a secured  
> production environment.  In preparation for this, our ClearTrust  
> administrator has provisioned our IDs and we have groups set up  
> that match the roles we need.  Since the principals are named as  
> the application uses, no role mapping should be required (I think).
> After perusing the general JAAS and JACC documentation, as well as  
> that which is specific to Geronimo on the wiki (and the little bit  
> of JAAS info provided for ClearTrust) - it is not clear how to  
> configure the GeronimoLoginConfiguration GBean for the  
> GeronimoSecurityRealm with JaasLoginService (or  
> JaasLoginCoordinator) to replace what we were doing with the  
> properties realm.
> From what I understand, there is no login.conf in Geronimo because  
> the configurations are identified in the GBean; but the details of  
> the deployment plan are unclear.  For example, where do I tell the  
> configuration which ClearTrust JAAS class is the LoginModule?  Do I  
> use LoginModuleGBean (or JaasLoginModuleUse) to do that?  Do I  
> configure parameters such as the ClearTrust host name and port in  
> the options attribute?  Is this all declarative or do I implement  
> the ConfigurationEntryFactory interface in a jar to be deployed  
> apart from the application?  Can or should the <login-config> be  
> used instead?
> Chapter 15 of the Wrox book "Professional Apache Geronimo" gives  
> rather thorough coverage of JAAS and JACC and discusses the theory  
> of gbean configuation as it applies to JAAS, but it doesn't give  
> specifics that are similar enough to my needs for me to make the  
> mental connection.  Having "just enough" information I'm naively  
> tempted to write some code; but it seems like its an administration  
> component that someone coulda/shoulda done by now and that could  
> keep us from complicating the deployment by adding custom code  
> where it is not required.  Further, it seems to me that I could  
> waste a lot of time if I try to write a JACC adapter for the  
> ClearTrust JAAS implementation without asking the Geronimo  
> community if this is the right thing to do.  If someone has already  
> done this - great, I'm sure I'm not the only one who would like to  
> see your responses in the mail archives.  If not... cool, I get to  
> write some code!
> Although the primary and urgent need is for basic web security of  
> our application, it would be great to extend this to Geronimo's web  
> console admin access too.
> If it matters in this context, our deployment stack is Win2003/IBM  
> Java 5/WAS CE app 2.4

I'm not familiar with ClearTrust, but from your description it sounds  
like it provides one or more login modules where the result of using  
them is that you get a Subject populated with principals each of  
whose name represents a role ClearTrust knows about.

If this is the case you should not need to write any code, just  

Lets assume you only need one login module, of class  
com.ct.LoginModule, and the principals are of class  
com.ct.RolePrincipal.  Lets further assume that the possible options  
for the login module are host and port.

To set up a security realm that uses ClearTrust you'd include  
something like this to an appropriate geronimo plan, either a web app  
plan if you use only one web app, or a separate security module if  
you plan to use this for more than one application (as it appears you  
do from the comment about the admin console):

     <gbean name="cleartrust-realm"
         <attribute name="realmName">cleartrust-realm</attribute>
         <xml-reference name="LoginModuleConfiguration">
             <lc:login-config xmlns:lc=" 
                 <lc:login-module control-flag="REQUIRED" server- 
                     <lc:option name="host">localhost</lc:option>
                     <lc:option name="port">9999</lc:option>
         <reference name="ServerInfo">
         <reference name="LoginService">

At the moment in geronimo you always have to supply a principal-role  
mapping, even when it is trivial and obvious such as the principals  
directly representing the roles.  So, in the geronimo plan for your  
application, you need a <security..> element which will look  
something like this, assuming there are roles USER and ADMIN

       <security xmlns="">
         <default-principal realm-name="cleartrust-realm">
           <principal class="com.ct.RolePrincipal" name="USER"/>
           <role role-name="ADMIN">
             <realm realm-name="cleartrust-realm">
               <principal class="com.ct.RolePrincipal" name="ADMIN"/>
           <role role-name="USER">
             <realm realm-name="cleartrust-realm">
               <principal class="com.ct.RolePrincipal" name="USER"/>

The <realm....> elements are not necessary but they provide an extra  
measure of security that the principals are coming from the specified  
realm and not some other login module that happens to  produce  
ClearTrust principals.

You will also need to get the ClearTrust classes available to the  
login module configuration.  I advise installing the appropriate  
ClearTrust jars into the geronimo repository and using a dependency  
from your new login configuration module to those jars.  You can also  
put the jars in the shared/lib directory and make that a parent  
configuration of your login configuration.

 From your description it sounds like cleartrust provides role  
information rather than permission information.  In this case there's  
no need to implement a jacc provider.  If ClearTrust does provide  
finer grained permission information you might want to implement  
JACC, but you would have to use at least geronimo 2.0 (not yet  
released) for truly pluggable jacc.  (1.2 might also work if you  
don't use any run-as or default roles).

When you get this working would you consider contributing working  
sample plans?  It might also be great to have a plugin for this at, the non-apache geronimo plugin site I know about.

david jencks

>         - Lee

View raw message