geronimo-user mailing list archives

From ltha...@aep.com
Subject JACC and JAAS configuration for ClearTrust
Date Mon, 12 Feb 2007 12:52:21 GMT
Trying to use JACC and JAAS configuration for ClearTrust (Access Manager) 
5.5 in Geronimo 1.1 - looks like it should work; but not sure where to 
start.

Is anyone already using ClearTrust (aka RSA Access Manager)?  I'm hoping 
that someone has already accomplished configuring Geronimo to use 
ClearTrust using just config.xml - or if someone could advise whether 
there is new code I need to implement, and what the correct way is to 
deploy it (surely not in my application archive).

Having successfully implemented a web application using a properties 
realm, the time has come for us to deploy to a secured production 
environment.  In preparation for this, our ClearTrust administrator has 
provisioned our IDs and we have groups set up that match the roles we 
need.  Since the principals are named as the application uses, no role 
mapping should be required (I think).

After perusing the general JAAS and JACC documentation, as well as that 
which is specific to Geronimo on the wiki (and the little bit of JAAS info 
provided for ClearTrust) - it is not clear how to configure the 
GeronimoLoginConfiguration GBean for the GeronimoSecurityRealm with 
JaasLoginService (or JaasLoginCoordinator) to replace what we were doing 
with the properties realm.

From what I understand, there is no login.conf in Geronimo because the
configurations are identified in the GBean; but the details of the 
deployment plan are unclear.  For example, where do I tell the 
configuration which ClearTrust JAAS class is the LoginModule?  Do I use 
LoginModuleGBean (or JaasLoginModuleUse) to do that?  Do I configure 
parameters such as the ClearTrust host name and port in the options 
attribute?  Is this all declarative or do I implement the 
ConfigurationEntryFactory interface in a jar to be deployed apart from the 
application?  Can or should the <login-config> be used instead?

Chapter 15 of the Wrox book "Professional Apache Geronimo" gives rather 
thorough coverage of JAAS and JACC and discusses the theory of gbean 
configuration as it applies to JAAS, but it doesn't give specifics that are
similar enough to my needs for me to make the mental connection.  Having 
"just enough" information I'm naively tempted to write some code; but it 
seems like it's an administration component that someone coulda/shoulda
done by now and that could keep us from complicating the deployment by 
adding custom code where it is not required.  Further, it seems to me that 
I could waste a lot of time if I try to write a JACC adapter for the 
ClearTrust JAAS implementation without asking the Geronimo community if 
this is the right thing to do.  If someone has already done this - great, 
I'm sure I'm not the only one who would like to see your responses in the 
mail archives.  If not... cool, I get to write some code!

Although the primary and urgent need is for basic web security of our 
application, it would be great to extend this to Geronimo's web console 
admin access too.

If it matters in this context, our deployment stack is Win2003/IBM Java 
5/WAS CE 1.1.0.1/web app 2.4

        - Lee