Trying to use JACC and JAAS configuration
for ClearTrust (Access Manager) 5.5 in Geronimo 1.1 - looks like it should
work; but not sure where to start.
Is anyone already using ClearTrust (aka
RSA Access Manager)? I'm hoping that someone has already accomplished
configuring Geronimo to use ClearTrust using just config.xml - or if someone
could advise whether there is new code I need to implement, and what the
correct way is to deploy it (surely not in my application archive).
Having successfully implemented a web
application using a properties realm, the time has come for us to deploy
to a secured production environment. In preparation for this, our
ClearTrust administrator has provisioned our IDs and we have groups set
up that match the roles we need. Since the principals are named as
the application uses, no role mapping should be required (I think).
After perusing the general JAAS and
JACC documentation, as well as that which is specific to Geronimo on the
wiki (and the little bit of JAAS info provided for ClearTrust) - it is
not clear how to configure the GeronimoLoginConfiguration GBean for the
GeronimoSecurityRealm with JaasLoginService (or JaasLoginCoordinator) to
replace what we were doing with the properties realm.
From what I understand, there is no
login.conf in Geronimo because the configurations are identified in the
GBean; but the details of the deployment plan are unclear. For example,
where do I tell the configuration which ClearTrust JAAS class is the LoginModule?
Do I use LoginModuleGBean (or JaasLoginModuleUse) to do that? Do
I configure parameters such as the ClearTrust host name and port in the
options attribute? Is this all declarative or do I implement the
ConfigurationEntryFactory interface in a jar to be deployed apart from
the application? Can or should the <login-config> be used instead?
Chapter 15 of the Wrox book "Professional
Apache Geronimo" gives rather thorough coverage of JAAS and JACC and
discusses the theory of gbean configuration as it applies to JAAS, but it
doesn't give specifics that are similar enough to my needs for me to make
the mental connection. Having "just enough" information
I'm naively tempted to write some code; but it seems like it's an administration
component that someone coulda/shoulda done by now and that could keep us
from complicating the deployment by adding custom code where it is not
required. Further, it seems to me that I could waste a lot of time
if I try to write a JACC adapter for the ClearTrust JAAS implementation
without asking the Geronimo community if this is the right thing to do.
If someone has already done this - great, I'm sure I'm not the only
one who would like to see your responses in the mail archives. If
not... cool, I get to write some code!
Although the primary and urgent need
is for basic web security of our application, it would be great to extend
this to Geronimo's web console admin access too.
If it matters in this context, our deployment
stack is Win2003/IBM Java 5/WAS CE 220.127.116.11/web app 2.4
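The declarative route the post is asking about, shown as an added illustration that is not from the original thread, from RSA, or from the Geronimo project: a standalone Geronimo 1.1 security-realm plan that wires a vendor JAAS LoginModule through LoginModuleGBean, JaasLoginModuleUse and GenericSecurityRealm, so no custom code or login.conf is needed. The LoginModule class name, the option keys and the moduleId are placeholders, the vendor jar is assumed to be added to the environment's dependencies, and the plan skeleton and GBean attribute/reference names are written from memory of the 1.1 schema, so compare them with the realms already defined in the server's var/config/config.xml before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not project code: a Geronimo 1.1 realm plan deployed
     on its own (never inside the application archive). The web app's
     geronimo-web.xml then names this realm in <security-realm-name>.
     PLACEHOLDER marks values that come from your ClearTrust installation.
     Element, attribute and reference names are from memory of the 1.1
     schema and must be checked against the server's shipped realms. -->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
  <environment>
    <moduleId>
      <groupId>PLACEHOLDER</groupId>
      <artifactId>cleartrust-realm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <!-- Assumed: a <dependencies> entry here for the vendor JAAS jar, installed
         in the server repository so the app archive stays free of it. -->
  </environment>

  <!-- 1. The realm: this name is what <security-realm-name> refers to. -->
  <gbean name="cleartrust-realm"
         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">cleartrust-realm</attribute>
    <reference name="LoginModuleConfiguration"><name>cleartrust-use</name></reference>
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
    <reference name="LoginService"><name>JaasLoginService</name></reference>
  </gbean>

  <!-- 2. The JAAS stack entry. REQUIRED means a ClearTrust failure fails
          the login outright; there is no fallback to a weaker module. -->
  <gbean name="cleartrust-use"
         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule"><name>cleartrust-module</name></reference>
  </gbean>

  <!-- 3. The LoginModule definition: loginModuleClass is the vendor's JAAS
          class, and options carries its key=value settings (one per line)
          in place of a login.conf entry. Keys are PLACEHOLDERs for the
          ones the vendor's LoginModule documents. -->
  <gbean name="cleartrust-module"
         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">PLACEHOLDER.ClearTrustLoginModule</attribute>
    <attribute name="serverSide">true</attribute>
    <attribute name="loginDomainName">cleartrust</attribute>
    <attribute name="options">
      host=PLACEHOLDER-cleartrust-host
      port=PLACEHOLDER-port
    </attribute>
  </gbean>
</module>
```

Because the realm is a separately deployed module, the same realm name can later be given to the web console's security configuration without touching the application.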