geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Geronimo role security
Date Wed, 18 Jul 2007 07:57:36 GMT
run-as handling is completely different in 2.0.  Instead of  
constructing a subject out of xml, the run-as subject comes from  
logging into a login module just like any other subject.  You have to  
do several things:

-- set up a security realm so the desired subject can in fact be  
created by logging in as someone
-- set up a gbean that describes how to login as this subject, such as 

     <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
         <xml-attribute name="credentialStore">
             <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
                 <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
                 <realm name="geronimo-admin">
                     <subject>
                         <id>default</id>
                         <credential>
                             <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                             <value>system</value>
                         </credential>
                         <credential>
                             <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                             <value>manager</value>
                         </credential>
                     </subject>
                 </realm>
             </credential-store>
         </xml-attribute>
     </gbean>

Note that you have to supply the password here.  You can override the  
existing CredentialStore gbean in server-security-config in  
config.xml or create your own, perhaps in the geronimo plan for your  
app.

-- in the geronimo security configuration for the role, indicate the  
run-as subject (and default subject if you want one) by its realm and  
id as indicated in the CredentialStore gbean:

     <security>
         <credential-store>
             <pattern>
                 <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</name>
             </pattern>
         </credential-store>
         <!--<default-subject>-->
             <!--<realm>geronimo-admin</realm>-->
             <!--<id>default</id>-->
         <!--</default-subject>-->
         <role-mappings>
             <role role-name="admin">
                 <run-as-subject>
                     <realm>geronimo-admin</realm>
                     <id>default</id>
                 </run-as-subject>
                 <realm realm-name="geronimo-admin">
                     <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin"/>
                 </realm>
             </role>
         </role-mappings>
     </security>

I think that other than myself you are the first person to try this  
out so your comments would be definitely appreciated.

See also https://issues.apache.org/jira/browse/GERONIMO-2687

thanks
david jencks

On Jul 17, 2007, at 8:15 PM, Aman Nanner/MxI Technologies wrote:

> It would appear that the TomcatGeronimoRealm.hasResourcePermission(...)
> method does not apply the <run-as> role if one is defined.  If this is
> indeed the case, then I believe this is a bug....
>
> Aman Nanner/MxI Technologies <aman.nanner@mxi.com> wrote on 07-17-2007
> 10:55:23 PM:
>
>>
>> Hi,
>>
>> I'm using the latest Geronimo 2.0 snapshot from the codebase.  I understand
>> that security has changed somewhat from Geronimo 1.2.  I'm running into an
>> issue where I have a JSP with a specific "run-as" role calling a secured
>> EJB.  This JSP has its run-as role defined in the web.xml as follows:
>>
>> ----
>>    <servlet>
>>       <servlet-name>MessagePage</servlet-name>
>>       <jsp-file>/common/Message.jsp</jsp-file>
>>       <run-as>
>>          <role-name>TESTSYSTEM</role-name>
>>       </run-as>
>>    </servlet>
>> ----
>>
>>
>> I have a default run-as role mapped in my geronimo-application.xml in my
>> EAR as follows:
>>
>> ----
>>    <security:security>
>>       <security:default-principal>
>>          <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="" />
>>       </security:default-principal>
>>       <security:role-mappings>
>>          <security:role role-name="TESTSYSTEM">
>>             <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="test-system" designated-run-as="true" />
>>          </security:role>
>>       </security:role-mappings>
>>    </security:security>
>> ----
>>
>> This used to work in Geronimo 1.2, but it appears now that the JSP does not
>> run with the run-as principal; rather it seems that it runs with no
>> principals.  Therefore, the call to the secured EJB causes a security
>> access exception.  Is this supposed to work the same way in Geronimo 2.0?
>> If so, then maybe this is a problem in Tomcat ....
>>
>> Thanks,
>> Aman
>>
>>
> ______________________________________________________________________ 
> ____________
>
>> * This message is intended only for the use of the individual or
>> entity to which it is addressed, and may contain information that is
>> privileged, confidential and exempt from disclosure under applicable
>> law. Unless you are the addressee (or authorized to receive for the
>> addressee), you may not use, copy or disclose the message or any
>> information contained in the message. If you have received this
>> message in error, please advise the sender by reply e-mail , and
>> delete the message, or call (collect) 001 613 747 4698. *
>>
>
>
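The two fragments in David's reply have to agree with each other: the credential-store pattern name in the security section must name the CredentialStore gbean, and every run-as-subject (or default-subject) realm/id must be a subject that store can actually log in as, because in 2.0 the run-as subject is a real login rather than a subject assembled from XML. The script below is an added example, not code from this thread or from Apache Geronimo. It parses a constructed plan that combines both pieces and reports those mismatches; the security-2.0 namespace URI, the overall plan layout, the second TESTSYSTEM role with a "test-system" id, and the function names are assumptions made for the illustration. Note that the plan in the thread names the gbean "CredentialStore" but references "MyCredentialStore" from the pattern, which is exactly the kind of mismatch the check flags.

```python
"""Cross-check run-as subjects in a Geronimo 2.0 plan against its CredentialStore.

Added example, not code from this thread or from Apache Geronimo.  The plan
below is constructed for the illustration; the security-2.0 namespace URI and
the TESTSYSTEM role/subject are assumptions, not taken from the thread.
"""
import xml.etree.ElementTree as ET

NS_DEP = "http://geronimo.apache.org/xml/ns/deployment-1.2"
NS_CS = "http://geronimo.apache.org/xml/ns/credentialstore-1.0"
NS_SEC = "http://geronimo.apache.org/xml/ns/security-2.0"  # assumed namespace for <security>

# Constructed plan: the CredentialStore gbean plus the <security> section from the
# thread, with a second role whose run-as subject does not exist in the store.
SAMPLE_PLAN = f"""<plan xmlns="{NS_DEP}" xmlns:sec="{NS_SEC}">
  <gbean name="CredentialStore"
         class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
    <xml-attribute name="credentialStore">
      <credential-store xmlns="{NS_CS}">
        <realm name="geronimo-admin">
          <subject>
            <id>default</id>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
              <value>system</value>
            </credential>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
              <value>manager</value>
            </credential>
          </subject>
        </realm>
      </credential-store>
    </xml-attribute>
  </gbean>
  <sec:security>
    <sec:credential-store>
      <sec:pattern><name>MyCredentialStore</name></sec:pattern>
    </sec:credential-store>
    <sec:role-mappings>
      <sec:role role-name="admin">
        <sec:run-as-subject><sec:realm>geronimo-admin</sec:realm><sec:id>default</sec:id></sec:run-as-subject>
      </sec:role>
      <sec:role role-name="TESTSYSTEM">
        <sec:run-as-subject><sec:realm>geronimo-admin</sec:realm><sec:id>test-system</sec:id></sec:run-as-subject>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</plan>
"""


def credential_store_subjects(root):
    """Return {gbean name: {(realm, id), ...}} for every SimpleCredentialStoreImpl gbean."""
    stores = {}
    for gbean in root.iter(f"{{{NS_DEP}}}gbean"):
        if not gbean.get("class", "").endswith("SimpleCredentialStoreImpl"):
            continue
        subjects = set()
        for realm in gbean.iter(f"{{{NS_CS}}}realm"):
            for subject in realm.findall(f"{{{NS_CS}}}subject"):
                subjects.add((realm.get("name"), subject.findtext(f"{{{NS_CS}}}id")))
        stores[gbean.get("name")] = subjects
    return stores


def check_run_as(plan_xml):
    """Return a list of problems; an empty list means every run-as reference can be logged in."""
    root = ET.fromstring(plan_xml)
    stores = credential_store_subjects(root)
    problems = []
    for security in root.iter(f"{{{NS_SEC}}}security"):
        store_name = security.findtext(
            f"{{{NS_SEC}}}credential-store/{{{NS_SEC}}}pattern/{{{NS_DEP}}}name")
        if store_name in stores:
            known = stores[store_name]
        else:
            problems.append(f"credential-store pattern '{store_name}' matches no "
                            f"CredentialStore gbean in this plan (have {sorted(stores)})")
            # keep checking the subjects against every store we did find
            known = set().union(*stores.values())
        refs = []
        default = security.find(f"{{{NS_SEC}}}default-subject")
        if default is not None:
            refs.append(("default-subject", default))
        for role in security.iter(f"{{{NS_SEC}}}role"):
            run_as = role.find(f"{{{NS_SEC}}}run-as-subject")
            if run_as is not None:
                refs.append((f"run-as-subject of role '{role.get('role-name')}'", run_as))
        for label, element in refs:
            key = (element.findtext(f"{{{NS_SEC}}}realm"), element.findtext(f"{{{NS_SEC}}}id"))
            if key not in known:
                problems.append(f"{label} names realm/id {key}, which no credential store "
                                "in this plan can log in as")
    return problems


if __name__ == "__main__":
    for problem in check_run_as(SAMPLE_PLAN) or ["run-as configuration is consistent"]:
        print(problem)
```

Run against the constructed plan it reports the pattern-name mismatch and the missing "test-system" subject; rename the pattern to "CredentialStore" and point the second role at an id the store knows and it reports nothing. Since the credential store carries the run-as password in the clear (the "manager" value above), the plan or config.xml that holds it is secret material and deserves the same handling as the realm's own user and password files.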

