geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: EJB Authentication Problem
Date Mon, 24 Sep 2007 19:23:25 GMT

On Sep 24, 2007, at 2:17 PM, Kory Markevich wrote:

> I've been doing some research into using Geronimo 2.0.1 to host some
> EJB3 session beans, interacting with a stand-alone client.  I can
> connect to the server and call methods fine, but I've encountered some
> difficulties with security.  Specifically I've tried using
> Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS when
> creating the InitialContext, but this seems to be broken.  After some
> tracing it seems that
> org.apache.geronimo.openejb.GeronimoSecurityService.login( ) tries to
> create a LoginContext with a null security realm, which throws an
> exception and prevents authentication.  I noticed that the latest
> version of OpenEJB has added the key openejb.authentication.realmName,
> but this is not available in 2.0.1 (and it seems a bit backward having
> to have the client specify the security realm.)
>
> I have been able to use
> org.apache.openejb.client.ClientSecurity.directAuthentication( ) to
> successfully authenticate, but it seems a bit hacky and is very OpenEJB
> specific (and also requires the client to provide the realm name.)
>
> Is there something I'm missing or doing wrong?  I'm fairly new to EE
> stuff so hopefully it's just some newbie mistake.

I think this is what you need to do.  With openejb standalone the  
login-by-getting-jndi might work better.  We could fix it in geronimo  
by having you supply a realm name :-)

If you have a better idea I'm all ears.  The problem I see with  
configuring the realm name in the server is that you are getting a  
global jndi tree containing all ejbs.  I think we need to support  
each ejb app being deployed to a different security realm, but all of  
them accessing the ejbs through the same global jndi tree and network  
port.  I haven't figured out how to resolve these conflicting needs  
without having the client supply the realm name it intends to use to  
log in.


>
> BTW, a couple other things I noticed:
>
> - EJB security is disabled if the geronimo-application.xml doesn't at
> least have an empty <security/> entry.  This means any security
> annotations are completely ignored, which surprised me.

I think this is a bug.  For web apps we won't deploy them if they  
have security in the spec dd but no geronimo security configured.   
Want to open a jira?

> - EJB3 EAR's will not deploy using the Eclipse plugin unless they
> contain an application.xml file.  Renaming the ZIP file to an EAR and
> manually deploying works fine.
> - When creating new EJB3 projects in Eclipse, all geronimo-*.xml files
> reference the old schemas.  If the schemas are changed to the 2.0.1
> versions, then the editors fail (I'm assuming this is due to the EMF
> JIRA entry?)
> - When starting Eclipse, there are 3 warnings in the log complaining
> about 'org.apache.geronimo.deployment.model' and
> 'org.apache.geronimo.v11.deployment.model'.  I tried to disable the 1.0
> and 1.1 features to get rid of the warnings (since I didn't need those
> versions,) but then Geronimo 2.0 wouldn't be listed as an option when
> creating new projects.  The feature wasn't flagged as being broken
> however.

Sorry I know nothing about eclipse.

thanks!
david jencks

>
> ________________________________
>
>
> Kory Markevich
> Tech Lead
> ACL Services Ltd.
>
> 1550 Alberni Street | Vancouver | BC | V6G 1A5
> Tel: 604 669 4225
> Email: kory_markevich@acl.com  | Web: www.acl.com
>

