geronimo-user mailing list archives

From "Brian Dellert" <bdell...@rcn.com>
Subject Re: Custom LoginModule classloading issue in geronimo 2.0.2
Date Wed, 19 Dec 2007 21:40:36 GMT
David,

I followed your instructions, and things are now working.  Thanks for 
helping with this.  Now all I need to do is automate the described process 
as part of my build :)

Is there somewhere I should file a bug report for the underlying issue (i.e., 
in the geronimo and/or Open EJB bug tracking systems), since any 
documentation I have read has stated that you should be able to define a 
security realm which uses a custom login module within an application ear?

- Brian


----- Original Message ----- 
From: "David Jencks" <david_jencks@yahoo.com>
To: <user@geronimo.apache.org>
Sent: Tuesday, December 18, 2007 7:15 PM
Subject: Re: Custom LoginModule classloading issue in geronimo 2.0.2


>
> On Dec 18, 2007, at 2:07 PM, Brian Dellert wrote:
>
>> Thanks for the prompt response.
>>
>> Could you elaborate a bit on how to "Deploy this plan into your  geronimo 
>> server", or point me to some documentation which describes  how to 
>> package and deploy a "config module"?  I'm relatively new to  geronimo, 
>> and haven't deployed artifacts other than ear files, war  files, etc. 
>> Thanks.
>
> Yup, my response was a bit hard to follow ... even the plan I told you to
> modify is hard to find in 2.0.2 unless you build geronimo yourself.  I
> tried this out using a new moduleId of
> o.a.g.configs/server-security-config2/2.0.2/car. Here's the plan with a few
> comments marked with "DAJ" about what to change:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--Licensed to the Apache Software Foundation (ASF) under one or more
>     contributor license agreements.  See the NOTICE file distributed with
>     this work for additional information regarding copyright ownership.
>     The ASF licenses this file to You under the Apache License, Version 2.0
>     (the "License"); you may not use this file except in compliance with
>     the License.  You may obtain a copy of the License at
>
>        http://www.apache.org/licenses/LICENSE-2.0
>
>     Unless required by applicable law or agreed to in writing, software
>     distributed under the License is distributed on an "AS IS" BASIS,
>     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>     See the License for the specific language governing permissions and
>     limitations under the License.-->
> <!--$Rev: 554977 $ $Date: 2007-07-10 08:32:56 -0700 (Tue, 10 Jul 2007) $-->
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>   <environment>
>     <!--DAJ Change the module ID to something related to your project -->
>     <moduleId>
>       <groupId>org.apache.geronimo.configs</groupId>
>       <artifactId>server-security-config</artifactId>
>       <version>2.0.2</version>
>       <type>car</type>
>     </moduleId>
>     <dependencies>
>       <dependency>
>         <groupId>org.apache.geronimo.configs</groupId>
>         <artifactId>j2ee-security</artifactId>
>         <type>car</type>
>       </dependency>
>       <!--DAJ include a dependency on your jar here; you'll need to put your
>           jar somewhere in the geronimo repo so this will point to something
>           that exists.  This would look just like what you tried in the
>           geronimo-application.xml -->
>     </dependencies>
>     <hidden-classes/>
>     <non-overridable-classes/>
>   </environment>
>
>   <!--DAJ include your security realm gbean here -->
>
>   <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>     <xml-attribute name="credentialStore">
>       <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>         <!--uncomment this and the default subject in the jetty console
>             plan gives you admin console permissions-->
>         <!--<realm name="geronimo-admin">
>           <subject>
>             <id>default</id>
>             <credential>
>               <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>               <value>system</value>
>             </credential>
>             <credential>
>               <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>               <value>manager</value>
>             </credential>
>           </subject>
>         </realm>-->
>       </credential-store>
>     </xml-attribute>
>   </gbean>
>
>   <!--DAJ you may want to replace this with something related to your
>       installation for non-toy admin console security -->
>   <!--Default security realm using properties files-->
>   <gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>     <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>     <attribute name="options">usersURI=var/security/users.properties
>             groupsURI=var/security/groups.properties</attribute>
>     <attribute name="loginDomainName">geronimo-admin</attribute>
>   </gbean>
>   <gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     <attribute name="realmName">geronimo-admin</attribute>
>     <reference name="LoginModuleConfiguration">
>       <name>properties-login</name>
>     </reference>
>     <reference name="ServerInfo">
>       <name>ServerInfo</name>
>     </reference>
>   </gbean>
>   <gbean name="properties-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>     <attribute name="controlFlag">REQUIRED</attribute>
>     <reference name="LoginModule">
>       <name>properties-login</name>
>     </reference>
>   </gbean>
>   <gbean name="geronimo-default" class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>     <attribute name="keystoreName">geronimo-default</attribute>
>     <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
>     <attribute name="keystorePassword">secret</attribute>
>     <attribute name="keyPasswords">geronimo=secret</attribute>
>     <reference name="ServerInfo">
>       <name>ServerInfo</name>
>     </reference>
>   </gbean>
> </module>
>
> This will end up as a file named say mysecurity-plan.xml.
>
> Deploy this using the console "deploy new" page, unchecking the "Start
> app after install" checkbox.
>
> Stop geronimo.
> Edit var/config/config.xml so you have:
> <module load="false" name="org.apache.geronimo.configs/server-security-config/2.0.2/car"/>
> <!-- replace this with the actual moduleId you used in the plan -->
> <module name="org.apache.geronimo.configs/server-security-config2/2.0.2/car"/>
>
> at the end.
>
> Edit var/config/artifact_aliases.properties to include lines
> org.apache.geronimo.configs/server-security-config//car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
> org.apache.geronimo.configs/server-security-config/2.0.2/car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
>
> (again using the actual moduleId from your plan)
>
> Now you should be able to start geronimo and it will use your security
> config instead of the supplied one.
>
> You should be able to deploy the plan using the command line tool but I
> didn't try that.  Note that you can have only one of the original config
> and your replacement running at once since they have security realms with
> the same name (they are supposed to replace each other).
>
> Hope this helps and please ask if there are more problems
> david jencks
>
>
>>
>> - Brian
>>
>> ----- Original Message -----
>> From: "David Jencks" <david_jencks@yahoo.com>
>> To: <user@geronimo.apache.org>
>> Sent: Tuesday, December 18, 2007 4:38 PM
>> Subject: Re: Custom LoginModule classloading issue in geronimo 2.0.2
>>
>>
>>> My guess is that Aaron is right and this is an openejb bug.
>>>
>>> The only way I can think to fix it is to replace the server-security-config
>>> module with one that is identical except also including the jar
>>> containing your login module as a dependency and the security realm
>>> configuration you want.  Deploy this plan into your geronimo server.
>>> Also, while geronimo is stopped, add a line like
>>>
>>> org.apache.geronimo.configs/server-security-config/2.0.2/car=com.myco/myserver-security-config/1.0/car
>>>
>>> and another similar line without the 2.0.2 to
>>> var/config/artifact_aliases.properties (where
>>> com.myco/myserver-security-config/1.0/car is the moduleId of your
>>> replacement plan).  When you restart geronimo the realm should work.
>>>
>>> I actually recommend doing this for any non-toy geronimo installation.
>>> The provided server-security-config is really an example that's easy
>>> to set up, but on a real installation you probably want access to the
>>> admin console controlled by your enterprise security system, not a
>>> couple of property files stuck in a geronimo directory.
>>>
>>> let us know how this works
>>> david jencks
>>>
>>> On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
>>>
>>>> It's curious that, from the error, it appears to be looking for the
>>>> security realm in the OpenEJB class loader (which I guess is receiving
>>>> the remote call) instead of the application's class loader.  Perhaps
>>>> the context class loader should be set by e.g.
>>>> EjbDaemon.processAuthRequest?
>>>>
>>>> Thanks,
>>>>        Aaron
>>>>
>>>> On Dec 18, 2007 2:55 PM, Brian Dellert <bdellert@rcn.com> wrote:
>>>>> Hi.
>>>>>
>>>>> I have created a simple custom login module which uses the principal
>>>>> created by the standard PropertiesFileLoginModule and adds a principal
>>>>> containing a group (which is looked up in a DB).  I have configured a
>>>>> security realm in the geronimo-application.xml contained in my
>>>>> application ear file including both of these login modules as follows:
>>>>>
>>>>>     <gbean name="my-realm"
>>>>>            class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>>>            xsi:type="dep:gbeanType"
>>>>>            xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>         <attribute name="realmName">my-realm</attribute>
>>>>>         <reference name="ServerInfo">
>>>>>             <name>ServerInfo</name>
>>>>>         </reference>
>>>>>         <xml-reference name="LoginModuleConfiguration">
>>>>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>>>                 <log:login-module control-flag="REQUISITE" wrap-principals="false">
>>>>>                     <log:login-domain-name>my-properties-file</log:login-domain-name>
>>>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>>>>                     <log:option name="usersURI">var/security/users.properties</log:option>
>>>>>                     <log:option name="groupsURI">var/security/groups.properties</log:option>
>>>>>                 </log:login-module>
>>>>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>>>>                     <log:login-domain-name>my-sql-role</log:login-domain-name>
>>>>>                     <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
>>>>>                     <log:option name="roleSelect">SELECT username, group_name FROM user_groups WHERE username=?</log:option>
>>>>>                     <log:option name="dataSourceApplication">null</log:option>
>>>>>                     <log:option name="dataSourceName">MyPool</log:option>
>>>>>                 </log:login-module>
>>>>>             </log:login-config>
>>>>>         </xml-reference>
>>>>>     </gbean>
>>>>>
>>>>> Further, I have packaged the
>>>>> "my.company.security.realm.providers.SqlRoleLoginModule" class in a
>>>>> jar file (my-login-module-1.0.jar).  I have tried the following
>>>>> approaches to get this login module to load:
>>>>>
>>>>>    - Added my-login-module-1.0.jar to the root of my ear file.
>>>>>
>>>>>    - Added my-login-module-1.0.jar to the root of my ear file and
>>>>>      added this jar file to the MANIFEST classpath of an ejb-jar file
>>>>>      which is also in the ear file.
>>>>>
>>>>>    - Added my-login-module-1.0.jar to the geronimo repository by
>>>>>      placing it in
>>>>>      repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
>>>>>      and added the following dependency to the dependency list in the
>>>>>      environment section of my geronimo-application.xml file:
>>>>>
>>>>>            <dependency>
>>>>>                 <groupId>my.company</groupId>
>>>>>                 <artifactId>my-login-module</artifactId>
>>>>>                 <version>1.0</version>
>>>>>                 <type>jar</type>
>>>>>             </dependency>
>>>>>
>>>>> I am attempting to connect/authenticate in a remote JVM by setting up
>>>>> the JNDI context and performing an EJB lookup as follows:
>>>>>
>>>>>   Properties p = new Properties();
>>>>>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>>>>>   "org.openejb.client.RemoteInitialContextFactory");
>>>>>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>>>>>   p.put("openejb.authentication.realmName", "my-realm");
>>>>>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>>>>>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>>>>>   InitialContext ctx = new InitialContext(p);
>>>>>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>>>>>
>>>>> In all cases, I get the following error:
>>>>>
>>>>> Caused by: javax.security.auth.login.LoginException: unable to find
>>>>> LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in
>>>>> classloader org.apache.geronimo.configs/openejb/2.0.2/car
>>>>> [INFO]  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
>>>>> [INFO]  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>> [INFO]  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>>> [INFO]  at java.security.AccessController.doPrivileged(Native Method)
>>>>> [INFO]  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>> [INFO]  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>>> [INFO]  at org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
>>>>> [INFO]  at org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
>>>>> [INFO]  at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
>>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
>>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
>>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
>>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
>>>>> [INFO]  at org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
>>>>> [INFO]  at org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
>>>>> [INFO]  at org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
>>>>> [INFO]  at java.lang.Thread.run(Thread.java:619)
>>>>>
>>>>> I know that the dependency is getting at least recognized at ear
>>>>> deployment time since, if I remove the login module jar file from the
>>>>> geronimo repository, the deployment of the ear fails.
>>>>>
>>>>> The only way I have been able to get the class to load is by placing
>>>>> it in the lib/ext directory of my JRE installation, which doesn't seem
>>>>> like the correct approach.  I am using geronimo 2.0.2 on Windows XP and
>>>>> the 1.6.0_03 Sun JVM.  Any help with resolving this issue, and getting
>>>>> geronimo to correctly load this login module class, would be greatly
>>>>> appreciated. If any additional information is needed, please let me
>>>>> know.  Thanks.
>>>>>
>>>>> - Brian 
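Brian's closing remark about automating the procedure, illustrated with an added Python helper that is not part of the thread: it applies David's two edits idempotently (disable the stock server-security-config module in config.xml, list the replacement before the closing root tag, and add both alias keys to artifact_aliases.properties). Only the module IDs come from the thread; SAMPLE_CONFIG and SAMPLE_ALIASES are constructed stand-ins for the real files, not Geronimo's own contents.

```python
# Added example, not from the thread: apply the two edits David describes so the
# replacement security plan is used in place of the stock one. Module IDs come from
# the thread; SAMPLE_CONFIG / SAMPLE_ALIASES are constructed stand-ins for the files.
import re

ORIGINAL = "org.apache.geronimo.configs/server-security-config/2.0.2/car"
REPLACEMENT = "org.apache.geronimo.configs/server-security-config2/2.0.2/car"

def swap_security_module(config_xml, original=ORIGINAL, replacement=REPLACEMENT):
    """Mark `original` load="false" and list `replacement` in config.xml; idempotent."""
    tag_re = re.compile(r'<module\b[^>]*\bname="%s"[^>]*>' % re.escape(original))

    def disable(match):  # rewrite one <module ...> tag so it carries load="false"
        tag = re.sub(r'\s+load="[^"]*"', "", match.group(0))
        return tag.replace("<module", '<module load="false"', 1)

    out = tag_re.sub(disable, config_xml)
    additions = []
    if not tag_re.search(out):  # stock module never listed: add it, disabled
        additions.append('<module load="false" name="%s"/>' % original)
    if not re.search(r'<module\b[^>]*\bname="%s"' % re.escape(replacement), out):
        additions.append('<module name="%s"/>' % replacement)
    if additions:  # insert just before the closing root tag, i.e. "at the end"
        root_close = re.search(r'\n?[ \t]*</[\w:]+>\s*$', out)
        if root_close is None:
            raise ValueError("config.xml has no closing root element")
        block = "".join("\n    " + line for line in additions)
        out = out[:root_close.start()] + block + out[root_close.start():]
    return out

def add_aliases(props, original=ORIGINAL, replacement=REPLACEMENT):
    """Append the versioned and version-less alias keys; never repoint an existing one."""
    group, artifact, _version, kind = original.split("/")
    wanted = [original, "%s/%s//%s" % (group, artifact, kind)]
    current = {}
    for line in props.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", "!")):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    out = props if props.endswith("\n") or not props else props + "\n"
    for key in wanted:
        if key in current and current[key] != replacement:
            raise ValueError("%s already aliased to %s" % (key, current[key]))
        if key not in current:
            out += "%s=%s\n" % (key, replacement)
    return out

# Constructed stand-ins for var/config/config.xml and artifact_aliases.properties.
SAMPLE_CONFIG = ('<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">\n'
                 '    <module name="%s"/>\n</attributes>\n' % ORIGINAL)
SAMPLE_ALIASES = "# constructed sample, initially without aliases\n"
```

Running both functions a second time over their own output returns it unchanged, so the step can sit in a build without checking whether it already ran.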
