geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Custom LoginModule classloading issue in gernimo 2.0.2
Date Wed, 19 Dec 2007 00:15:09 GMT

On Dec 18, 2007, at 2:07 PM, Brian Dellert wrote:

> Thanks for the prompt response.
>
> Could you elaborate a bit on how to "Deploy this plan into your  
> geronimo server", or point me to some documentation which describes  
> how to package and deploy a "config module"?  I'm relatively new to  
> geronimo, and haven't deployed artifacts other than ear files, war  
> files, etc.  Thanks.

Yup, my response was a bit hard to follow ... even the plan I told  
you to modify is hard to find in 2.0.2 unless you build geronimo  
yourself.   I tried this out using a new moduleId of o.a.g.configs/ 
server-security-config2/2.0.2/car. Here's the plan with a few  
comments marked with "DAJ" about what to change:

<?xml version="1.0" encoding="UTF-8"?>
<!--Licensed to the Apache Software Foundation (ASF) under one or more
     contributor license agreements.  See the NOTICE file distributed  
with
     this work for additional information regarding copyright ownership.
     The ASF licenses this file to You under the Apache License,  
Version 2.0
     (the "License"); you may not use this file except in compliance  
with
     the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or  
implied.
     See the License for the specific language governing permissions and
     limitations under the License.-->
<!--$Rev: 554977 $ $Date: 2007-07-10 08:32:56 -0700 (Tue, 10 Jul  
2007) $-->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
   <environment>
<!--DAJ Change the module ID to something related to your project -->
     <moduleId>
       <groupId>org.apache.geronimo.configs</groupId>
       <artifactId>server-security-config</artifactId>
       <version>2.0.2</version>
       <type>car</type>
     </moduleId>
     <dependencies>
       <dependency>
         <groupId>org.apache.geronimo.configs</groupId>
         <artifactId>j2ee-security</artifactId>
         <type>car</type>
       </dependency>
<!--DAJ include a dependency on your jar here; you'll need to put  
your jar somewhere in the geronimo repo so this will point to  
something that exists.  This would look just like what you tried in  
the geronimo-application.xml -->
     </dependencies>
     <hidden-classes/>
     <non-overridable-classes/>
   </environment>

<!--DAJ include your security realm gbean here -->

   <gbean name="CredentialStore"  
class="org.apache.geronimo.security.credentialstore.SimpleCredentialStor 
eImpl">
     <xml-attribute name="credentialStore">
       <credential-store xmlns="http://geronimo.apache.org/xml/ns/ 
credentialstore-1.0">
         <!--uncomment this and the default subject in the jettty  
console plan gives you admin console permissions-->
         <!--<realm name="geronimo-admin">
                     <subject>
                         <id>default</id>
                         <credential>
                              
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</ 
type>
                             <value>system</value>
                         </credential>
                         <credential>
                              
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandl 
er</type>
                             <value>manager</value>
                         </credential>
                     </subject>
                 </realm>-->
       </credential-store>
     </xml-attribute>
   </gbean>

<!--DAJ you may want to replace this with something related to your  
installation for non-toy admin console security -->
   <!--Default security realm using properties files-->
   <gbean name="properties-login"  
class="org.apache.geronimo.security.jaas.LoginModuleGBean">
     <attribute  
name="loginModuleClass">org.apache.geronimo.security.realm.providers.Pro 
pertiesFileLoginModule</attribute>
     <attribute name="options">usersURI=var/security/users.properties
             groupsURI=var/security/groups.properties</attribute>
     <attribute name="loginDomainName">geronimo-admin</attribute>
   </gbean>
   <gbean name="geronimo-admin"  
class="org.apache.geronimo.security.realm.GenericSecurityRealm">
     <attribute name="realmName">geronimo-admin</attribute>
     <reference name="LoginModuleConfiguration">
       <name>properties-login</name>
     </reference>
     <reference name="ServerInfo">
       <name>ServerInfo</name>
     </reference>
   </gbean>
   <gbean name="properties-login"  
class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
     <attribute name="controlFlag">REQUIRED</attribute>
     <reference name="LoginModule">
       <name>properties-login</name>
     </reference>
   </gbean>
   <gbean name="geronimo-default"  
class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
     <attribute name="keystoreName">geronimo-default</attribute>
     <attribute name="keystorePath">var/security/keystores/geronimo- 
default</attribute>
     <attribute name="keystorePassword">secret</attribute>
     <attribute name="keyPasswords">geronimo=secret</attribute>
     <reference name="ServerInfo">
       <name>ServerInfo</name>
     </reference>
   </gbean>
</module>

This will end up as a file named say mysecurity-plan.xml.

Deploy this using the console "deploy new" page, unchecking the  
"Start app after install" checkbox.

Stop geronimo.
Edit var/config/config.xml so you  have:
<module load="false" name="org.apache.geronimo.configs/server- 
security-config/2.0.2/car"/>
<!-- replace this with the actual moduleId you used in the plan -->
<module name="org.apache.geronimo.configs/server-security- 
config2/2.0.2/car"/>

at the end.

Edit var/config/artifact_aliases.properties to include lines
org.apache.geronimo.configs/server-security-config// 
car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
org.apache.geronimo.configs/server-security-config/2.0.2/ 
car=org.apache.geronimo.configs/server-security-config2/2.0.2/car

(again using the actual moduleId from your plan)

Now you should be able to start geronimo and it will use your  
security config instead of the supplied one.

You should be able to deploy the plan using the command line tool but  
I didn't try that.  Note that you can have only one of the original  
config and your replacement running at once since they have security  
realms with the same name (they are supposed to replace each other).

Hope this helps and please ask if there are more problems
david jencks


>
> - Brian
>
> ----- Original Message ----- From: "David Jencks"  
> <david_jencks@yahoo.com>
> To: <user@geronimo.apache.org>
> Sent: Tuesday, December 18, 2007 4:38 PM
> Subject: Re: Custom LoginModule classloading issue in gernimo 2.0.2
>
>
>> My guess is that Aaron is right and this is an openejb bug.
>>
>> The only way I can think to fix it is to replace the server- 
>> security- config module with one that is identical except also  
>> including the  jar containing your login module as a dependency  
>> and the security  realm configuration you want.  Deploy this plan  
>> into your geronimo  server. Also, while geronimo is stopped, add a  
>> line like
>>
>> org.apache.geronimo.configs/server-security-config/2.0.2/ 
>> car=com.myco/ myserver-security-config/1.0/car
>>
>> and another similar line without the 2.0.2 to var/config/  
>> artifact_aliases.properties (where com.myco/myserver-security- 
>> config/ 1.0/car is the moduleId of your replacement plan).  When  
>> you restart geronimo the realm should work.
>>
>> I actually recommend doing this for any non-toy geronimo   
>> installation. The provided server-security-config is really an   
>> example that's easy to set up, but on a real installation you   
>> probably want access to the admin console controlled by your   
>> enterprise security system, not a couple of property files stuck  
>> in a  geronimo directory.
>>
>> let us know how this works
>> david jencks
>>
>> On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
>>
>>> It's curious that, from the error, it appears to be looking for the
>>> security realm in the OpenEJB class loader (which I guess is  
>>> receiving
>>> the remote call) instead of the application's class loader.  Perhaps
>>> the context class loader should be set by e.g.
>>> EjbDaemon.processAuthRequest?
>>>
>>> Thanks,
>>>        Aaron
>>>
>>> On Dec 18, 2007 2:55 PM, Brian Dellert <bdellert@rcn.com> wrote:
>>>> Hi.
>>>>
>>>> I have created a simple custom login module which uses the   
>>>> principal created
>>>> by the standard PropertiesFileLoginModule and adds a principal  
>>>> containing a
>>>> group (which is looked up in a DB).  I have configured a  
>>>> security  realm in
>>>> the geronimo-application.xml contained in my application ear  
>>>> file including
>>>> both of these login modules as follows:
>>>>
>>>>     <gbean name="my-realm"
>>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>>            xsi:type="dep:gbeanType"
>>>> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>         <attribute name="realmName">my-realm</attribute>
>>>>         <reference name="ServerInfo">
>>>>             <name>ServerInfo</name>
>>>>         </reference>
>>>>         <xml-reference name="LoginModuleConfiguration">
>>>>             <log:login-config
>>>> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>>                 <log:login-module control-flag="REQUISITE"
>>>> wrap-principals="false">
>>>>                     <log:login-domain-name>my-properties-file</
 
>>>> log:login-domain-name>
>>>>                     <log:login-module-  
>>>> class>org.apache.geronimo.security.realm.providers.PropertiesFileLo 
>>>> gi nModule</log:login-module-class>
>>>>                     <log:option
>>>> name="usersURI">var/security/users.properties</log:option>
>>>>                     <log:option
>>>> name="groupsURI">var/security/groups.properties</log:option>
>>>>                 </log:login-module>
>>>>                 <log:login-module control-flag="OPTIONAL"
>>>> wrap-principals="false">
>>>>                     <log:login-domain-name>my-sql-role</ 
>>>> log:login- domain-name>
>>>>                     <log:login-module-  
>>>> class>my.company.security.realm.providers.SqlRoleLoginModule</  
>>>> log:login-module-class>
>>>>                     <log:option name="roleSelect">SELECT username,
>>>> group_name FROM user_groups WHERE username=?</log:option>
>>>>                     <log:option
>>>> name="dataSourceApplication">null</log:option>
>>>>                     <log:option name="dataSourceName">MyPool</ 

>>>> log:option>
>>>>                 </log:login-module>
>>>>             </log:login-config>
>>>>         </xml-reference>
>>>>     </gbean>
>>>>
>>>> Further, I have packaged the
>>>> "my.company.security.realm.providers.SqlRoleLoginModule" class  
>>>> in  a jar file
>>>> (my-login-module-1.0.jar).  I have tried the following  
>>>> approaches  to get
>>>> this login module to load:
>>>>
>>>>    - Added my-login-module-1.0.jar to the root of my ear file.
>>>>
>>>>    - Added my-login-module-1.0.jar to the root of my ear file  
>>>> and  added this
>>>> jar file to the MANIFEST classpath of an ejb-jar file which is   
>>>> also in the
>>>> ear file.
>>>>
>>>>    - Added my-login-module-1.0.jar to the geronimo repository by  
>>>> placing it
>>>> in the repository/my/company/my-login-module/1.0/my-login-  
>>>> module-1.0.jar
>>>>      and added the following dependency to the dependency list  
>>>> in the
>>>> environment section of my geronimo-application.xml file:
>>>>
>>>>            <dependency>
>>>>                 <groupId>my.company</groupId>
>>>>                 <artifactId>my-login-module</artifactId>
>>>>                 <version>1.0</version>
>>>>                 <type>jar</type>
>>>>             </dependency>
>>>>
>>>> I am attempting to connect/authenicate in a remote JVM by  
>>>> setting  up the
>>>> JNDI context and performing an EJB lookup as follows:
>>>>
>>>>   Properties p = new Properties();
>>>>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>>>>   "org.openejb.client.RemoteInitialContextFactory");
>>>>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>>>>   p.put("openejb.authentication.realmName", "my-realm");
>>>>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>>>>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>>>>   InitialContext ctx = new InitialContext(p);
>>>>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>>>>
>>>> In all cases, I get the following error:
>>>>
>>>> Caused by: javax.security.auth.login.LoginException: unable to find
>>>> LoginModule class:  
>>>> my.company.security.realm.providers.SqlRoleLoginModule in
>>>> classloader org.apache.geronimo.configs/openejb/2.0.2/car
>>>> [INFO]  at
>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java: 
>>>> 808)
>>>> [INFO]  at
>>>> javax.security.auth.login.LoginContext.access$000  
>>>> (LoginContext.java:186)
>>>> [INFO]  at
>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>> [INFO]  at java.security.AccessController.doPrivileged(Native  
>>>> Method)
>>>> [INFO]  at
>>>> javax.security.auth.login.LoginContext.invokePriv  
>>>> (LoginContext.java:680)
>>>> [INFO]  at
>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>> [INFO]  at
>>>> org.apache.geronimo.security.ContextManager.login  
>>>> (ContextManager.java:77)
>>>> [INFO]  at
>>>> org.apache.geronimo.openejb.GeronimoSecurityService.login  
>>>> (GeronimoSecurityService.java:52)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest  
>>>> (AuthRequestHandler.java:56)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest  
>>>> (EjbDaemon.java:172)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java: 
>>>> 130)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ServiceLogger.service 
>>>> (ServiceLogger.java: 73)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ServiceAccessController.service  
>>>> (ServiceAccessController.java:55)
>>>> [INFO]  at
>>>> org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java: 
>>>> 117)
>>>> [INFO]  at java.lang.Thread.run(Thread.java:619)
>>>>
>>>> I know that the dependency is getting at least recognized at ear  
>>>> deployment
>>>> time since, if I remove the login module jar file from the geronimo
>>>> repository, the deployment of the ear fails.
>>>>
>>>> The only way I have been able to get the class to load is by   
>>>> placing it in
>>>> the lib/ext directory of my JRE installation, which doesn't  
>>>> seem  like the
>>>> correct approach.  I am using geronimo 2.0.2 on Windows XP and  
>>>> the 1.6.0_03
>>>> Sun JVM.  Any help with resolving this issue, and getting  
>>>> geronimo to
>>>> correctly load this login module class, would be greatly   
>>>> appreciated. If
>>>> any additional information is needed, please let me know.  Thanks.
>>>>
>>>> - Brian


Mime
View raw message