geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: proxy session w/ built-in dbcp + openjpa
Date Tue, 12 Feb 2008 21:34:20 GMT

On Feb 12, 2008, at 12:35 PM, Brian Gregory wrote:

> Ok, this might clear things up a bit:


> // This needs to happen when a connection is pulled from the pool
> // and before the connection is used.
> // The "<username>" could be pulled from the GeronimoUserPrincipal()
> //      in the current session (?) if available
> java.util.Properties prop = new java.util.Properties();
> prop.put(OracleConnection.PROXY_USER_NAME, "<username>");
> ((OracleConnection)conn).openProxySession 
> (OracleConnection.PROXYTYPE_USER_NAME,
> prop);
> // This nees to happen when a connection is returned to the pool
> ((OracleConnection)conn).close(OracleConnection.PROXY_SESSION);
> And that's pretty much it. The LoginModule for the security realm  
> is pretty
> much a standard JDBC Realm (with a little code to calculate Oracle  
> password
> hashes) that populates the GeronimoUserPrincipal() and
> GeronimoGroupPrincipal(). The "proxy" part is just a way to let  
> oracle know
> who the "real" user is for the audit trail and any user-bound security
> policies.


every oracle connection will be created using a fixed user/pw  
combination you configure somewhere, and in addition the actual  
user's username will be used to set up the proxy session?

I looked into this a bit more and don't think there's a way to write  
a app server independent connector that can deal with this.  I think  
what you can do is:

leave your login module setup alone
specify container-manage-security in your connector  plan

modify the tranql oracle wrapper so that in the MCFs:

add a method to set up the oracle proxy session given the Subject  
(from which you extract the GeronimoUserPrincipal) and the physical  

  you override:

by copying the superclass code and calling the openProxySession  
method after getting the physical connection and creating your own  
ManagedConnection implementation (see below)


by calling super and then calling the openProxySession method.

  (the base methods are in AbstractLocalDataSourceMCF and  

You also need to override the ManagedConnection implementations so  
that the cleanup() method can end the oracle proxy session.

Hope this is enough of a hint.... feel free to ask for more info.

Maybe we'd could add a tranql login module that set up an oracle  
specific principal to transfer the user name?  Then we could include  
this work in tranql and it wouldn't really be tied to  geronimo.

david jencks

> Note from before: RARs ah. That's a new one for me. Learning curves  
> are a
> bitch sometimes. And I'm still trying to catch up with learning  
> maven (and
> the 6 million things it does). As you can probably tell, geronimo is a
> pretty new beast to me too.
> No problem about the help, I've got to work through it anyway.
> -- 
> View this message in context: 
> w--built-in-dbcp-%2B-openjpa-tp15404731s134p15442349.html
> Sent from the Apache Geronimo - Users mailing list archive at  

View raw message