geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: How to integrate custom JACC provider into Geronimo?
Date Mon, 25 Aug 2008 20:24:04 GMT

On Aug 25, 2008, at 11:43 AM, Karel Gardas wrote:

>
> Thank you both for your answers pointing to JACC guide. To be honest I've
> already gone through it, but it looked more like how to implement JACC
> provider than how to integrate already existing JACC provider into
> Geronimo.

That's why I said there were a few hints rather than actual
instructions :-/
>
> What puzzles me most is sentence ``So now your JACC provider is installed
> and configured and your app is running ...'' in ``Runtime permissions
> decisions'' paragraph when before it it was not discussed how to install and
> configure the JACC.
>
> The kind of information I'm looking forward to reading is like: set system
> property x.y.z to your Policy implementation and a.b.c to your
> PolicyConfigurationFactory implementation. Put your JACC jars and
> dependencies into lib XXX and restart Geronimo. Or start Geronimo, log into
> the admin console, go to the node XYZ and add new JACC provider there and
> your JACC jars into lib AAAA.
>
> That's what I'm looking for, since my JACC provider is already working with
> GlassFish and WebLogic and now I just need to configure it for Geronimo.

In the absence of actual documentation and time to write any today....

The policy and jacc setup are done in SecurityServiceImpl.  Here's how  
to configure them in a geronimo plan:
     <gbean name="SecurityService" class="org.apache.geronimo.security.SecurityServiceImpl">
         <reference name="ServerInfo"><name>ServerInfo</name></reference>
         <attribute name="policyConfigurationFactory">org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicyConfigurationFactory</attribute>
         <attribute name="policyProvider">org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicy</attribute>
     </gbean>

Probably the easiest way to get your jacc implementation in is to copy  
the j2ee-security config from framework/configs, rename it (maybe the  
groupId?), include your jacc implementation jars as dependencies, set  
the properties as needed, and include a line so your plugin replaces  
the normal one. You'll need to build this with maven2.  The
car-maven-plugin configuration would look something like this (this is
modified from our j2ee-security configuration):

             <plugin>
                 <groupId>org.apache.geronimo.buildsupport</groupId>
                 <artifactId>car-maven-plugin</artifactId>
                 <configuration>
                     <category>Security</category>
                     <instance>
                         <plugin-artifact>
                             <config-xml-content>
                                 <gbean name="JMXService">
                                     <attribute name="protocol">rmi</attribute>
                                     <attribute name="host">#{ServerHostname}</attribute>
                                     <attribute name="port">#{JMXPort + PortOffset}</attribute>
                                     <attribute name="urlPath">/jndi/rmi://#{ServerHostname}:#{NamingPort + PortOffset}/JMXConnector</attribute>
                                 </gbean>
                             </config-xml-content>
                             <config-substitution key="JMXPort">9999</config-substitution>
                             <artifact-alias key="org.apache.geronimo.framework/j2ee-security//car">org.karel//replacement-security/${pom.version}/car</artifact-alias>
                             <artifact-alias key="org.apache.geronimo.framework/j2ee-security/2.1.2/car">org.karel//replacement-security/${pom.version}/car</artifact-alias>
                         </plugin-artifact>
                     </instance>
                 </configuration>
             </plugin>

You'll also need to turn off the standard j2ee-security which can be  
done in other ways but unless you need automated installation you can  
just manually edit var/config/config.xml and add the attribute
load="false" to the entry for j2ee-security.

You'll almost certainly need to do something so that the identity to  
role association can be installed, but without knowing what your jacc  
implementation expects I can't give much advice.  This part is not  
covered by the jacc spec and is not standardized.  In geronimo we have  
an explicit principal to (application) role mapping in the geronimo  
plans that is pushed into the jacc system through a geronimo specific  
interface.  You may be able to adapt your jacc provider to accept the  
same information in which case you only need to implement this  
interface and make it available.  Otherwise we'll have to talk about  
what to do.

thanks
david jencks

>
> Thanks!
> Karel
>
>
> djencks wrote:
>>
>> This has been done successfully before :-).  I recommend working with
>> geronimo 2.1.2; things may change a bit in trunk.
>>
>> There are a few hints at http://cwiki.apache.org/GMOxDEV/jacc-guide.html
>>
>> You may well have lots of questions after reading this, and please
>> feel free to ask.  In particular it may not be clear how to provide
>> the identity to role association to your jacc implementation.
>>
>> Hopefully I will have time to improve the docs as your questions get
>> answered :-)
>>
>> thanks
>> david jencks
>>
>> On Aug 25, 2008, at 10:51 AM, Karel Gardas wrote:
>>
>>>
>>> Hello,
>>> I do have custom JACC provider which is working well with GlassFish
>>> and
>>> WebLogic and I would like to port it to Geronimo too. I've tried to
>>> search
>>> internet for hint/howto do this, but have not found any. Is there
>>> any such
>>> document available?
>>> Thanks!
>>> Karel
>>> -- 
>>> View this message in context:
>>> http://www.nabble.com/How-to-integrate-custom-JACC-provider-into-Geronimo--tp19148519s134p19148519.html
>>> Sent from the Apache Geronimo - Users mailing list archive at
>>> Nabble.com.
>>>
>>
>>
>>
>
> -- 
> View this message in context: http://www.nabble.com/How-to-integrate-custom-JACC-provider-into-Geronimo--tp19148519s134p19149382.html
> Sent from the Apache Geronimo - Users mailing list archive at  
> Nabble.com.
>
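
Added example (not part of the original message and not Geronimo code): a Python check that the swap described in the reply is reflected in var/config/config.xml, meaning the standard j2ee-security entry carries load="false" and the replacement module is enabled. The config.xml layout (module elements with name and load attributes), the replacement version 1.0 and the function names are assumptions, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Module-name prefixes: the standard one is from the message above; the
# replacement follows the hypothetical org.karel artifact-alias target.
STANDARD = "org.apache.geronimo.framework/j2ee-security/"
REPLACEMENT = "org.karel/replacement-security/"

# Constructed sample of var/config/config.xml (element layout is assumed).
SAMPLE_CONFIG = """\
<attributes xmlns="http://geronimo.apache.org/xml/ns/attributes-1.2">
  <module name="org.apache.geronimo.framework/j2ee-security/2.1.2/car" load="false"/>
  <module name="org.karel/replacement-security/1.0/car"/>
  <module name="org.apache.geronimo.framework/rmi-naming/2.1.2/car"/>
</attributes>
"""


def module_load_states(config_xml):
    """Return {module name: True if the entry is enabled (load is not "false")}."""
    states = {}
    for el in ET.fromstring(config_xml).iter():
        # Compare local names so the check does not depend on the namespace version.
        if el.tag.rsplit("}", 1)[-1] == "module" and el.get("name"):
            load = el.get("load", "true").strip().lower()
            states[el.get("name")] = load != "false"
    return states


def check_security_swap(config_xml):
    """List problems that would leave the wrong JACC provider configuration active."""
    states = module_load_states(config_xml)
    problems = []
    for name, enabled in states.items():
        if name.startswith(STANDARD) and enabled:
            problems.append("standard module still enabled: " + name)
        if name.startswith(REPLACEMENT) and not enabled:
            problems.append("replacement module disabled: " + name)
    # Assumption: the replacement needs an enabled entry of its own to start.
    if not any(n.startswith(REPLACEMENT) and e for n, e in states.items()):
        problems.append("no enabled entry for " + REPLACEMENT)
    return problems


if __name__ == "__main__":
    for problem in check_security_swap(SAMPLE_CONFIG) or ["ok"]:
        print(problem)
```

Running the check after each edit to config.xml catches the case where both security modules, or neither, are enabled before the server is restarted.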

