geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Geronimo security question
Date Thu, 30 Oct 2008 16:28:05 GMT

On Oct 30, 2008, at 3:32 AM, johnxmas wrote:

> Hi,
>
> I'm moving applications from Tomcat to Geronimo 2.1.3
>
> One of these apps had security constraints. I read the documentation  
> but, honestly, I didn't understand how I can achieve the same under  
> Geronimo
>
> Any help would be appreciated
>
> Jean-Noël
>
> Here is the tomcat configuration
>
> - tomcat-users.xml
>
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>  <role rolename="tomcat"/>
>  <role rolename="role1"/>
>  <role rolename="manager"/>
>  <role rolename="admin"/>
>  <role rolename="spadmin"/>
>  <user username="tomcat" password="tomcat" roles="tomcat"/>
>  <user username="both" password="tomcat" roles="tomcat,role1"/>
>  <user username="role1" password="tomcat" roles="role1"/>
>  <user username="scort" password="scort"  
> roles="manager,admin,spadmin"/>
> </tomcat-users>
>
> - the app web.xml had the following entries
>
>   <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Protected Area</web-resource-name>
> 	 <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/main</url-pattern>
>         <url-pattern>/jsp/customize.jsp</url-pattern>
>         <url-pattern>/jsp/editconnspec.jsp</url-pattern>
>         <url-pattern>/jsp/manageconnspec.jsp</url-pattern>
>         <url-pattern>/admin/config/*</url-pattern>
>         <url-pattern>/CreateConnection.srv</url-pattern>
>         <url-pattern>/ModifyConnection.srv</url-pattern>
>         <url-pattern>/EditConnection.srv</url-pattern>
>         <url-pattern>/DeleteConnection.srv</url-pattern>
>         <url-pattern>/ModifyRendering.srv</url-pattern>
> 	 <!-- If you list http methods, only those methods are protected -->
>         <http-method>GET</http-method>
>         <http-method>DELETE</http-method>
>         <http-method>POST</http-method>
> 	     <http-method>PUT</http-method>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>spadmin</role-name>
>      </auth-constraint>
>    </security-constraint>
>
>    <login-config>
>      <auth-method>FORM</auth-method>
>      <form-login-config>
>        <form-login-page>/admin/login/login.jsp</form-login-page>
>        <form-error-page>/admin/login/error.jsp</form-error-page>
>      </form-login-config>
>    </login-config>
>
>    <security-role>
>      <description>Security role for Smart Pack</description>
>      <role-name>spadmin</role-name>
>    </security-role>
>
>

 From your security constraint I think this would be equivalent in  
terms of which pages are accessible:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="spadmin"/>
   <user username="scort" password="scort" roles="spadmin"/>
</tomcat-users>

Anyway I think what you need to do is:

1. define a properties file login module based security realm, perhaps  
by using the admin console.  Lets say you call it my-realm
2. translate the data into property files:

my-users.properties:
scort=scort

my-groups.properties:
spadmin=scort

3. put the properties files in the correct location, I'd suggest var/ 
security

4. specify the my-realm security realm in the geronimo web app plan   
<security-realm>my-realm</security-realm>

5. Include the desired principal-role mapping that maps the spadmin  
group to the app-specific spadmin role.  There are some instructions  
on this at the end of http://cwiki.apache.org/GMOxDOC21/configuring-run-as-and-default-subjects-and-principal-role-mapping.html

hope this helps,
david jencks
Mime
View raw message