geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: [RESOLVED]Re: Geronimo not found at login subject for Jackrabbit JCA.
Date Mon, 10 Nov 2008 18:39:49 GMT

On Nov 10, 2008, at 9:28 AM, Markku Saarela wrote:

> After removing <container-managed-security />  from geronimo-ra.xml  
> and res-auth element from jackrabbit resource-ref in web.xml it works.

Excellent!

>
>
> jackrabbit in my case is running in-vm so i remove any pooling.
>
> Thanks to all for help.
>
> - markku
>
> ps. still my ultimate goal is to go for container managed security,  
> so i look for code to realize that.

I'm happy to provide advice but I'm not subscribed to the jackrabbit  
lists (and can't deal with any more mailing lists).  If you ask  
questions here on the g. user list I'll do my best to answer.

My impression from the link you gave earlier was that jackrabbit  
currently uses the supplied username and password to log into a JAAS  
realm to get a Subject which is then used for authorization.  If this  
is correct then you ought to be able to simply pass the Subject from  
container managed security directly through to the authorization  
code.  This is not exactly what is envisaged by the J2CA spec but I  
expect it would work better than what is normally done.  In this case  
you wouldn't need to set up the special ManagedConnectionFactory-aware  
login module.

The other possibility I can see is to use the spec-recommended  
approach and extract the username/password from the MCF-specific  
Credential in the container-managed-security Subject.

thanks
david jencks


>
>
> David Jencks wrote:
>>
>> On Nov 8, 2008, at 2:27 AM, Markku Saarela wrote:
>>
>>> Here is configuration documentation:
>>> http://jackrabbit.apache.org/jackrabbit-configuration.html#JackrabbitConfiguration-Securityconfiguration
>>>
>>> After read this documentation i thought that i do not need to use  
>>> jaas, but now i realize that there is jaas available and in  
>>> geronimo-ra.xml i found element <container-managed-security /> so  
>>> i'm actually using container managed security.
>>>
>>> So how to configure that (geronimo documentation is little bit  
>>> confusing)?
>>
>> I looked around the somewhat confusingly organized jackrabbit svn  
>> (j2ca stuff seems to be present only in branches???) and found http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca

>>  which seems like it might bear some resemblance to the code you  
>> are using.  This code does not support container managed security  
>> at all.  Unless you want to add this capability to jackrabbit you  
>> need to stop configuring container managed security in your  
>> geronimo plan.
>>
>> If you do want to add this capability to jackrabbit, the place to  
>> start is in http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca/src/main/java/org/apache/jackrabbit/jca/JCAManagedConnectionFactory.java?annotate=703899
>>
>> 162 :                  public ManagedConnection  
>> createManagedConnection(Subject subject, ConnectionRequestInfo cri)
>> 163 :                 throws ResourceException {
>> 164 :     dpfister     510465    165 :                 if (cri ==  
>> null) {
>> 166 :                 return new AnonymousConnection();
>> 167 :                 }
>> 168 :     dpfister     230772     return  
>> createManagedConnection((JCAConnectionRequestInfo) cri);
>> 169 :                 }
>>
>>
>> and
>>
>> 182 :                  public ManagedConnection  
>> matchManagedConnections(Set set, Subject subject,  
>> ConnectionRequestInfo cri)
>> 183 :                 throws ResourceException {
>> 184 :                 for (Iterator i = set.iterator();  
>> i.hasNext();) {
>> 185 :                 Object next = i.next();
>> 186 :                187 :                 if (next instanceof  
>> JCAManagedConnection) {
>> 188 :                 JCAManagedConnection mc =  
>> (JCAManagedConnection) next;
>> 189 :                 if (equals(mc.getManagedConnectionFactory())) {
>> 190 :                 JCAConnectionRequestInfo otherCri =  
>> mc.getConnectionRequestInfo();
>> 191 :                 if (equals(cri, otherCri)) {
>> 192 :                 return mc;
>> 193 :                 }
>> 194 :                 }
>> 195 :                 }
>> 196 :                 }
>> 197 :                198 :                 return null;
>> 199 :                 }
>>
>>
>> where the Subject supplied from container managed security is  
>> ignored.
>>
>> Out of curiousity, does jackrabbit run in-vm or are connections to  
>> a remote server?  If in-vm it might be better to run with pooling  
>> turned off as it is likely that creating a new managed connection  
>> is lighter weight than the synchronization involved in pooling  
>> existing connections.
>>
>> thanks
>> david jencks
>>
>>
>>
>>>
>>>
>>> - markku
>>>
>>> David Jencks wrote:
>>>> Could you point to some documentation on the JCARepositoryHandle   
>>>> and the ra.xml for this connector?
>>>>
>>>> For container managed security you need to use something like the  
>>>> plugins/connector/geronimo-connector/src/main/java/org/apache/ 
>>>> geronimo/connector/outbound/security/ 
>>>> CallerIdentityPasswordCredentialLoginModule.java which you can  
>>>> deploy in a JAAS configuration using the  
>>>> PasswordCredentialLoginModuleWrapperGBean.java
>>>>
>>>> Since you are trying to supply the credentials in what appears to  
>>>> be a "get connection" call I wonder if you actually want  
>>>> container managed security?
>>>>
>>>> thanks
>>>> david jencks
>>>>
>>>>
>>>> On Nov 7, 2008, at 11:17 PM, Markku Saarela wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Jackrabbit 1.4 (1.4.1 core)  JCA deployed to Geronimo 2.1.1. Web  
>>>>> application or ejb session bean  failed with repository login.  
>>>>> InitialContext lookup find Repository but calling  
>>>>> repository.login( new SimpleCredentials( "system",  
>>>>> "manager".toCharArray() ) ); method results exception:
>>>>>
>>>>> Caused by: javax.resource.ResourceException: No subject for  
>>>>> container managed security
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .geronimo 
>>>>> .connector 
>>>>> .outbound.SubjectInterceptor.getConnection(SubjectIntercepto
>>>>> r.java:51)
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .geronimo 
>>>>> .connector 
>>>>> .outbound.ConnectionHandleInterceptor.getConnection(Connecti
>>>>> onHandleInterceptor.java:43)
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .geronimo 
>>>>> .connector 
>>>>> .outbound.TCCLInterceptor.getConnection(TCCLInterceptor.java
>>>>> :39)
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .geronimo 
>>>>> .connector 
>>>>> .outbound.ConnectionTrackingInterceptor.getConnection(Connec
>>>>> tionTrackingInterceptor.java:66)
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .geronimo 
>>>>> .connector 
>>>>> .outbound.AbstractConnectionManager.allocateConnection(Abstr
>>>>> actConnectionManager.java:87)
>>>>>    at  
>>>>> org 
>>>>> .apache 
>>>>> .jackrabbit 
>>>>> .jca.JCARepositoryHandle.login(JCARepositoryHandle.java:98)
>>>>>
>>>>> So how to configure Geronimo to provide subject to connector?
>>>>>
>>>>> rgds,
>>>>>
>>>>> Markku
>>>>
>>>
>>
>


Mime
View raw message