geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Donald Woods <dwo...@apache.org>
Subject Re: Geronimo security question
Date Tue, 18 Nov 2008 18:21:14 GMT
Seems like it would be a great feature to add support for using an 
existing tomcat-users.xml in Geronimo without having to convert it to a 
properties file, so I opened GERONIMO-4419 as a placeholder.


-Donald


David Jencks wrote:
> 
> On Oct 30, 2008, at 3:32 AM, johnxmas wrote:
> 
>> Hi,
>>
>> I'm moving applications from Tomcat to Geronimo 2.1.3
>>
>> One of these apps had security constraints. I read the documentation 
>> but, honestly, I didn't understand how I can achieve the same under 
>> Geronimo
>>
>> Any help would be appreciated
>>
>> Jean-Noël
>>
>> Here is the tomcat configuration
>>
>> - tomcat-users.xml
>>
>> <?xml version='1.0' encoding='utf-8'?>
>> <tomcat-users>
>>  <role rolename="tomcat"/>
>>  <role rolename="role1"/>
>>  <role rolename="manager"/>
>>  <role rolename="admin"/>
>>  <role rolename="spadmin"/>
>>  <user username="tomcat" password="tomcat" roles="tomcat"/>
>>  <user username="both" password="tomcat" roles="tomcat,role1"/>
>>  <user username="role1" password="tomcat" roles="role1"/>
>>  <user username="scort" password="scort" roles="manager,admin,spadmin"/>
>> </tomcat-users>
>>
>> - the app web.xml had the following entries
>>
>>   <security-constraint>
>>      <web-resource-collection>
>>         <web-resource-name>Protected Area</web-resource-name>
>>      <!-- Define the context-relative URL(s) to be protected -->
>>         <url-pattern>/main</url-pattern>
>>         <url-pattern>/jsp/customize.jsp</url-pattern>
>>         <url-pattern>/jsp/editconnspec.jsp</url-pattern>
>>         <url-pattern>/jsp/manageconnspec.jsp</url-pattern>
>>         <url-pattern>/admin/config/*</url-pattern>
>>         <url-pattern>/CreateConnection.srv</url-pattern>
>>         <url-pattern>/ModifyConnection.srv</url-pattern>
>>         <url-pattern>/EditConnection.srv</url-pattern>
>>         <url-pattern>/DeleteConnection.srv</url-pattern>
>>         <url-pattern>/ModifyRendering.srv</url-pattern>
>>      <!-- If you list http methods, only those methods are protected -->
>>         <http-method>GET</http-method>
>>         <http-method>DELETE</http-method>
>>         <http-method>POST</http-method>
>>          <http-method>PUT</http-method>
>>      </web-resource-collection>
>>      <auth-constraint>
>>         <role-name>spadmin</role-name>
>>      </auth-constraint>
>>    </security-constraint>
>>
>>    <login-config>
>>      <auth-method>FORM</auth-method>
>>      <form-login-config>
>>        <form-login-page>/admin/login/login.jsp</form-login-page>
>>        <form-error-page>/admin/login/error.jsp</form-error-page>
>>      </form-login-config>
>>    </login-config>
>>
>>    <security-role>
>>      <description>Security role for Smart Pack</description>
>>      <role-name>spadmin</role-name>
>>    </security-role>
>>
>>
> 
>  From your security constraint I think this would be equivalent in terms 
> of which pages are accessible:
> 
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>  <role rolename="spadmin"/>
>   <user username="scort" password="scort" roles="spadmin"/>
> </tomcat-users>
> 
> Anyway I think what you need to do is:
> 
> 1. define a properties file login module based security realm, perhaps 
> by using the admin console.  Lets say you call it my-realm
> 2. translate the data into property files:
> 
> my-users.properties:
> scort=scort
> 
> my-groups.properties:
> spadmin=scort
> 
> 3. put the properties files in the correct location, I'd suggest 
> var/security
> 
> 4. specify the my-realm security realm in the geronimo web app plan  
> <security-realm>my-realm</security-realm>
> 
> 5. Include the desired principal-role mapping that maps the spadmin 
> group to the app-specific spadmin role.  There are some instructions on 
> this at the end of 
> http://cwiki.apache.org/GMOxDOC21/configuring-run-as-and-default-subjects-and-principal-role-mapping.html

> 
> 
> hope this helps,
> david jencks

Mime
View raw message