geronimo-user mailing list archives

From Jochen Zink <jochenl...@web.de>
Subject Re: Re: Security and WebServices
Date Thu, 08 Jan 2009 11:20:50 GMT
Hello David,

Thanks for your response.

It works with the following setup:
1. Create my own security realm called myRealm
2. Use myRealm in geronimo-web.xml
3. Use a LoginContext and a custom CallbackHandler which knows the required username and password


import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// Hand the credentials from the request to the JAAS realm via the custom handler
MyCallbackHandler handler = new MyCallbackHandler();
handler.setUsername( req.getUser() );
handler.setPassword( req.getPass() );
LoginContext loginCtx = new LoginContext("myRealm", handler);
loginCtx.login();                       // throws LoginException if the realm rejects the credentials
Subject s = loginCtx.getSubject();
Set<Principal> principals = s.getPrincipals();   // the principals committed by the realm's login module


This works fine. But I am wondering about the role-mapping part in geronimo-web.xml. I expected
that the principal "users", defined in myRealm's database, would be mapped to "test1" (see
the end of my text for geronimo-web.xml). The GroupPrincipal of the Subject is named users
and not test1, as I expected. Does this mechanism only work in combination with the security
configuration in web.xml? Or is there an error in my configuration?


Security part of geronimo-web.xml:

<security-realm-name>myrealm</security-realm-name>

<security>
  <default-principal realm-name="myrealm">
    <principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
  </default-principal>
  <role-mappings>

    <role role-name="test1">
      <realm realm-name="myrealm">
        <principal name="users" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </realm>
    </role>

    <role role-name="test2">
      <realm realm-name="myrealm">
        <principal name="admins" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </realm>
    </role>

    <role role-name="test3">
      <realm realm-name="myrealm">
        <principal name="superadmins" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </realm>
    </role>
  </role-mappings>
</security>



Regards and thanks a lot!!
Jochen
> -----Original message-----
> From: "David Jencks" <david_jencks@yahoo.com>
> Sent: 08.01.09 00:37:51
> To: user@geronimo.apache.org
> Subject: Re: Security and WebServices


> 
> On Jan 7, 2009, at 5:03 AM, Jochen Zink wrote:
> 
> > Hello,
> >
> > I want to use Geronimo's security system together with a JAX-WS 2.1  
> > WebService (WAR file).
> >
> > My vision ;):
> > -	standard security configuration: all URLs like /services/* are  
> > secured
> > -	using a standard LoginModule (a Geronimo one or a self-written one  
> > for BinarySecurityTokens)
> >
> > Is it possible to secure a WebService with the standard  
> > security mechanism, or must the application handle the WS-Security  
> > header? If the application has to handle it, is it possible to get  
> > access to a LoginModule, and how does this work?
> 
> Can I check that you want to send the credentials inside the XML  
> message?  At the moment we don't have any support for that.  In the  
> future it may be possible to handle this with a JASPI authentication  
> module.
> 
> You can get the credentials yourself and log in to a JAAS realm using  
> org.apache.geronimo.security.ContextManager.login(realmName,  
> callbackHandler) where realmName is the name of a security realm  
> you've set up in geronimo and callbackHandler is a callback handler  
> you've stuffed the credentials into.  This will log in and install the  
> user in the geronimo security framework.  However if your code to do  
> this is in the application (such as a filter or servlet) you can't use  
> javaee web security constraints because they will have already been  
> evaluated by the time control gets to your auth code.  You ought to be  
> able to use javaee ejb security with the logged in Subject although I  
> haven't tested this for problems I haven't thought of.
> 
> Hope this helps. Please supply more details if appropriate.  I'm  
> running into several similar situations recently and more info on what  
> people would like to be able to do would be great to figure out how to  
> support this.
> 
> thanks
> david jencks
> 
> >
> >
> > Thanks a lot!
> > Regards
> > Jochen
> >
> >
> 
> 




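The login flow the two messages above describe (credentials pulled out of the request, stuffed into a CallbackHandler, handed to a JAAS realm, and read back as principals on the Subject) as a stand-alone example. This is added here and is not code from the thread or from Geronimo: the realm is replaced by an in-memory LoginModule with constructed sample users, the Geronimo principal classes by two minimal stand-ins (UserPrincipal, GroupPrincipal), and the Geronimo realm registration by a programmatic JAAS Configuration that answers for the realm name "myRealm" used in the thread. All names other than the standard javax.security.auth API are assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Stand-alone JAAS walk-through: request credentials -> CallbackHandler -> LoginModule -> Subject principals. */
public class RealmLoginDemo {
    /** Holds the username/password taken from the request and answers the module's callbacks with them. */
    public static final class CredentialCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        public CredentialCallbackHandler(String username, char[] password) { this.username = username; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "only name/password callbacks are answered");
            }
        }
    }

    /** Minimal principal types standing in for GeronimoUserPrincipal / GeronimoGroupPrincipal (demo only). */
    public static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return getClass().getSimpleName() + "[" + name + "]"; }
    }
    public static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    public static final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }

    /** Stand-in for the realm's login module. The user table is constructed sample data, not a real store. */
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
        private static final Map<String, String> GROUPS = Map.of("alice", "users", "bob", "admins");
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject;
            this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            char[] supplied = pc.getPassword() == null ? new char[0] : pc.getPassword();
            String expected = PASSWORDS.get(nc.getName());
            // Compare with MessageDigest.isEqual instead of String.equals, and run the comparison even for an
            // unknown user (against an empty value) so the two failure paths do not differ in work done.
            byte[] a = new String(supplied).getBytes(StandardCharsets.UTF_8);
            byte[] b = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
            boolean ok = MessageDigest.isEqual(a, b) && expected != null;
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            subject.getPrincipals().add(new GroupPrincipal(GROUPS.get(user)));  // the realm's group, e.g. "users"
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** Programmatic JAAS configuration, so no login.config file is needed; "myRealm" is the realm name from the thread. */
    static final class DemoConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"myRealm".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    }

    /** Log in to the named realm with the request credentials and hand back the populated Subject. */
    public static Subject login(String realm, String username, String password) throws LoginException {
        LoginContext ctx = new LoginContext(realm, new Subject(),
                new CredentialCallbackHandler(username, password.toCharArray()), new DemoConfiguration());
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("principals after login: " + login("myRealm", "alice", "s3cret").getPrincipals());
        try { login("myRealm", "alice", "wrong-password"); }
        catch (FailedLoginException e) { System.out.println("rejected as expected: " + e.getMessage()); }
    }
}
```

Compile and run with `javac RealmLoginDemo.java && java RealmLoginDemo`. The Subject ends up carrying exactly what the login module committed, here a UserPrincipal for alice and a GroupPrincipal named users; JAAS itself has no notion of the role-mapping element in the deployment plan, so a LoginContext on its own never renames a group principal to a role name. A wrong password surfaces as a FailedLoginException from login(), and the module's abort() leaves the Subject empty.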