From: David Jencks
To: user@geronimo.apache.org
Subject: Re: Admin Console Access and Security Realm
Date: Tue, 24 Feb 2009 15:56:09 -0800

Hi Michael2,

I tried out a couple of things this morning and got distracted before replying.

First of all I expect you got a stack trace in the console when you started your new security realm from the admin console.... for some reason this error is not showing up in the admin console.  See https://issues.apache.org/jira/browse/GERONIMO-4553

As long as you know the admin console is not reflecting reality here you should be able to work around this bug.

Anyway, you have to ensure that there is only one security realm named geronimo-admin trying to start at any one time.  So for yours to start, you need to shut off the built-in one.  However there are several essential services configured in the security-config plugin so unless you actually copy the security-config project and build a plugin you should keep the security-config plugin running and just turn off the security-realm gbean.

I did this by editing the var/config/config.xml file so it looked like:

    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">
        <gbean name="geronimo-admin" load="false"/>
    </module>

(you will have to use the correct version, IIRC 2.1.2 rather than 2.2-SNAPSHOT)

The last module in config.xml is

    <module name="console.realm/geronimo-admin/1.0/car"/>

since the admin console tried to start the module.

For quick testing I set up a new properties file realm using the admin console with a new "admin" user rather than "system" and verified that "admin" could log in but "system" could not, so I think it is working OK.

I do recommend that for production use you set up a maven project to build a complete replacement security-config plugin with your security realm in it.

Hope this helps and that I haven't left out too many steps this time :-)
david jencks

On Feb 24, 2009, at 6:45 AM, Michael2 wrote:

> Hello David:
>
> Yes, I still have problems.
>
> First of all, I appreciate your help very much. Please bear with me. I just
> want to learn from the Geronimo experts like you to see how to replace the
> default Properties File Realm with the Database (SQL) Realm. Following your
> suggestions, I created a Derby SQL Realm with the same name as the default
> Realm “geronimo-admin”, I tested it successfully and deployed it. Now I can
> see two “geronimo-admin” Realms listed on the Security Realms list. Then I
> stopped the Geronimo server and modified the “artifact_aliases.properties”
> file on the Geronimo \var\config directory as:
> ……
> org.apache.geronimo.framework/server-security-config//car=console.realm/geronimo-admin/1.0/car
> ……
> org.apache.geronimo.framework/server-security-config/2.1.2/car=console.realm/geronimo-admin/1.0/car
> ……
> org.apache.geronimo.framework/server-security-config/2.1/car=console.realm/geronimo-admin/1.0/car
> ……
> org.apache.geronimo.framework/server-security-config/2.1.1/car=console.realm/geronimo-admin/1.0/car
> ……
> After that, I re-started Geronimo server and tried to log into the admin
> console with the user name/password I had tested in the SQL Realm, I got a
> “Invalided Username and/or Password!” error. The system default user name
> and password is still working.
>
> I am using Geronimo 2.1.3, is it an issue or is there something else I need
> to do to make it work?
>
> Thanks.
>
> Michael
>
>
> djencks wrote:
>>
>> Hi Michael,
>>
>> I guess the documentation wasn't too clear about what to do if you
>> aren't building your security realm as a plugin.  Generally you never
>> want to update an installed plugin in place (in repository).  I've
>> updated the docs here
>>
>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration
>>
>> (should get to
>> http://cwiki.apache.org/GMOxDOC22/basic-hints-on-security-configuration.html
>> soon)
>>
>> Please let us know if this is still not clear or you still have problems
>>
>> thanks!
>> david jencks
>>
>>
>> On Feb 23, 2009, at 3:44 PM, Michael2 wrote:
>>
>>> Hi David:
>>>
>>> I followed your suggestion and created a new SQL security realm named
>>> "geronimo-admin". I also updated the geronimo-plugin.xml under the
>>> C:\Geronimo-2.1.3\repository\org\apache\geronimo\framework\server-security-config\2.1.3\server-security-config-2.1.3.car\META-INF
>>> directory from
>>>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config//car">org.apache.geronimo.framework/server-security-config/2.1.3/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1.2/car">org.apache.geronimo.framework/server-security-config/2.1.3/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1.1/car">org.apache.geronimo.framework/server-security-config/2.1.3/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1/car">org.apache.geronimo.framework/server-security-config/2.1.3/car</artifact-alias>
>>>
>>> to:
>>>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config//car">console.realm/geronimo-admin/1.0/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1.2/car">console.realm/geronimo-admin/1.0/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1.1/car">console.realm/geronimo-admin/1.0/car</artifact-alias>
>>>     <artifact-alias key="org.apache.geronimo.framework/server-security-config/2.1/car">console.realm/geronimo-admin/1.0/car</artifact-alias>
>>>
>>> When I re-start the Geronimo server, I still cannot log into the Admin
>>> console with the new user id and password I created in the database
>>> and have
>>> to use the default system/manager to get in. Do I miss anything?
>>>
>>> Thanks.
>>>
>>> Michael
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Admin-Console-Access-and-Security-Realm-tp22093927s134p22172803.html
>>> Sent from the Apache Geronimo - Users mailing list archive at
>>> Nabble.com.
>>>
>
> --
> View this message in context: http://www.nabble.com/Admin-Console-Access-and-Security-Realm-tp22093927s134p22181064.html
> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
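
Added example (not part of the original message and not Geronimo code): a small check of var/config/config.xml for the state the reply describes, where the security-config plugin stays enabled, its built-in geronimo-admin gbean has load="false", and the replacement realm module is listed. The `<attributes>` root element, the 2.1.3 version in the sample, the `load` attribute on `<module>`, and the rule that a gbean without an override loads by default are assumptions.

```python
import xml.etree.ElementTree as ET

BUILTIN_PREFIX = "org.apache.geronimo.framework/server-security-config/"
REALM = "geronimo-admin"

# Constructed sample modelled on the fragments in the message; the
# <attributes> root element and the 2.1.3 version are assumptions.
FIXED = """<attributes>
  <module name="org.apache.geronimo.framework/server-security-config/2.1.3/car">
    <gbean name="geronimo-admin" load="false"/>
  </module>
  <module name="console.realm/geronimo-admin/1.0/car"/>
</attributes>"""
# Same file without the override: both realms would try to start.
CONFLICT = FIXED.replace(' load="false"', "")

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # ignore any XML namespace

def _loads(elem):
    return elem.get("load", "true").strip().lower() != "false"

def audit_realm_config(xml_text, replacement_module):
    """Return findings; an empty list means exactly one realm starts."""
    root = ET.fromstring(xml_text)
    modules = [e for e in root.iter() if _local(e.tag) == "module"]
    findings = []
    builtin = [m for m in modules
               if m.get("name", "").startswith(BUILTIN_PREFIX)]
    if not builtin:
        findings.append("server-security-config module not listed")
    for m in builtin:
        if not _loads(m):
            findings.append("security-config plugin disabled entirely; "
                            "its other services will not start")
            continue
        overrides = [g for g in m if _local(g.tag) == "gbean"
                     and g.get("name") == REALM]
        # Assumption: a gbean with no override in config.xml loads by default.
        if not overrides or any(_loads(g) for g in overrides):
            findings.append("built-in %s gbean still loads" % REALM)
    if not any(_loads(m) for m in modules
               if m.get("name") == replacement_module):
        findings.append("replacement realm module %s does not load"
                        % replacement_module)
    return findings

if __name__ == "__main__":
    for label, text in (("fixed", FIXED), ("conflict", CONFLICT)):
        print(label, audit_realm_config(text, "console.realm/geronimo-admin/1.0/car"))
```

Because the admin console does not report the startup failure (GERONIMO-4553), a file-level check like this catches the duplicate-realm case before a restart.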