geronimo-user mailing list archives

From Trygve Hardersen <try...@jotta.no>
Subject Re: webapp run-as problems
Date Mon, 01 Jun 2009 14:11:39 GMT
Great, thanks!

Since I'm unable to build the current trunk I've checked out r779302 and
it's building as we speak with jetty6 in pom.xml. Will let you know what I
find.

Trygve

On Mon, Jun 1, 2009 at 4:07 PM, David Jencks <david_jencks@yahoo.com> wrote:

> I'll try to look into this today or tomorrow.  If you want to switch back
> to jetty6 it's easy.... in the root pom properties uncomment jetty6 and
> comment jetty7 (around line 90)
> I really appreciate the testing on jetty7 with a real app -- a lot has
> changed and finding bugs now is waaaayy better than after we release!
>
> thanks
> david jencks
>
> On Jun 1, 2009, at 9:55 AM, Trygve Hardersen wrote:
>
> Hello
>
> We have been building a relatively large and complex system using
> Geronimo-2.2 for some time. We're now getting close to finishing the
> project, and it's encouraging to see that the release of Geronimo 2.2 is
> getting closer, and that branching is around the corner.
>
> However, the latest Geronimo updates (I'm pretty sure it's the switch to
> Jetty7) broke our security model. I've been trying to make it work again
> for some time, but with no luck. Hence this mail.
>
> First we have a realm and credential store plugin that is used by all other
> parts of the application:
>
> # plan.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <dep:module
>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>     xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"
>     xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>     <dep:gbean name="jotta-realm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>         <dep:attribute name="realmName">jotta-realm</dep:attribute>
>         <dep:attribute name="global">true</dep:attribute>
>         <dep:xml-reference name="LoginModuleConfiguration">
>             <log:login-config>
>                 <!-- Allow administrator logins -->
>                 <log:login-module control-flag="SUFFICIENT"
> wrap-principals="false">
>
> <log:login-domain-name>jotta-admin</log:login-domain-name>
>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>                     <log:option
> name="usersURI">var/security/users.properties</log:option>
>                     <log:option
> name="groupsURI">var/security/groups.properties</log:option>
>                 </log:login-module>
>                 <!-- Then check the user DBs -->
>                 <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>
> <log:login-domain-name>jotta-users</log:login-domain-name>
>
> <log:login-module-class>no.jotta.backup.security.server.JottaLoginModule</log:login-module-class>
>                 </log:login-module>
>             </log:login-config>
>         </dep:xml-reference>
>         <dep:reference name="ServerInfo">
>             <dep:name>ServerInfo</dep:name>
>         </dep:reference>
>     </dep:gbean>
>     <dep:gbean name="JottaCredentialStore"
> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>         <dep:xml-attribute name="credentialStore">
>             <cs:credential-store>
>                 <cs:realm name="jotta-realm">
>                     <cs:subject>
>                         <cs:id>anonymous</cs:id>
>                         <cs:credential>
>
> <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>                             <cs:value>anonymous</cs:value>
>                         </cs:credential>
>                         <cs:credential>
>
> <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>                             <cs:value>${geronimoPasswd}</cs:value>
>                         </cs:credential>
>                     </cs:subject>
>                     <cs:subject>
>                         <cs:id>system</cs:id>
>                         <cs:credential>
>
> <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>                             <cs:value>system</cs:value>
>                         </cs:credential>
>                         <cs:credential>
>
> <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>                             <cs:value>${geronimoPasswd}</cs:value>
>                         </cs:credential>
>                     </cs:subject>
>                 </cs:realm>
>             </cs:credential-store>
>         </dep:xml-attribute>
>         <dep:reference name="Realms">
>             <dep:name>jotta-realm</dep:name>
>         </dep:reference>
>        <dep:dependency>
>             <dep:name>jotta-realm</dep:name>
>         </dep:dependency>
>     </dep:gbean>
> </dep:module>
>
> I can use this security configuration later from other EJB modules, also
> deployed as plugins:
>
> # plan.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>     <module>
>         <ejb>crm-ejb-${jottaVersion}.jar</ejb>
>         <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>             <dep:environment>
>                 <dep:moduleId>
>                     <dep:groupId>no.jotta.backup.crm</dep:groupId>
>                     <dep:artifactId>crm-ejb</dep:artifactId>
>                     <dep:version>${jottaVersion}</dep:version>
>                     <dep:type>ejb</dep:type>
>                 </dep:moduleId>
>                 <dep:dependencies>
>                     <dep:dependency>
>                         <dep:groupId>no.jotta.backup.security</dep:groupId>
>                         <dep:artifactId>security-ejb</dep:artifactId>
>                         <dep:version>${jottaVersion}</dep:version>
>                         <dep:type>ejb</dep:type>
>                     </dep:dependency>
>                 </dep:dependencies>
>             </dep:environment>
>             <security use-context-handler="false">
>                 <sec:credential-store-ref>
>                     <dep:name>JottaCredentialStore</dep:name>
>                 </sec:credential-store-ref>
>                 <sec:role-mappings>
>                     <sec:role role-name="admin">
>                         <sec:principal name="admin"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                     <sec:role role-name="anonymous">
>                         <sec:principal name="anonymous"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                     <sec:role role-name="customer">
>                         <sec:principal name="customer"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                     <sec:role role-name="system">
>                         <sec:run-as-subject>
>                             <sec:description>Allow internal components to
> run as system</sec:description>
>                             <sec:realm>jotta-realm</sec:realm>
>                             <sec:id>system</sec:id>
>                         </sec:run-as-subject>
>                         <sec:login-domain-principal
>                             name="system"
>                             domain-name="jotta-admin"
>
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                         <sec:principal
>                             name="system"
>
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                 </sec:role-mappings>
>             </security>
>             <enterprise-beans>
>                 <session>
>                     <ejb-name>jotta.crm.CustomerService</ejb-name>
>                     <ejb-ref>
>                         <!-- Reference to security service -->
>
> <nam:ref-name>no.jotta.backup.crm.ejb.CustomerServiceImpl/userService</nam:ref-name>
>                         <nam:pattern>
>                             <nam:artifactId>security-ejb</nam:artifactId>
>                             <nam:name>jotta.security.UserService</nam:name>
>                         </nam:pattern>
>                     </ejb-ref>
>                 </session>
>             </enterprise-beans>
>         </openejb-jar>
>     </module>
> </application>
>
> When the "jotta.crm.CustomerService" EJB calls the
> "jotta.security.UserService" it always runs as the "system" role, which is
> what it is supposed to do. I also have a testsuite using remote EJB, and
> from it I can log in manually using either the PropertiesFileLoginModule or
> the JottaLoginModule. In other words the security configuration works as I
> expect it to.
>
> The problem comes when using this security setup from a WAR module. I have
> a very simple web application that has a single servlet responsible for
> gathering the email addresses of interested customers. This servlet is
> supposed to run as "system":
>
> # web.xml
> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
>     metadata-complete="false">
>     <description>
>         Web application resposible for providing the Web Beta
>         for customers of Jotta Backup.
>     </description>
>     <display-name>Jotta Web Beta</display-name>
>     <!-- Can be run in a cluster, but does not require session replication
> -->
>     <distributable/>
>     <welcome-file-list>
>         <welcome-file>welcome</welcome-file>
>     </welcome-file-list>
>    .....
>     <servlet>
>         <description>Servlet providing interested customer
> functionality</description>
>         <display-name>Interested Customer Servlet</display-name>
>         <servlet-name>InterestedCustomerServlet</servlet-name>
>         <servlet-class>no.jotta.backup.web.gui.pub.servlets.InterestedCustomerServlet</servlet-class>
>         <run-as>
>             <description>Runs as system</description>
>             <role-name>system</role-name>
>         </run-as>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>InterestedCustomerServlet</servlet-name>
>         <url-pattern>/welcome</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>InterestedCustomerServlet</servlet-name>
>         <url-pattern>/welcome/</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>InterestedCustomerServlet</servlet-name>
>         <url-pattern>/register</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>InterestedCustomerServlet</servlet-name>
>         <url-pattern>/register/</url-pattern>
>     </servlet-mapping>
>     <!-- EJB Mappings -->
>     <ejb-local-ref>
>         <description>Reference to the Customer Service</description>
>         <ejb-ref-name>customerService</ejb-ref-name>
>         <ejb-ref-type>Session</ejb-ref-type>
>         <local>no.jotta.backup.crm.intf.CustomerServiceLocal</local>
>     </ejb-local-ref>
>     <security-role>
>         <role-name>anonymous</role-name>
>     </security-role>
>     <security-role>
>         <role-name>system</role-name>
>     </security-role>
> </web-app>
>
> Now I've been trying a lot of different plan.xml configurations to make
> this work, but the one that we've been using for quite some time looked like
> this:
>
> # plan.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>     <module>
>         <web>web-beta.war</web>
>         <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
>             <context-root>/beta</context-root>
>             <security-realm-name>jotta-realm</security-realm-name>
>             <security use-context-handler="false">
>                 <sec:credential-store-ref>
>                     <dep:name>JottaCredentialStore</dep:name>
>                 </sec:credential-store-ref>
>                 <sec:default-subject>
>                     <sec:realm>jotta-realm</sec:realm>
>                     <sec:id>anonymous</sec:id>
>                 </sec:default-subject>
>                 <sec:role-mappings>
>                     <sec:role role-name="anonymous">
>                         <sec:login-domain-principal name="anonymous"
> domain-name="jotta-admin"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                     <sec:role role-name="system">
>                         <sec:run-as-subject>
>                             <sec:description>Allow internal components to
> run as system</sec:description>
>                             <sec:realm>jotta-realm</sec:realm>
>                             <sec:id>system</sec:id>
>                         </sec:run-as-subject>
>                         <sec:login-domain-principal name="system"
> domain-name="jotta-admin"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                         <sec:principal name="system"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>                     </sec:role>
>                 </sec:role-mappings>
>             </security>
>         </web-app>
>     </module>
> </application>
>
>
> This used to work, but no longer does. The servlet does not run as "system"
> and access to the EJB is denied:
>
> javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> at
> org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:153)
> at
> org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
> at
> org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
> at
> org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:281)
>
> The Geronimo source I'm running against is trunk from sometime on Thursday
> last week (28th). I'm unable to build the current Geronimo trunk because of
> the following error:
>
> [INFO]
> ------------------------------------------------------------------------
> [ERROR] BUILD ERROR
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Error assembling WAR: Deployment descriptor:
> /home/jotta/dailybuild/geronimo/trunk/server_clean/plugins/activemq/activemq-webconsole/target/activemq-webconsole-2.2-SNAPSHOT/WEB-INF/web.xml
> does not exist.
>
> Does anyone have an idea what is going wrong here, or how I can make this
> work again? I'll try to create a simple application that illustrates the
> webapp run-as problem. Our application is rather complex and many things can
> go wrong. It's probably also possible to switch back to Jetty6, any idea if
> that would help?
>
> Your help and work are much appreciated!
>
> Trygve Hardersen
> Jotta AS
>

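An added example, not code from this thread or from Geronimo: a small Python checker that cross-references the three documents a servlet run-as chain depends on (the web.xml <run-as>, the Jetty plan's <sec:role-mappings>, and the realm/credential-store plan) and reports the first link that does not resolve. The sample XML inside is constructed from the configuration quoted above and trimmed to the security-relevant elements; element and namespace names are the ones the thread shows.

```python
# Added example: cross-check servlet run-as roles against Geronimo deployment
# plans. Not code from this thread or from Geronimo; it only reads the XML
# shapes quoted in the thread. Sample documents below are constructed.
import xml.etree.ElementTree as ET

NS = {
    "j2ee": "http://java.sun.com/xml/ns/javaee",
    "sec": "http://geronimo.apache.org/xml/ns/security-2.0",
    "dep": "http://geronimo.apache.org/xml/ns/deployment-1.2",
    "cs": "http://geronimo.apache.org/xml/ns/credentialstore-1.0",
}


def run_as_roles(web_xml):
    """servlet-name -> role for every servlet in web.xml that declares <run-as>."""
    out = {}
    for servlet in ET.fromstring(web_xml).iterfind("j2ee:servlet", NS):
        role = servlet.findtext("j2ee:run-as/j2ee:role-name", namespaces=NS)
        if role is not None:
            out[servlet.findtext("j2ee:servlet-name", namespaces=NS).strip()] = role.strip()
    return out


def plan_security(plan_xml):
    """Credential-store-ref name, mapped role names and per-role run-as subjects."""
    info = {"store": None, "roles": set(), "run_as": {}}
    # <security> lives in the container plan namespace (jetty-2.0.2 / openejb-jar),
    # so find it by local name rather than by prefix.
    security = next((e for e in ET.fromstring(plan_xml).iter() if e.tag.endswith("}security")), None)
    if security is None:
        return info
    info["store"] = security.findtext("sec:credential-store-ref/dep:name", namespaces=NS)
    for role in security.iterfind("sec:role-mappings/sec:role", NS):
        name = role.get("role-name")
        info["roles"].add(name)
        subj = role.find("sec:run-as-subject", NS)
        if subj is not None:
            info["run_as"][name] = ((subj.findtext("sec:realm", namespaces=NS) or "").strip(),
                                    (subj.findtext("sec:id", namespaces=NS) or "").strip())
    return info


def credential_stores(cs_plan_xml):
    """gbean name -> {(realm, subject id)} for every credential-store gbean."""
    stores = {}
    for gbean in ET.fromstring(cs_plan_xml).iterfind("dep:gbean", NS):
        subjects = set()
        for realm in gbean.iterfind(".//cs:credential-store/cs:realm", NS):
            for subj in realm.iterfind("cs:subject", NS):
                subjects.add((realm.get("name"), subj.findtext("cs:id", namespaces=NS).strip()))
        if subjects:
            stores[gbean.get("name")] = subjects
    return stores


def check_run_as(web_xml, plan_xml, cs_plan_xml):
    """Findings as strings; an empty list means every run-as role resolves to a stored subject."""
    plan, stores, findings = plan_security(plan_xml), credential_stores(cs_plan_xml), []
    for servlet, role in run_as_roles(web_xml).items():
        if role not in plan["roles"]:
            findings.append(f"{servlet}: run-as role '{role}' has no <sec:role> in the plan")
        elif role not in plan["run_as"]:
            findings.append(f"{servlet}: role '{role}' has no <sec:run-as-subject>; "
                            "the container has no subject to switch to")
        elif plan["store"] not in stores:
            findings.append(f"{servlet}: credential-store-ref '{plan['store']}' matches no gbean")
        elif plan["run_as"][role] not in stores[plan["store"]]:
            realm, sid = plan["run_as"][role]
            findings.append(f"{servlet}: subject {realm}/{sid} is not in store '{plan['store']}'")
    return findings


# Constructed samples, trimmed from the thread's web.xml, Jetty plan and realm plan.
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>InterestedCustomerServlet</servlet-name>
    <servlet-class>no.jotta.backup.web.gui.pub.servlets.InterestedCustomerServlet</servlet-class>
    <run-as><role-name>system</role-name></run-as></servlet>
</web-app>"""

PLAN_XML = """<application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
    xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <module><web>web-beta.war</web>
    <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
      <security-realm-name>jotta-realm</security-realm-name>
      <security use-context-handler="false">
        <sec:credential-store-ref><dep:name>JottaCredentialStore</dep:name></sec:credential-store-ref>
        <sec:role-mappings><sec:role role-name="system">
          <sec:run-as-subject><sec:realm>jotta-realm</sec:realm><sec:id>system</sec:id></sec:run-as-subject>
        </sec:role></sec:role-mappings>
      </security></web-app></module>
</application>"""

CS_PLAN_XML = """<dep:module xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
    xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
  <dep:gbean name="JottaCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
    <dep:xml-attribute name="credentialStore"><cs:credential-store><cs:realm name="jotta-realm">
      <cs:subject><cs:id>anonymous</cs:id></cs:subject>
      <cs:subject><cs:id>system</cs:id></cs:subject>
    </cs:realm></cs:credential-store></dep:xml-attribute>
  </dep:gbean>
</dep:module>"""

# Same plan with the run-as subject dropped: the role is still mapped, but nothing
# tells the container which stored identity the servlet should run as.
BROKEN_PLAN_XML = PLAN_XML.replace(
    "<sec:run-as-subject><sec:realm>jotta-realm</sec:realm><sec:id>system</sec:id></sec:run-as-subject>", "")

if __name__ == "__main__":
    for label, plan in (("plan", PLAN_XML), ("plan without run-as-subject", BROKEN_PLAN_XML)):
        print(label, "->", check_run_as(WEB_XML, plan, CS_PLAN_XML) or "OK")
```

Run as a script it reports the full plan as OK and flags the plan that lacks <sec:run-as-subject>; to use it on real files, pass the contents of web.xml, the web-app plan and the realm plan to check_run_as. It only tells you that the descriptors agree with each other; if they do and the EJBAccessException persists, the cause is in the container's handling of the run-as subject rather than in the plans.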