geronimo-user mailing list archives
From Trygve Hardersen <try...@jotta.no>
Subject Re: webapp run-as problems
Date Mon, 01 Jun 2009 15:52:19 GMT
Using r779302 with jetty6 solves the problem.

FYI I also got a 404 on the j_security_check page when using jetty7. I did
not investigate this but it might be related.

Thanks again

Trygve

On Mon, Jun 1, 2009 at 4:11 PM, Trygve Hardersen <trygve@jotta.no> wrote:

> Great, thanks!
>
> Since I'm unable to build the current trunk I've checked out r779302 and
> it's building as we speak with jetty6 in pom.xml. Will let you know what I
> find.
>
> Trygve
>
>
> On Mon, Jun 1, 2009 at 4:07 PM, David Jencks <david_jencks@yahoo.com> wrote:
>
>> I'll try to look into this today or tomorrow.  If you want to switch back
>> to jetty6 it's easy.... in the root pom properties uncomment jetty6 and
>> comment jetty7 (around line 90)
>> I really appreciate the testing on jetty7 with a real app -- a lot has
>> changed and finding bugs now is waaaayy better than after we release!
>>
>> thanks
>> david jencks
>>
>> On Jun 1, 2009, at 9:55 AM, Trygve Hardersen wrote:
>>
>> Hello
>>
>> We have been building a relatively large and complex system using
>> Geronimo-2.2 for some time. We're now getting close to finishing the
>> project, and it's encouraging to see that the release of Geronimo 2.2 is
>> getting closer, and that branching is around the corner.
>>
>> However the latest Geronimo updates, I'm pretty sure it's the switch to
>> Jetty7, broke our security model. I've been trying to make it work again
>> for some time, but with no luck. Hence this mail.
>>
>> First we have a realm and credential store plugin that is used by all
>> other parts of the application:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <dep:module
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"
>>     xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>>     <dep:gbean name="jotta-realm"
>> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>         <dep:attribute name="realmName">jotta-realm</dep:attribute>
>>         <dep:attribute name="global">true</dep:attribute>
>>         <dep:xml-reference name="LoginModuleConfiguration">
>>             <log:login-config>
>>                 <!-- Allow administrator logins -->
>>                 <log:login-module control-flag="SUFFICIENT"
>> wrap-principals="false">
>>
>> <log:login-domain-name>jotta-admin</log:login-domain-name>
>>
>> <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>                     <log:option
>> name="usersURI">var/security/users.properties</log:option>
>>                     <log:option
>> name="groupsURI">var/security/groups.properties</log:option>
>>                 </log:login-module>
>>                 <!-- Then check the user DBs -->
>>                 <log:login-module control-flag="REQUIRED"
>> wrap-principals="false">
>>
>> <log:login-domain-name>jotta-users</log:login-domain-name>
>>
>> <log:login-module-class>no.jotta.backup.security.server.JottaLoginModule</log:login-module-class>
>>                 </log:login-module>
>>             </log:login-config>
>>         </dep:xml-reference>
>>         <dep:reference name="ServerInfo">
>>             <dep:name>ServerInfo</dep:name>
>>         </dep:reference>
>>     </dep:gbean>
>>     <dep:gbean name="JottaCredentialStore"
>> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>>         <dep:xml-attribute name="credentialStore">
>>             <cs:credential-store>
>>                 <cs:realm name="jotta-realm">
>>                     <cs:subject>
>>                         <cs:id>anonymous</cs:id>
>>                         <cs:credential>
>>
>> <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>>                             <cs:value>anonymous</cs:value>
>>                         </cs:credential>
>>                         <cs:credential>
>>
>> <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>>                             <cs:value>${geronimoPasswd}</cs:value>
>>                         </cs:credential>
>>                     </cs:subject>
>>                     <cs:subject>
>>                         <cs:id>system</cs:id>
>>                         <cs:credential>
>>
>> <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>>                             <cs:value>system</cs:value>
>>                         </cs:credential>
>>                         <cs:credential>
>>
>> <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>>                             <cs:value>${geronimoPasswd}</cs:value>
>>                         </cs:credential>
>>                     </cs:subject>
>>                 </cs:realm>
>>             </cs:credential-store>
>>         </dep:xml-attribute>
>>         <dep:reference name="Realms">
>>             <dep:name>jotta-realm</dep:name>
>>         </dep:reference>
>>        <dep:dependency>
>>             <dep:name>jotta-realm</dep:name>
>>         </dep:dependency>
>>     </dep:gbean>
>> </dep:module>
>>
>> I can use this security configuration later from other EJB modules, also
>> deployed as plugins:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>>     <module>
>>         <ejb>crm-ejb-${jottaVersion}.jar</ejb>
>>         <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>             <dep:environment>
>>                 <dep:moduleId>
>>                     <dep:groupId>no.jotta.backup.crm</dep:groupId>
>>                     <dep:artifactId>crm-ejb</dep:artifactId>
>>                     <dep:version>${jottaVersion}</dep:version>
>>                     <dep:type>ejb</dep:type>
>>                 </dep:moduleId>
>>                 <dep:dependencies>
>>                     <dep:dependency>
>>
>> <dep:groupId>no.jotta.backup.security</dep:groupId>
>>                         <dep:artifactId>security-ejb</dep:artifactId>
>>                         <dep:version>${jottaVersion}</dep:version>
>>                         <dep:type>ejb</dep:type>
>>                     </dep:dependency>
>>                 </dep:dependencies>
>>             </dep:environment>
>>             <security use-context-handler="false">
>>                 <sec:credential-store-ref>
>>                     <dep:name>JottaCredentialStore</dep:name>
>>                 </sec:credential-store-ref>
>>                 <sec:role-mappings>
>>                     <sec:role role-name="admin">
>>                         <sec:principal name="admin"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                     <sec:role role-name="anonymous">
>>                         <sec:principal name="anonymous"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                     <sec:role role-name="customer">
>>                         <sec:principal name="customer"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                     <sec:role role-name="system">
>>                         <sec:run-as-subject>
>>                             <sec:description>Allow internal components to
>> run as system</sec:description>
>>                             <sec:realm>jotta-realm</sec:realm>
>>                             <sec:id>system</sec:id>
>>                         </sec:run-as-subject>
>>                         <sec:login-domain-principal
>>                             name="system"
>>                             domain-name="jotta-admin"
>>
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                         <sec:principal
>>                             name="system"
>>
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                 </sec:role-mappings>
>>             </security>
>>             <enterprise-beans>
>>                 <session>
>>                     <ejb-name>jotta.crm.CustomerService</ejb-name>
>>                     <ejb-ref>
>>                         <!-- Reference to security service -->
>>
>> <nam:ref-name>no.jotta.backup.crm.ejb.CustomerServiceImpl/userService</nam:ref-name>
>>                         <nam:pattern>
>>                             <nam:artifactId>security-ejb</nam:artifactId>
>>
>> <nam:name>jotta.security.UserService</nam:name>
>>                         </nam:pattern>
>>                     </ejb-ref>
>>                 </session>
>>             </enterprise-beans>
>>         </openejb-jar>
>>     </module>
>> </application>
>>
>> When the "jotta.crm.CustomerService" EJB calls the
>> "jotta.security.UserService" it always runs as the "system" role, which is
>> what it is supposed to do. I also have a testsuite using remote EJB, and
>> from it I can log in manually using either the PropertiesFileLoginModule or
>> the JottaLoginModule. In other words the security configuration works as I
>> expect it to.
>>
>> The problem comes when using this security setup from a WAR module. I have
>> a very simple web application that has a single servlet responsible for
>> gathering the email addresses of interested customers. This servlet is supposed
>> to run as "system":
>>
>> # web.xml
>> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
>>     metadata-complete="false">
>>     <description>
>>         Web application responsible for providing the Web Beta
>>         for customers of Jotta Backup.
>>     </description>
>>     <display-name>Jotta Web Beta</display-name>
>>     <!-- Can be run in a cluster, but does not require session replication
>> -->
>>     <distributable/>
>>     <welcome-file-list>
>>         <welcome-file>welcome</welcome-file>
>>     </welcome-file-list>
>>    .....
>>     <servlet>
>>         <description>Servlet providing interested customer
>> functionality</description>
>>         <display-name>Interested Customer Servlet</display-name>
>>         <servlet-name>InterestedCustomerServlet</servlet-name>
>>         <servlet-class>no.jotta.backup.web.gui.pub.servlets.InterestedCustomerServlet</servlet-class>
>>         <run-as>
>>             <description>Runs as system</description>
>>             <role-name>system</role-name>
>>         </run-as>
>>     </servlet>
>>     <servlet-mapping>
>>         <servlet-name>InterestedCustomerServlet</servlet-name>
>>         <url-pattern>/welcome</url-pattern>
>>     </servlet-mapping>
>>     <servlet-mapping>
>>         <servlet-name>InterestedCustomerServlet</servlet-name>
>>         <url-pattern>/welcome/</url-pattern>
>>     </servlet-mapping>
>>     <servlet-mapping>
>>         <servlet-name>InterestedCustomerServlet</servlet-name>
>>         <url-pattern>/register</url-pattern>
>>     </servlet-mapping>
>>     <servlet-mapping>
>>         <servlet-name>InterestedCustomerServlet</servlet-name>
>>         <url-pattern>/register/</url-pattern>
>>     </servlet-mapping>
>>     <!-- EJB Mappings -->
>>     <ejb-local-ref>
>>         <description>Reference to the Customer Service</description>
>>         <ejb-ref-name>customerService</ejb-ref-name>
>>         <ejb-ref-type>Session</ejb-ref-type>
>>         <local>no.jotta.backup.crm.intf.CustomerServiceLocal</local>
>>     </ejb-local-ref>
>>     <security-role>
>>         <role-name>anonymous</role-name>
>>     </security-role>
>>     <security-role>
>>         <role-name>system</role-name>
>>     </security-role>
>> </web-app>
>>
>> Now I've been trying a lot of different plan.xml configurations to make
>> this work, but the one that we've been using for quite some time looked like
>> this:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>>     <module>
>>         <web>web-beta.war</web>
>>         <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
>>             <context-root>/beta</context-root>
>>             <security-realm-name>jotta-realm</security-realm-name>
>>             <security use-context-handler="false">
>>                 <sec:credential-store-ref>
>>                     <dep:name>JottaCredentialStore</dep:name>
>>                 </sec:credential-store-ref>
>>                 <sec:default-subject>
>>                     <sec:realm>jotta-realm</sec:realm>
>>                     <sec:id>anonymous</sec:id>
>>                 </sec:default-subject>
>>                 <sec:role-mappings>
>>                     <sec:role role-name="anonymous">
>>                         <sec:login-domain-principal name="anonymous"
>> domain-name="jotta-admin"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                     <sec:role role-name="system">
>>                         <sec:run-as-subject>
>>                             <sec:description>Allow internal components to
>> run as system</sec:description>
>>                             <sec:realm>jotta-realm</sec:realm>
>>                             <sec:id>system</sec:id>
>>                         </sec:run-as-subject>
>>                         <sec:login-domain-principal name="system"
>> domain-name="jotta-admin"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                         <sec:principal name="system"
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> />
>>                     </sec:role>
>>                 </sec:role-mappings>
>>             </security>
>>         </web-app>
>>     </module>
>> </application>
>>
>>
>> This used to work but no longer so. The servlet does not run as "system"
>> and access to the EJB is denied:
>>
>> javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
>> at
>> org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:153)
>> at
>> org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
>> at
>> org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
>> at
>> org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:281)
>>
>> The Geronimo source I'm running against is trunk from sometime on Thursday
>> last week (28th). I'm unable to build the current Geronimo trunk because of
>> the following error:
>>
>> [INFO]
>> ------------------------------------------------------------------------
>> [ERROR] BUILD ERROR
>> [INFO]
>> ------------------------------------------------------------------------
>> [INFO] Error assembling WAR: Deployment descriptor:
>> /home/jotta/dailybuild/geronimo/trunk/server_clean/plugins/activemq/activemq-webconsole/target/activemq-webconsole-2.2-SNAPSHOT/WEB-INF/web.xml
>> does not exist.
>>
>> Does anyone have an idea what is going wrong here, or how I can make this
>> work again? I'll try to create a simple application that illustrates the
>> webapp run-as problem. Our application is rather complex and many things can
>> go wrong. It's probably also possible to switch back to Jetty6, any idea if
>> that would help?
>>
>> Your help and work is much appreciated!
>>
>> Trygve Hardersen
>> Jotta AS
>>
>>
>>
>
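
A check worth scripting before chasing a container regression like the one above is whether the three descriptors actually agree with each other: every <run-as> role in web.xml must be declared as a <security-role>, must have a <sec:role> mapping in plan.xml that carries a <sec:run-as-subject>, and that subject's realm/id pair must exist in the credential store that the plan references. The script below is an added example, not code from the thread or from Geronimo. The embedded descriptors are constructed, trimmed copies of the ones posted above (the credential-store fragment is only the body of the "credentialStore" xml-attribute of the realm plugin); the namespaces are the real Geronimo and Java EE ones. On the poster's descriptors the check passes, which is the point: it rules out a descriptor mismatch before you start looking at the Jetty integration.

```python
"""Cross-check web.xml <run-as> roles against a Geronimo plan.xml and credential store."""
import xml.etree.ElementTree as ET

NS = {
    "jee": "http://java.sun.com/xml/ns/javaee",
    "sec": "http://geronimo.apache.org/xml/ns/security-2.0",
    "cs": "http://geronimo.apache.org/xml/ns/credentialstore-1.0",
}

# Constructed, trimmed descriptors modelled on the ones posted in the thread.
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>InterestedCustomerServlet</servlet-name>
    <servlet-class>no.jotta.backup.web.gui.pub.servlets.InterestedCustomerServlet</servlet-class>
    <run-as><role-name>system</role-name></run-as>
  </servlet>
  <security-role><role-name>anonymous</role-name></security-role>
  <security-role><role-name>system</role-name></security-role>
</web-app>"""

SYSTEM_RUN_AS = ("<sec:run-as-subject><sec:realm>jotta-realm</sec:realm>"
                 "<sec:id>system</sec:id></sec:run-as-subject>")

PLAN_XML = f"""<application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <module>
    <web>web-beta.war</web>
    <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
      <security-realm-name>jotta-realm</security-realm-name>
      <security use-context-handler="false">
        <sec:default-subject><sec:realm>jotta-realm</sec:realm><sec:id>anonymous</sec:id></sec:default-subject>
        <sec:role-mappings>
          <sec:role role-name="anonymous"/>
          <sec:role role-name="system">{SYSTEM_RUN_AS}</sec:role>
        </sec:role-mappings>
      </security>
    </web-app>
  </module>
</application>"""

# Body of the realm plugin's "credentialStore" xml-attribute (credentials omitted).
CRED_STORE_XML = """<cs:credential-store xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
  <cs:realm name="jotta-realm">
    <cs:subject><cs:id>anonymous</cs:id></cs:subject>
    <cs:subject><cs:id>system</cs:id></cs:subject>
  </cs:realm>
</cs:credential-store>"""


def run_as_roles(web_xml):
    """servlet-name -> run-as role, for every servlet that declares <run-as>."""
    root = ET.fromstring(web_xml)
    out = {}
    for s in root.findall("jee:servlet", NS):
        role = s.find("jee:run-as/jee:role-name", NS)
        if role is not None:
            out[s.findtext("jee:servlet-name", namespaces=NS).strip()] = role.text.strip()
    return out


def declared_roles(web_xml):
    """Set of <security-role> names declared in web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall("jee:security-role/jee:role-name", NS)}


def run_as_subjects(plan_xml):
    """role-name -> (realm, id) from <sec:run-as-subject>, or None if the role has none."""
    root = ET.fromstring(plan_xml)
    out = {}
    for role in root.iter(f"{{{NS['sec']}}}role"):
        subj = role.find("sec:run-as-subject", NS)
        out[role.get("role-name")] = None if subj is None else (
            subj.findtext("sec:realm", namespaces=NS).strip(),
            subj.findtext("sec:id", namespaces=NS).strip())
    return out


def credential_store_subjects(cs_xml):
    """Set of (realm-name, subject-id) pairs the credential store can hand out."""
    root = ET.fromstring(cs_xml)
    return {(realm.get("name"), sid.text.strip())
            for realm in root.iter(f"{{{NS['cs']}}}realm")
            for sid in realm.findall("cs:subject/cs:id", NS)}


def check(web_xml, plan_xml, cs_xml):
    """Return a list of human-readable findings; an empty list means the descriptors agree."""
    findings = []
    declared, mapped, stored = declared_roles(web_xml), run_as_subjects(plan_xml), credential_store_subjects(cs_xml)
    for servlet, role in run_as_roles(web_xml).items():
        if role not in declared:
            findings.append(f"{servlet}: run-as role '{role}' is not declared as a <security-role>")
        if role not in mapped:
            findings.append(f"{servlet}: run-as role '{role}' has no <sec:role> mapping in plan.xml")
            continue
        if mapped[role] is None:
            findings.append(f"{servlet}: <sec:role role-name=\"{role}\"> has no <sec:run-as-subject>")
        elif mapped[role] not in stored:
            findings.append(f"{servlet}: run-as subject {mapped[role]} is not in the credential store")
    return findings


if __name__ == "__main__":
    for line in check(WEB_XML, PLAN_XML, CRED_STORE_XML) or ["descriptors are consistent"]:
        print(line)
```

Point the three constants at the real files (or read them with open()) and run it as part of the build; the findings it produces are exactly the mismatches that otherwise surface only as an EJBAccessException at request time.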
