geronimo-user mailing list archives

From Ivan <xhh...@gmail.com>
Subject Re: Replacing the server-security-config plugin
Date Wed, 16 Sep 2009 08:56:12 GMT
Hi, Quintin
    Any update for GERONIMO-4603?
2009/9/15 chi runhua <chirunhua@gmail.com>

> Hi, doc updated regarding this topic.
>
> http://cwiki.apache.org/GMOxDOC22/replacing-default-realm-in-geronimo.html
>
> See if there are any problems, please let me know.
>
> Jeff C
>
> On Sat, Sep 12, 2009 at 9:54 PM, chi runhua <chirunhua@gmail.com> wrote:
>
>> You may also refer to https://issues.apache.org/jira/browse/GERONIMO-4818.
>>
>> Doc for G2.2 on this topic will be updated soon.
>>
>> Jeff C
>>
>>
>>
>>
>> On Sat, Sep 12, 2009 at 6:40 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>>
>>> Thanks. That helps. I'll see what I can do.
>>>
>>> Q
>>>
>>> On Sat, Sep 12, 2009 at 12:49 AM, David Jencks <david_jencks@yahoo.com>
>>> wrote:
>>> >
>>> > On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:
>>> >
>>> >> OK. So I found the reference. It's like so:
>>> >>     <gbean name="PropertiesLoginManager"
>>> >>            class="org.apache.geronimo.console.core.security.PropertiesLoginModuleManager">
>>> >>       <reference name="ServerInfo">
>>> >>         <name>ServerInfo</name>
>>> >>       </reference>
>>> >>       <reference name="LoginModule">
>>> >>         <name>properties-login</name>
>>> >>       </reference>
>>> >>     </gbean>
>>> >>
>>> >> And it's in console-tomcat's plan.
>>> >>
>>> >> 1. How would I make it multivalued and wrap it in SingleElementCollection?
>>> >
>>> > You need to find the java code for PropertiesLoginModuleManager.  It should
>>> > have a reference to a login module.... you need to turn the reference into a
>>> > Collection<LoginModuleGBean>.  Hopefully it's a constructor arg.  Instead of
>>> > dealing with the Collection itself you can immediately wrap it in a
>>> > SingleElementCollection and use that instead.  Then you'll have to look at
>>> > the code in PropertiesLoginModuleManager and make sure it doesn't do
>>> > anything unfortunate if there is no login module in the collection.
>>> >>
>>> >>
>>> >> 2. How would I redeploy it?
>>> >
>>> > you'll need to have checked out geronimo to get this far.... the simplest is
>>> > to just build all of geronimo.  If you've built at least once, you can just
>>> > build the plugins/console and then assemblies.  (I'm assuming that my
>>> > recollection that this code is in plugins/console is correct).
>>> >
>>> > hope this helps
>>> > david jencks
>>> >
>>> >
>>> >>
>>> >> Q
>>> >>
>>> >> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jdente@21technologies.com>
>>> >> wrote:
>>> >>>
>>> >>> I'm going to be busy for the rest of the day, but here's the deployment
>>> >>> plan I use in my replacement server-security-config plugin:
>>> >>>
>>> >>> <?xml version="1.0" encoding="UTF-8"?>
>>> >>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>> >>>  <environment>
>>> >>>   <moduleId>
>>> >>>     <groupId>com.mycode.geronimo</groupId>
>>> >>>     <artifactId>delegating-login-module</artifactId>
>>> >>>     <version>1.0</version>
>>> >>>     <type>car</type>
>>> >>>   </moduleId>
>>> >>>   <dependencies>
>>> >>>     <dependency>
>>> >>>       <groupId>org.apache.geronimo.framework</groupId>
>>> >>>       <artifactId>j2ee-security</artifactId>
>>> >>>       <version>2.1.4</version>
>>> >>>       <type>car</type>
>>> >>>     </dependency>
>>> >>>   </dependencies>
>>> >>>   <hidden-classes/>
>>> >>>   <non-overridable-classes/>
>>> >>>  </environment>
>>> >>>
>>> >>>  <gbean name="CredentialStore"
>>> >>>         class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
>>> >>>
>>> >>>  <!-- Default Security Realm Using Delegate Login Module -->
>>> >>>  <gbean name="admin-login"
>>> >>>         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>> >>>   <attribute name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
>>> >>>   <attribute name="options">delegateRealm=delegate-realm
>>> >>>       groupName=delegate-admin</attribute>
>>> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>> >>>  </gbean>
>>> >>>  <gbean name="geronimo-admin"
>>> >>>         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>> >>>   <attribute name="realmName">geronimo-admin</attribute>
>>> >>>   <reference name="LoginModuleConfiguration">
>>> >>>     <name>admin-login</name>
>>> >>>   </reference>
>>> >>>   <reference name="ServerInfo">
>>> >>>     <name>ServerInfo</name>
>>> >>>   </reference>
>>> >>>  </gbean>
>>> >>>  <gbean name="admin-login"
>>> >>>         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>>> >>>   <attribute name="controlFlag">REQUIRED</attribute>
>>> >>>   <reference name="LoginModule">
>>> >>>     <name>admin-login</name>
>>> >>>   </reference>
>>> >>>  </gbean>
>>> >>>
>>> >>>  <!--
>>> >>>  <gbean name="properties-login"
>>> >>>         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>> >>>   <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>>> >>>   <attribute name="options">usersURI=var/security/users.properties
>>> >>>           groupsURI=var/security/groups.properties</attribute>
>>> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>> >>>  </gbean>
>>> >>>  -->
>>> >>>
>>> >>>  <gbean name="geronimo-default"
>>> >>>         class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>>> >>>   <attribute name="keystoreName">geronimo-default</attribute>
>>> >>>   <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
>>> >>>   <attribute name="keystorePassword">secret</attribute>
>>> >>>   <attribute name="keystoreType">JKS</attribute>
>>> >>>   <attribute name="keyPasswords">geronimo=secret</attribute>
>>> >>>   <reference name="ServerInfo">
>>> >>>     <name>ServerInfo</name>
>>> >>>   </reference>
>>> >>>  </gbean>
>>> >>> </module>
>>> >>>
>>> >>> You can see the configuration for my custom login module. The important
>>> >>> piece for this problem is the "properties-login" gbean that I have commented
>>> >>> out. Without this GBean, Geronimo is unable to startup due to the bug
>>> >>> originally discussed in this thread (GERONIMO-4603). If you enable this
>>> >>> GBean, then Geronimo can startup correctly (granted everything else is
>>> >>> configured appropriately). Because of the hardwired issue discussed in issue
>>> >>> 4603, I have to put the dummy "properties-login" gbean in place even though
>>> >>> I'm not using a "properties-login" gbean in my configuration.
>>> >>>
>>> >>> Joe
>>> >>>
>>> >>> ===========================
>>> >>> I also tried creating a realm through the console, then exporting it
>>> >>> as a plugin, undeploying the original, deploying as a plugin and
>>> >>> restarting the server after doing the config.xml changes.
>>> >>>
>>> >>> Doesn't work either. Complains about:
>>> >>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
>>> >>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
>>> >>> the keystore page in the admin console to unlock it:  vmcid: Apache
>>> >>> minor code: 0x5  completed: No
>>> >>>
>>> >>> Q
>>> >>>
>>> >>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@skywalk.co.za>
>>> >>> wrote:
>>> >>>>
>>> >>>> No. This isn't working right. I don't know what I'm doing wrong.
>>> >>>>
>>> >>>> I take the exported plugin. Extract it to directory "x".
>>> >>>>
>>> >>>> Then I change only the groupId everywhere in the plugin from
>>> >>>> "org.apache.geronimo.framework" to "test" and version from
>>> >>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>>> >>>>
>>> >>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
>>> >>>> Successfully installed: test/server-security-config/2.2/car
>>> >>>>
>>> >>>> I stop the server, and then edit artifact_aliases.properties and change:
>>> >>>>
>>> >>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
>>> >>>> test/server-security-config//car=test/server-security-config/2.2/car
>>> >>>>
>>> >>>> TO
>>> >>>>
>>> >>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
>>> >>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
>>> >>>> test/server-security-config//car=test/server-security-config/2.2/car
>>> >>>>
>>> >>>> And config.xml from:
>>> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>>> >>>>   <module name="test/server-security-config/2.2/car"/>
>>> >>>>
>>> >>>> TO:
>>> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car" load="false"/>
>>> >>>>   <module name="test/server-security-config/2.2/car"/>
>>> >>>>
>>> >>>> Then I try and start the server, and all I get is this, i.e. it starts
>>> >>>> and right after loading my plugin stops the server without an error.
>>> >>>> 2009-09-11 22:14:37,642 INFO  [Log4jService] ----------------------------------------------
>>> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
>>> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
>>> >>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory = /opt/testkms/server/geronimo-2.2-20090908
>>> >>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun JVM 1.5.0_17
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard Edition
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.runtime.version]  = 1.5.0_17-b04
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.name]               = Linux
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.version]            = 2.6.24-24-generic
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [sun.os.patch.level]    = unknown
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.arch]               = i386
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.class.version]    = 49.0
>>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [locale]                = en_ZA
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [unicode.encoding]      = UnicodeLittle
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [file.encoding]         = UTF-8
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.name]          = Java HotSpot(TM) Client VM
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.vendor]        = Sun Microsystems Inc.
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.version]       = 1.5.0_17-b04
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.info]          = mixed mode
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.classpath]        = null
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.library.path]     = /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.endorsed.dirs]    = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.ext.dirs]         = /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [sun.boot.class.path]   = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
>>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService] ----------------------------------------------
>>> >>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
>>> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
>>> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
>>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.MetaFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
>>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.MessageFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
>>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=java.net.preferIPv4Stack to Value=true
>>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.SOAPConnectionFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
>>> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting Property=javax.xml.soap.SOAPFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
>>> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting Property=java.security.Provider to Value=SUN
>>> >>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
>>> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
>>> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
>>> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
>>> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] ----------------------------------------------
>>> >>>>
>>> >>>> Q
>>> >>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@skywalk.co.za>
>>> >>>> wrote:
>>> >>>>>
>>> >>>>> do i need to delete config.ser?
>>> >>>>>
>>> >>>>> Q
>>> >>>>>
>>> >>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@21technologies.com>
>>> >>>>> wrote:
>>> >>>>>>
>>> >>>>>> That's how I got started. I have a project that includes a custom
>>> >>>>>> login module as well as a customized geronimo-plugin.xml that originally was
>>> >>>>>> an exported version of the server-security-config plugin. My plugin project
>>> >>>>>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
>>> >>>>>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>>> >>>>>> being my jar's deployment plan. You can also try and build a car using the
>>> >>>>>> maven car plugin, although I haven't played around with this yet. I found
>>> >>>>>> this wiki article to be helpful:
>>> >>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>> >>>>>>
>>> >>>>>> Joe
>>> >>>>>>
>>> >>>>>> ---------------------
>>> >>>>>> Sorry, I've never created a plugin. To create a new
>>> >>>>>> server-security-config plugin, do you mean I should copy
>>> >>>>>> server-security-config using the console's plugin export and modify
>>> >>>>>> it?
>>> >>>>>>
>>> >>>>>> Q
>>> >>>>>>
>>> >>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@21technologies.com>
>>> >>>>>> wrote:
>>> >>>>>>>
>>> >>>>>>> To reproduce it create your own server-security-config plugin that
>>> >>>>>>> uses any login module other than the properties-login gbean that is
>>> >>>>>>> expected. You then need to deploy your new server-security-config plugin and
>>> >>>>>>> have it completely replace the default server-security-config (see
>>> >>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>> >>>>>>> I achieved this by telling the server-security-config car to not load in the
>>> >>>>>>> config.xml, telling my security plugin to load in the config.xml, and then
>>> >>>>>>> adding artifact aliases for both the 2.1.4 and wildcard-versioned lines
>>> >>>>>>> referring to the server-security-config plugin in the
>>> >>>>>>> artifact_aliases.properties file.
>>> >>>>>>>
>>> >>>>>>> In artifact_aliases.properties:
>>> >>>>>>>
>>> >>>>>>> org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>> >>>>>>>
>>> >>>>>>> org.apache.geronimo.framework/server-security-config/2.1.4/car=org
>>> >>>>>>> com.my.geronimo/my-security-config/1.0/car
>>> >>>>>>>
>>> >>>>>>> In config.xml:
>>> >>>>>>>       <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
>>> >>>>>>>       <module name="com.my.geronimo/my-security-config/1.0/car"/>
>>> >>>>>>>
>>> >>>>>>> Now try and startup Geronimo. You will see the error discussing the
>>> >>>>>>> missing expected gbean.
>>> >>>>>>> Hope this helps,
>>> >>>>>>> Joe
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> -------------
>>> >>>>>>> Errr. Ouch. *rubbing the bruised area in his brain*.
>>> >>>>>>>
>>> >>>>>>> I'm not that on with everything you said. I think the best thing
>>> >>>>>>> would be to reproduce it. What would I do to reproduce it?
>>> >>>>>>>
>>> >>>>>>> Q
>>> >>>>>>>
>>> >>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks
>>> >>>>>>> <david_jencks@yahoo.com> wrote:
>>> >>>>>>>>
>>> >>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>> >>>>>>>>
>>> >>>>>>>>> I'll be willing to have a look at it.
>>> >>>>>>>>>
>>> >>>>>>>>> can you give me a general idea what I'm supposed to look at and how
>>> >>>>>>>>> it would be done?
>>> >>>>>>>>
>>> >>>>>>>> IIRC the failure is caused by an unsatisfied single valued gbean reference
>>> >>>>>>>> to the properties login module gbean from something in the admin console.
>>> >>>>>>>> You need to find the gbean reference and change it to a collection valued
>>> >>>>>>>> reference so it's no longer a mandatory reference.  You can wrap a
>>> >>>>>>>> collection valued reference with SingleElementCollection to make it act like
>>> >>>>>>>> an optional single valued reference.
>>> >>>>>>>>
>>> >>>>>>>> hope this is clear enough to help..
>>> >>>>>>>> david jencks
>>> >>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>> Q
>>> >>>>>>>>>
>>> >>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks
>>> >>>>>>>>> <david_jencks@yahoo.com> wrote:
>>> >>>>>>>>>>
>>> >>>>>>>>>> Hi Joe!
>>> >>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>> >>>>>>>>>>
>>> >>>>>>>>>> Hi,
>>> >>>>>>>>>> I've been working on replacing Geronimo 2.1.4's server-security-config
>>> >>>>>>>>>> plugin's example security with our own security plugin. We need single
>>> >>>>>>>>>> sign on for our application which also means the same sign on process has to
>>> >>>>>>>>>> work with the Geronimo admin console. We need to be able to use custom realms
>>> >>>>>>>>>> and custom login modules in our server-security-config plugin replacement
>>> >>>>>>>>>> that may change depending on the environment we deploy to. I've run into two
>>> >>>>>>>>>> limitations so far that I've found documented online. One is that unless I
>>> >>>>>>>>>> want to re-deploy other plugins that use the 'geronimo-admin' security
>>> >>>>>>>>>> realm, then our custom security realm must be named 'geronimo-admin' as
>>> >>>>>>>>>> well. The other is that I ran into
>>> >>>>>>>>>> http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>>> >>>>>>>>>> create a dummy properties-login gbean in order for the tomcat components
>>> >>>>>>>>>> to start up.
>>> >>>>>>>>>>
>>> >>>>>>>>>> In my experience this is incredibly annoying.  I don't have time but wonder
>>> >>>>>>>>>> if anyone else can see about fixing this for 2.2.
>>> >>>>>>>>>>
>>> >>>>>>>>>> I've created aliases for my plugin over the server-security-config plugin
>>> >>>>>>>>>> in 'artifact-aliases.properties' file and I've also disabled the
>>> >>>>>>>>>> server-security-config plugin and added my plugin as a loaded module in
>>> >>>>>>>>>> the 'config.xml'. Unfortunately, I still cannot log into the Geronimo
>>> >>>>>>>>>> console using my custom security realm and login module. Geronimo has no
>>> >>>>>>>>>> problem starting with the current configuration and I can even login using
>>> >>>>>>>>>> my custom login module. Everything seems happy as far as the login process
>>> >>>>>>>>>> is concerned when I step through the code, but instead of seeing the
>>> >>>>>>>>>> Geronimo console I get a tomcat error page stating 'Access to the specified
>>> >>>>>>>>>> resource () has been forbidden'.  The logs are completely clean as well as
>>> >>>>>>>>>> the console output. My only idea is that my admin users also need to be
>>> >>>>>>>>>> members of a specifically named Geronimo admin group (make my admin group's
>>> >>>>>>>>>> name exactly match the one setup in the default security plugin)? I have not
>>> >>>>>>>>>> tested this hypothesis out yet, because I have my own admin group that is
>>> >>>>>>>>>> used by our application that I would like to re-use as the Geronimo
>>> >>>>>>>>>> console's admin group. Any other thoughts?
>>> >>>>>>>>>>
>>> >>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>> >>>>>>>>>> application, although in 2.2 you can put it into a different plugin if
>>> >>>>>>>>>> you want and I think then swap it via an artifact-alias with one in a
>>> >>>>>>>>>> different plugin.
>>> >>>>>>>>>> So, that means that you need to supply the principals the principal-role
>>> >>>>>>>>>> mapping expects:
>>> >>>>>>>>>>   <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>> >>>>>>>>>>       <role-mappings>
>>> >>>>>>>>>>           <role role-name="admin">
>>> >>>>>>>>>>               <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>> >>>>>>>>>>                          name="admin" />
>>> >>>>>>>>>>           </role>
>>> >>>>>>>>>>       </role-mappings>
>>> >>>>>>>>>>   </security>
>>> >>>>>>>>>>
>>> >>>>>>>>>> So, your login module needs to supply a principal of
>>> >>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
>>> >>>>>>>>>> Let us know if this doesn't work.
>>> >>>>>>>>>> thanks
>>> >>>>>>>>>> david jencks
>>> >>>>>>>>>>
>>> >>>>>>>>>> Thanks,
>>> >>>>>>>>>> Joe
>>> >>>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>> --
>>> >>>>>>>>> Quintin Beukes


-- 
Ivan
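
As an added example (not part of the thread and not Geronimo project code): a consistency check for the replacement procedure Joe describes, covering config.xml, artifact_aliases.properties and the plan's properties-login workaround for GERONIMO-4603. The function names and the SAMPLE_* inputs are constructed for illustration; the module IDs, gbean names and realm name are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Module IDs quoted in the thread; every SAMPLE_* input below is constructed.
DEFAULT_ID = "org.apache.geronimo.framework/server-security-config/2.1.4/car"
NEW_ID = "com.my.geronimo/my-security-config/1.0/car"

SAMPLE_CONFIG = """<attributes>
  <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
  <module name="com.my.geronimo/my-security-config/1.0/car"/>
</attributes>"""

# Only the wildcard alias is present; the versioned line is missing on purpose.
SAMPLE_ALIASES = """# constructed sample
org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
"""

# The properties-login gbean is commented out, as in the plan posted in the thread.
SAMPLE_PLAN = """<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"/>
  <gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">geronimo-admin</attribute>
  </gbean>
  <!-- <gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"/> -->
</module>"""


def _local(tag):
    """Drop the XML namespace so element names match across schema versions."""
    return tag.rsplit("}", 1)[-1]


def parse_aliases(text):
    """Parse artifact_aliases.properties text into {alias: target}."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            aliases[key.strip()] = value.strip()
    return aliases


def check_replacement(config_xml, aliases_text, plan_xml, default_id, new_id):
    """Return a list of findings for a server-security-config replacement."""
    findings = []

    # config.xml: default module switched off, replacement module loaded.
    loads = {el.get("name"): el.get("load", "true") != "false"
             for el in ET.fromstring(config_xml).iter() if _local(el.tag) == "module"}
    if loads.get(default_id, False):
        findings.append(f"config.xml: {default_id} is still set to load")
    if not loads.get(new_id, False):
        findings.append(f"config.xml: {new_id} is not listed as a loaded module")

    # artifact_aliases.properties: wildcard and versioned IDs both redirected.
    group, artifact, _version, kind = default_id.split("/")
    aliases = parse_aliases(aliases_text)
    for key in (f"{group}/{artifact}//{kind}", default_id):
        if aliases.get(key) != new_id:
            findings.append(f"artifact_aliases.properties: {key} does not map to {new_id}")

    # Plan: XML comments are dropped by the parser, so a commented-out gbean is absent.
    gbeans = [el for el in ET.fromstring(plan_xml).iter() if _local(el.tag) == "gbean"]
    if not any(g.get("name") == "properties-login" for g in gbeans):
        findings.append("plan: no properties-login gbean (GERONIMO-4603 workaround)")
    realm_names = {
        (attr.text or "").strip()
        for g in gbeans if g.get("class", "").endswith(".GenericSecurityRealm")
        for attr in g
        if _local(attr.tag) == "attribute" and attr.get("name") == "realmName"
    }
    if "geronimo-admin" not in realm_names:
        findings.append("plan: no GenericSecurityRealm with realmName geronimo-admin")
    return findings


if __name__ == "__main__":
    for finding in check_replacement(SAMPLE_CONFIG, SAMPLE_ALIASES, SAMPLE_PLAN,
                                     DEFAULT_ID, NEW_ID):
        print(finding)
```

On the constructed samples the check reports the missing versioned alias and the missing properties-login gbean; the login module still has to supply the GeronimoGroupPrincipal named "admin" mentioned in the thread, which a static check of these files cannot confirm.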
