geronimo-user mailing list archives

From "Joe Dente" <jde...@21technologies.com>
Subject RE: Replacing the server-security-config plugin
Date Fri, 11 Sep 2009 21:15:36 GMT
I'm going to be busy for the rest of the day, but here's the deployment plan I use in my replacement
server-security-config plugin:

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>com.mycode.geronimo</groupId>
      <artifactId>delegating-login-module</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.framework</groupId>
        <artifactId>j2ee-security</artifactId>
        <version>2.1.4</version>
        <type>car</type>
      </dependency>
    </dependencies>
    <hidden-classes/>
    <non-overridable-classes/>
  </environment>
  
  <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
  
  <!-- Default Security Realm Using Delegate Login Module -->
  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
    <attribute name="options">delegateRealm=delegate-realm
        groupName=delegate-admin</attribute>
    <attribute name="loginDomainName">geronimo-admin</attribute>
  </gbean>
  <gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">geronimo-admin</attribute>
    <reference name="LoginModuleConfiguration">
      <name>admin-login</name>
    </reference>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
  </gbean>
  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>admin-login</name>
    </reference>
  </gbean>
  
  <!--
  <gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
    <attribute name="options">usersURI=var/security/users.properties
            groupsURI=var/security/groups.properties</attribute>
    <attribute name="loginDomainName">geronimo-admin</attribute>
  </gbean>
  -->
  
  <gbean name="geronimo-default" class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
    <attribute name="keystoreName">geronimo-default</attribute>
    <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
    <attribute name="keystorePassword">secret</attribute>
    <attribute name="keystoreType">JKS</attribute>
    <attribute name="keyPasswords">geronimo=secret</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
  </gbean>
</module>

You can see the configuration for my custom login module. The important piece for this problem
is the "properties-login" gbean that I have commented out. Without this GBean, Geronimo is
unable to start up due to the bug originally discussed in this thread (GERONIMO-4603). If you
enable this GBean, then Geronimo can start up correctly (granted everything else is configured
appropriately). Because of the hardwired issue discussed in issue 4603, I have to put the
dummy "properties-login" gbean in place even though I'm not using a "properties-login" gbean
in my configuration.

Joe
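The requirement David Jencks states further down the thread is that the login module hand the console a GeronimoGroupPrincipal named "admin". The following is an added illustration written for this page, not Joe's DelegatingLoginModule and not Geronimo's own code; it reuses Joe's option names delegateRealm and groupName, but their meaning here (delegate the credential check to a JAAS-registered realm, then grant "admin" only to users that realm placed in the groupName group), the package name and the class name are my assumptions.

```java
package com.example.geronimo.login;  // hypothetical package, not Joe's com.mycode.geronimo

import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;

/** Delegates the credential check to another realm, then adds the GeronimoGroupPrincipal "admin"
 *  the console's role mapping expects, only for users the delegate realm put in the source group. */
public class GroupMappingLoginModule implements LoginModule {
    private static final String ADMIN_GROUP = "admin";   // the name wired into the console's <role-mappings>
    private Subject subject;
    private CallbackHandler handler;
    private String delegateRealm;   // option delegateRealm: JAAS name of the realm that verifies credentials
    private String sourceGroup;     // option groupName: delegate group that maps onto console "admin"
    private LoginContext delegate;
    private GeronimoGroupPrincipal adminGroup;
    private boolean loginSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Both keys come from the plan's <attribute name="options"> (one key=value per line).
        this.delegateRealm = (String) options.get("delegateRealm");
        this.sourceGroup = (String) options.get("groupName");
    }
    public boolean login() throws LoginException {
        if (delegateRealm == null || sourceGroup == null) throw new LoginException("delegateRealm and groupName options are required");
        // Share our Subject and callback handler with the delegate realm (assumption: Geronimo registered it
        // with JAAS under its realmName). A bad password surfaces here as a LoginException; nothing is committed.
        delegate = new LoginContext(delegateRealm, subject, handler);
        delegate.login();
        loginSucceeded = true;
        return true;
    }
    public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;
        // Grant the console's admin group only if the delegate asserted the source group.
        for (GeronimoGroupPrincipal g : subject.getPrincipals(GeronimoGroupPrincipal.class)) {
            if (!sourceGroup.equals(g.getName())) continue;
            adminGroup = new GeronimoGroupPrincipal(ADMIN_GROUP);
            subject.getPrincipals().add(adminGroup);
            break;
        }
        return true;
    }
    public boolean abort() throws LoginException { return logout(); }
    public boolean logout() throws LoginException {
        // Remove what this module and its delegate added, so a failed or ended login leaves no admin principal.
        if (adminGroup != null) { subject.getPrincipals().remove(adminGroup); adminGroup = null; }
        if (delegate != null) { delegate.logout(); delegate = null; }
        loginSucceeded = false;
        return true;
    }
}
```

Users the delegate realm authenticates but does not place in the groupName group keep only the delegate's principals, so they never satisfy the console's "admin" role mapping.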

===========================
I also tried creating a realm through the console, then exporting it
as a plugin, undeploying the original, deploying as a plugin and
restarting the server after doing the config.xml changes.

Doesn't work either. Complains about:
org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
SSL socket factory: Keystore 'geronimo-default' is locked; please use
the keystore page in the admin console to unlock it:  vmcid: Apache
minor code: 0x5  completed: No

Q

On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
> No. This isn't working right. I don't know what I'm doing wrong.
>
> I take the exported plugin. Extract it to directory "x".
>
> Then I change only the groupId everywhere in the plugin from
> "org.apache.geronimo.framework" to "test" and version from
> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>
> Then I start geronimo and deploy this with deploy.sh install-plugin.
> Successfully installed: test/server-security-config/2.2/car
>
> I stop the server, and then edit artifact_aliases.properties and change:
> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
> test/server-security-config//car=test/server-security-config/2.2/car
>
> TO
> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
> test/server-security-config//car=test/server-security-config/2.2/car
>
> And config.xml from:
>    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>    <module name="test/server-security-config/2.2/car"/>
>
> TO:
>    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"
> load="false"/>
>    <module name="test/server-security-config/2.2/car"/>
>
> Then I try and start the server, and all I get is this, ie. it starts
> and right after loading my plugin stops the server without an error.
> 2009-09-11 22:14:37,642 INFO  [Log4jService]
> ----------------------------------------------
> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory =
> /opt/testkms/server/geronimo-2.2-20090908
> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun
> JVM 1.5.0_17
> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
> Edition
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [java.runtime.version]  = 1.5.0_17-b04
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [os.name]               = Linux
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [os.version]            = 2.6.24-24-generic
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [sun.os.patch.level]    = unknown
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [os.arch]               = i386
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [java.class.version]    = 49.0
> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> [locale]                = en_ZA
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [unicode.encoding]      = UnicodeLittle
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [file.encoding]         = UTF-8
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.vm.name]          = Java HotSpot(TM) Client VM
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.vm.vendor]        = Sun Microsystems Inc.
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.vm.version]       = 1.5.0_17-b04
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.vm.info]          = mixed mode
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.classpath]        = null
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.library.path]     =
> /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.endorsed.dirs]    =
> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [java.ext.dirs]         =
> /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> [sun.boot.class.path]   =
> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
> 2009-09-11 22:14:37,646 INFO  [Log4jService]
> ----------------------------------------------
> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
> at name java:comp
> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
> at name java:
> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
> at name ger:
> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> Property=javax.xml.soap.MetaFactory to
> Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> Property=javax.xml.soap.MessageFactory to
> Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> Property=java.net.preferIPv4Stack to Value=true
> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> Property=javax.xml.soap.SOAPConnectionFactory to
> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
> Property=javax.xml.soap.SOAPFactory to
> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
> Property=java.security.Provider to Value=SUN
> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
> at name java:
> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
> at name ger:
> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
> at name java:comp
> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
> 2009-09-11 22:14:40,265 INFO  [Log4jService]
> ----------------------------------------------
>
> Q
> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>> do I need to delete config.ser?
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@21technologies.com> wrote:
>>> That's how I got started. I have a project that includes a custom login module
>>> as well as a customized geronimo-plugin.xml that originally was an exported version of the
>>> server-security-config plugin. My plugin project creates a simple jar with the geronimo-plugin.xml
>>> in my jar's 'META-INF' folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>>> being my jar's deployment plan. You can also try and build a car using the maven car plugin,
>>> although I haven't played around with this yet. I found this wiki article to be helpful:
>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>>
>>> Joe
>>>
>>> ---------------------
>>> Sorry, I've never created a plugin. To create a new
>>> server-security-config plugin, do you mean I should copy
>>> server-security-config using the console's plugin export and modify
>>> it?
>>>
>>> Q
>>>
>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@21technologies.com> wrote:
>>>> To reproduce it create your own server-security-config plugin that uses any
>>>> login module other than the properties-login gbean that is expected. You then need to deploy
>>>> your new server-security-config plugin and have it completely replace the default server-security-config
>>>> (see http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>>> I achieved this by telling the server-security-config car to not load in the config.xml, telling
>>>> my security plugin to load in the config.xml, and then adding artifact aliases for both the
>>>> 2.1.4 and wildcard-versioned lines referring to the server-security-config plugin in the
>>>> artifact_aliases.properties file.
>>>>
>>>> In artifact_aliases.properties:
>>>>        org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>>>        org.apache.geronimo.framework/server-security-config/2.1.4/car=org
>>>> com.my.geronimo/my-security-config/1.0/car
>>>>
>>>> In config.xml:
>>>>        <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
>>>>        <module name="com.my.geronimo/my-security-config/1.0/car"/>
>>>>
>>>> Now try and start up Geronimo. You will see the error discussing the missing
>>>> expected gbean.
>>>> Hope this helps,
>>>> Joe
>>>>
>>>>
>>>>
>>>> -------------
>>>> Errr. Ouch. *rubbing the bruised area in his brain*.
>>>>
>>>> I'm not that on with everything you said. I think the best thing would
>>>> be to reproduce it. What would I do to reproduce it?
>>>>
>>>> Q
>>>>
>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks <david_jencks@yahoo.com> wrote:
>>>>>
>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>>>>
>>>>>> I'll be willing to have a look at it.
>>>>>>
>>>>>> can you give me a general idea what I'm supposed to look at and how it
>>>>>> would be done?
>>>>>
>>>>> IIRC the failure is caused by an unsatisfied single valued gbean reference
>>>>> to the properties login module gbean from something in the admin console.
>>>>>  You need to find the gbean reference and change it to a collection valued
>>>>> reference so it's no longer a mandatory reference.  You can wrap a
>>>>> collection valued reference with SingleElementCollection to make it act like
>>>>> an optional single valued reference.
>>>>>
>>>>> hope this is clear enough to help..
>>>>> david jencks
>>>>>
>>>>>>
>>>>>> Q
>>>>>>
>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks <david_jencks@yahoo.com> wrote:
>>>>>>>
>>>>>>> Hi Joe!
>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>> I've been working on replacing Geronimo 2.1.4's server-security-config
>>>>>>> plugin's example security with our own security plugin. We need single
>>>>>>> sign on for our application which also means the same sign on process has to
>>>>>>> work with the Geronimo admin console. We need to be able to use custom realms
>>>>>>> and custom login modules in our server-security-config plugin replacement
>>>>>>> that may change depending on the environment we deploy to. I've run into two
>>>>>>> limitations so far that I've found documented online. One is that unless I
>>>>>>> want to re-deploy other plugins that use the 'geronimo-admin' security
>>>>>>> realm, then our custom security realm must be named 'geronimo-admin' as
>>>>>>> well. The other is that I ran into
>>>>>>> http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>>>>>>> create a dummy properties-login gbean in order for the tomcat components
>>>>>>> to start up.
>>>>>>>
>>>>>>> In my experience this is incredibly annoying.  I don't have time but
>>>>>>> wonder if anyone else can see about fixing this for 2.2.
>>>>>>>
>>>>>>> I've created aliases for my plugin over the server-security-config plugin
>>>>>>> in the 'artifact-aliases.properties' file and I've also disabled the
>>>>>>> server-security-config plugin and added my plugin as a loaded module in
>>>>>>> the 'config.xml'. Unfortunately, I still cannot log into the Geronimo console
>>>>>>> using my custom security realm and login module. Geronimo has no problem
>>>>>>> starting with the current configuration and I can even log in using my custom
>>>>>>> login module. Everything seems happy as far as the login process is
>>>>>>> concerned when I step through the code, but instead of seeing the Geronimo
>>>>>>> console I get a tomcat error page stating 'Access to the specified resource
>>>>>>> () has been forbidden'.  The logs are completely clean as well as the
>>>>>>> console output. My only idea is that my admin users also need to be members
>>>>>>> of a specifically named Geronimo admin group (make my admin group's name
>>>>>>> exactly match the one set up in the default security plugin)? I have not
>>>>>>> tested this hypothesis out yet, because I have my own admin group that is
>>>>>>> used by our application that I would like to re-use as the Geronimo
>>>>>>> console's admin group. Any other thoughts?
>>>>>>>
>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>>>>>> application, although in 2.2 you can put it into a different plugin if you
>>>>>>> want and I think then swap it via an artifact-alias with one in a different
>>>>>>> plugin.
>>>>>>> So, that means that you need to supply the principals the principal-role
>>>>>>> mapping expects:
>>>>>>>    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>>>>>>        <role-mappings>
>>>>>>>            <role role-name="admin">
>>>>>>>                <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" />
>>>>>>>            </role>
>>>>>>>        </role-mappings>
>>>>>>>    </security>
>>>>>>>
>>>>>>> So, your login module needs to supply a principal of
>>>>>>> class GeronimoGroupPrincipal and name "admin".
>>>>>>> Let us know if this doesn't work.
>>>>>>> thanks
>>>>>>> david jencks
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Joe
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Quintin Beukes
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Quintin Beukes
>>>>
>>>
>>>
>>>
>>> --
>>> Quintin Beukes
>>>
>>
>>
>>
>> --
>> Quintin Beukes
>>
>
>
>
> --
> Quintin Beukes
>



-- 
Quintin Beukes
