From David Jencks <david_jen...@yahoo.com>
Subject Re: Replacing the server-security-config plugin
Date Fri, 11 Sep 2009 22:49:08 GMT

On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:

> OK. So I found the reference. It's like so:
>      <gbean name="PropertiesLoginManager" class="org.apache.geronimo.console.core.security.PropertiesLoginModuleManager">
>        <reference name="ServerInfo">
>          <name>ServerInfo</name>
>        </reference>
>        <reference name="LoginModule">
>          <name>properties-login</name>
>        </reference>
>      </gbean>
>
> And it's in console-tomcat's plan.
>
> 1. How would I make it multivalued and wrap it in SingleElementCollection?

You need to find the java code for PropertiesLoginModuleManager.  It  
should have a reference to a login module.... you need to turn the  
reference into a Collection<LoginModuleGBean>.  Hopefully it's a  
constructor arg.  Instead of dealing with the Collection itself you  
can immediately wrap it in a SingleElementCollection and use that  
instead.  Then you'll have to look at the code in  
PropertiesLoginModuleManager and make sure it doesn't do anything  
unfortunate if there is no login module in the collection.
>
>
> 2. How would I redeploy it?

You'll need to have checked out geronimo to get this far.... the  
simplest is to just build all of geronimo.  If you've built at least  
once, you can just build the plugins/console and then assemblies.   
(I'm assuming that my recollection that this code is in  
plugins/console is correct).

hope this helps
david jencks


>
> Q
>
> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente  
> <jdente@21technologies.com> wrote:
>> I'm going to be busy for the rest of the day, but here's the  
>> deployment plan I use in my replacement server-security-config  
>> plugin:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>  <environment>
>>    <moduleId>
>>      <groupId>com.mycode.geronimo</groupId>
>>      <artifactId>delegating-login-module</artifactId>
>>      <version>1.0</version>
>>      <type>car</type>
>>    </moduleId>
>>    <dependencies>
>>      <dependency>
>>        <groupId>org.apache.geronimo.framework</groupId>
>>        <artifactId>j2ee-security</artifactId>
>>        <version>2.1.4</version>
>>        <type>car</type>
>>      </dependency>
>>    </dependencies>
>>    <hidden-classes/>
>>    <non-overridable-classes/>
>>  </environment>
>>
>>  <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
>>
>>  <!-- Default Security Realm Using Delegate Login Module -->
>>  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>    <attribute name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
>>    <attribute name="options">delegateRealm=delegate-realm
>>        groupName=delegate-admin</attribute>
>>    <attribute name="loginDomainName">geronimo-admin</attribute>
>>  </gbean>
>>  <gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>    <attribute name="realmName">geronimo-admin</attribute>
>>    <reference name="LoginModuleConfiguration">
>>      <name>admin-login</name>
>>    </reference>
>>    <reference name="ServerInfo">
>>      <name>ServerInfo</name>
>>    </reference>
>>  </gbean>
>>  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>>    <attribute name="controlFlag">REQUIRED</attribute>
>>    <reference name="LoginModule">
>>      <name>admin-login</name>
>>    </reference>
>>  </gbean>
>>
>>  <!--
>>  <gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>>    <attribute name="options">usersURI=var/security/users.properties
>>            groupsURI=var/security/groups.properties</attribute>
>>    <attribute name="loginDomainName">geronimo-admin</attribute>
>>  </gbean>
>>  -->
>>
>>  <gbean name="geronimo-default" class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>>    <attribute name="keystoreName">geronimo-default</attribute>
>>    <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
>>    <attribute name="keystorePassword">secret</attribute>
>>    <attribute name="keystoreType">JKS</attribute>
>>    <attribute name="keyPasswords">geronimo=secret</attribute>
>>    <reference name="ServerInfo">
>>      <name>ServerInfo</name>
>>    </reference>
>>  </gbean>
>> </module>
>>
>> You can see the configuration for my custom login module. The  
>> important piece for this problem is the "properties-login" gbean  
>> that I have commented out. Without this GBean, Geronimo is unable  
>> to startup due to the bug originally discussed in this thread  
>> (GERONIMO-4603). If you enable this GBean, then Geronimo can  
>> startup correctly (granted everything else is configured  
>> appropriately). Because of the hardwired issue discussed in issue  
>> 4603, I have to put the dummy "properties-login" gbean in place  
>> even though I'm not using a "properties-login" gbean in my  
>> configuration.
>>
>> Joe
>>
>> ===========================
>> I also tried creating a realm through the console, then exporting it
>> as a plugin, undeploying the original, deploying as a plugin and
>> restarting the server after doing the config.xml changes.
>>
>> Doesn't work either. Complains about:
>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
>> the keystore page in the admin console to unlock it:  vmcid: Apache
>> minor code: 0x5  completed: No
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>>> No. This isn't working right. I don't know what I'm doing wrong.
>>>
>>> I take the exported plugin. Extract it to directory "x".
>>>
>>> Then I change only the groupId everywhere in the plugin from
>>> "org.apache.geronimo.framework" to "test" and version from
>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>>>
>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
>>> Successfully installed: test/server-security-config/2.2/car
>>>
>>> I stop the server, and then edit artifact_aliases.properties and change:
>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>
>>> TO
>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>
>>> And config.xml from:
>>>    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>>>    <module name="test/server-security-config/2.2/car"/>
>>>
>>> TO:
>>>    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car" load="false"/>
>>>    <module name="test/server-security-config/2.2/car"/>
>>>
>>> Then I try and start the server, and all I get is this, i.e. it starts
>>> and right after loading my plugin stops the server without an error.
>>> 2009-09-11 22:14:37,642 INFO  [Log4jService] ----------------------------------------------
>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory = /opt/testkms/server/geronimo-2.2-20090908
>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun JVM 1.5.0_17
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard Edition
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.runtime.version]  = 1.5.0_17-b04
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.name]               = Linux
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.version]            = 2.6.24-24-generic
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [sun.os.patch.level]    = unknown
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [os.arch]               = i386
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [java.class.version]    = 49.0
>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property [locale]                = en_ZA
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [unicode.encoding]      = UnicodeLittle
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [file.encoding]         = UTF-8
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.name]          = Java HotSpot(TM) Client VM
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.vendor]        = Sun Microsystems Inc.
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.version]       = 1.5.0_17-b04
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.vm.info]          = mixed mode
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.classpath]        = null
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.library.path]     = /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.endorsed.dirs]    = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [java.ext.dirs]         = /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property [sun.boot.class.path]   = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
>>> 2009-09-11 22:14:37,646 INFO  [Log4jService] ----------------------------------------------
>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.MetaFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.MessageFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=java.net.preferIPv4Stack to Value=true
>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting Property=javax.xml.soap.SOAPConnectionFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting Property=javax.xml.soap.SOAPFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting Property=java.security.Provider to Value=SUN
>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] ----------------------------------------------
>>>
>>> Q
>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>>>> do i need to delete config.ser?
>>>>
>>>> Q
>>>>
>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@21technologies.com> wrote:
>>>>> That's how I got started. I have a project that includes a  
>>>>> custom login module as well as a customized geronimo-plugin.xml  
>>>>> that originally was an exported version of the server-security- 
>>>>> config plugin. My plugin project creates a simple jar with the  
>>>>> geronimo-plugin.xml in my jar's 'META-INF' folder. I then deploy  
>>>>> this jar into Geronimo with the geronimo-plugin.xml being my  
>>>>> jar's deployment plan. You can also try and build a car using  
>>>>> the maven car plugin, although I haven't played around with this  
>>>>> yet. I found this wiki article to be helpful: http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>>>>
>>>>> Joe
>>>>>
>>>>> ---------------------
>>>>> Sorry, I've never created a plugin. To create a new
>>>>> server-security-config plugin, do you mean I should copy
>>>>> server-security-config using the console's plugin export and  
>>>>> modify
>>>>> it?
>>>>>
>>>>> Q
>>>>>
>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@21technologies.com> wrote:
>>>>>> To reproduce it create your own server-security-config plugin
>>>>>> that uses any login module other than the properties-login
>>>>>> gbean that is expected. You then need to deploy your new
>>>>>> server-security-config plugin and have it completely replace the
>>>>>> default server-security-config (see
>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>>>>> I achieved this by telling the server-security-config car to
>>>>>> not load in the config.xml, telling my security plugin to load
>>>>>> in the config.xml, and then adding artifact aliases for both
>>>>>> the 2.1.4 and wildcard-versioned lines referring to the
>>>>>> server-security-config plugin in the artifact_aliases.properties file.
>>>>>>
>>>>>> In artifact_aliases.properties:
>>>>>>        org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>>>>>        org.apache.geronimo.framework/server-security-config/2.1.4/car=com.my.geronimo/my-security-config/1.0/car
>>>>>>
>>>>>> In config.xml:
>>>>>>        <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
>>>>>>        <module name="com.my.geronimo/my-security-config/1.0/car"/>
>>>>>>
>>>>>> Now try and startup Geronimo. You will see the error discussing
>>>>>> the missing expected gbean.
>>>>>> Hope this helps,
>>>>>> Joe
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------------
>>>>>> Errr. Ouch. *rubbing the bruised area in his brain*.
>>>>>>
>>>>>> I'm not that on with everything you said. I think the best  
>>>>>> thing would
>>>>>> be to reproduce it. What would I do to reproduce it?
>>>>>>
>>>>>> Q
>>>>>>
>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks <david_jencks@yahoo.com> wrote:
>>>>>>>
>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>>>>>>
>>>>>>>> I'll be willing to have a look at it.
>>>>>>>>
>>>>>>>> can you give me a general idea what I'm supposed to look at
>>>>>>>> and how it would be done?
>>>>>>>
>>>>>>> IIRC the failure is caused by an unsatisfied single valued
>>>>>>> gbean reference to the properties login module gbean from
>>>>>>> something in the admin console.
>>>>>>>  You need to find the gbean reference and change it to a
>>>>>>> collection valued reference so it's no longer a mandatory
>>>>>>> reference.  You can wrap a collection valued reference with
>>>>>>> SingleElementCollection to make it act like an optional single
>>>>>>> valued reference.
>>>>>>>
>>>>>>> hope this is clear enough to help..
>>>>>>> david jencks
>>>>>>>
>>>>>>>>
>>>>>>>> Q
>>>>>>>>
>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks <david_jencks@yahoo.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Joe!
>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I've been working on replacing Geronimo 2.1.4's
>>>>>>>>> server-security-config plugin's example security with our own
>>>>>>>>> security plugin. We need single sign on for our application
>>>>>>>>> which also means the same sign on process has to work with the
>>>>>>>>> Geronimo admin console. We need to be able to use custom realms
>>>>>>>>> and custom login modules in our server-security-config plugin
>>>>>>>>> replacement that may change depending on the environment we
>>>>>>>>> deploy to. I've run into two limitations so far that I've found
>>>>>>>>> documented online. One is that unless I want to re-deploy other
>>>>>>>>> plugins that use the 'geronimo-admin' security realm, then our
>>>>>>>>> custom security realm must be named 'geronimo-admin' as well.
>>>>>>>>> The other is that I ran into
>>>>>>>>> http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me
>>>>>>>>> to create a dummy properties-login gbean in order for the tomcat
>>>>>>>>> components to start up.
>>>>>>>>>
>>>>>>>>> In my experience this is incredibly annoying.  I don't have
>>>>>>>>> time but wonder if anyone else can see about fixing this for 2.2.
>>>>>>>>>
>>>>>>>>>  I've created aliases for my plugin over the
>>>>>>>>> server-security-config plugin in 'artifact-aliases.properties'
>>>>>>>>> file and I've also disabled the server-security-config plugin
>>>>>>>>> and added my plugin as a loaded module in the 'config.xml'.
>>>>>>>>> Unfortunately, I still cannot log into the Geronimo console
>>>>>>>>> using my custom security realm and login module. Geronimo has
>>>>>>>>> no problem starting with the current configuration and I can
>>>>>>>>> even login using my custom login module. Everything seems happy
>>>>>>>>> as far as the login process is concerned when I step through
>>>>>>>>> the code, but instead of seeing the Geronimo console I get a
>>>>>>>>> tomcat error page stating 'Access to the specified resource ()
>>>>>>>>> has been forbidden'.  The logs are completely clean as well as
>>>>>>>>> the console output. My only idea is that my admin users also
>>>>>>>>> need to be members of a specifically named Geronimo admin group
>>>>>>>>> (make my admin groups name exactly match the one setup in the
>>>>>>>>> default security plugin)? I have not tested this hypothesis out
>>>>>>>>> yet, because I have my own admin group that is used by our
>>>>>>>>> application that I would like to re-use as the Geronimo
>>>>>>>>> console's admin group. Any other thoughts?
>>>>>>>>>
>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the
>>>>>>>>> ee application, although in 2.2 you can put it into a different
>>>>>>>>> plugin if you want and I think then swap it via an
>>>>>>>>> artifact-alias with one in a different plugin.
>>>>>>>>> So, that means that you need to supply the principals the
>>>>>>>>> principal-role mapping expects:
>>>>>>>>>    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>>>>>>>>        <role-mappings>
>>>>>>>>>            <role role-name="admin">
>>>>>>>>>                <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" />
>>>>>>>>>            </role>
>>>>>>>>>        </role-mappings>
>>>>>>>>>    </security>
>>>>>>>>>
>>>>>>>>> So, your login module needs to supply a principal of
>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
>>>>>>>>> Let us know if this doesn't work.
>>>>>>>>> thanks
>>>>>>>>> david jencks
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Joe
>>>>>>>>>
> -- 
> Quintin Beukes
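As an added illustration of the refactor David describes (not Geronimo's own PropertiesLoginModuleManager source, and not code from anyone in this thread), this GBean takes its LoginModule reference as a Collection constructor argument, wraps it in SingleElementCollection, and checks for absence wherever the old mandatory reference was assumed. The package and class name are hypothetical; the GBeanInfoBuilder and SingleElementCollection signatures are assumed to be those of Geronimo 2.x.

```java
package com.example.console;   // hypothetical package, not Geronimo's console module

import java.util.Collection;
import java.util.Collections;

import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.gbean.SingleElementCollection;
import org.apache.geronimo.security.jaas.LoginModuleGBean;
import org.apache.geronimo.system.serverinfo.ServerInfo;

/**
 * Illustrative manager GBean modelled on the thread's description of
 * PropertiesLoginModuleManager (not its real source). The LoginModule
 * reference is declared through a Collection-typed constructor argument,
 * so the kernel treats it as collection-valued and no longer refuses to
 * start the GBean when no "properties-login" gbean is deployed. The
 * collection is wrapped in SingleElementCollection so the rest of the
 * class still works with "at most one" login module.
 */
public class OptionalLoginModuleManager {

    private final ServerInfo serverInfo;
    private final SingleElementCollection<LoginModuleGBean> loginModule;

    public OptionalLoginModuleManager(ServerInfo serverInfo,
                                      Collection<LoginModuleGBean> loginModules) {
        this.serverInfo = serverInfo;
        // A null collection means the plan omitted the reference entirely;
        // treat that like "no module" instead of failing at construction.
        if (loginModules == null) {
            loginModules = Collections.<LoginModuleGBean>emptyList();
        }
        // getElement() returns null for an empty collection and throws
        // if more than one gbean matches (assumed Geronimo 2.x semantics).
        this.loginModule = new SingleElementCollection<LoginModuleGBean>(loginModules);
    }

    /** The configured login module, or null when the plan supplies none. */
    public LoginModuleGBean getLoginModule() {
        return loginModule.getElement();
    }

    /**
     * Every caller that used to rely on the reference being satisfied now
     * has to cope with absence. Here the manager simply reports that there
     * is nothing to manage rather than throwing during console startup.
     */
    public boolean isLoginModuleAvailable() {
        return getLoginModule() != null;
    }

    public static final GBeanInfo GBEAN_INFO;

    static {
        GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(OptionalLoginModuleManager.class);
        infoBuilder.addReference("ServerInfo", ServerInfo.class, "GBean");
        // Same reference name and j2eeType as the plan's <reference name="LoginModule">;
        // the Collection constructor parameter is what makes it non-mandatory.
        infoBuilder.addReference("LoginModule", LoginModuleGBean.class, "LoginModule");
        infoBuilder.setConstructor(new String[]{"ServerInfo", "LoginModule"});
        GBEAN_INFO = infoBuilder.getBeanInfo();
    }

    public static GBeanInfo getGBeanInfo() {
        return GBEAN_INFO;
    }
}
```

With this shape the console-tomcat plan's `<reference name="LoginModule">` may match zero gbeans and the server still starts, which is the failure mode GERONIMO-4603 describes.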
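The other point David makes further down the thread is that the console's principal-role mapping only recognises a GeronimoGroupPrincipal named "admin". The following login module is an added example (not Joe's DelegatingLoginModule or any Geronimo code) of translating a deployment's own group name, configured through the same `groupName` option Joe's plan uses, into that principal at commit time. `AccountDirectory` is a hypothetical backing store assumed to return the user's groups on success and null on bad credentials; package and class names are also hypothetical.

```java
package com.example.login;   // hypothetical package, not the poster's com.mycode.geronimo code

import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

/**
 * Minimal login module showing the part this thread turns on: the console's
 * role mapping looks for a GeronimoGroupPrincipal named "admin", so the
 * backing store's own group (groupName=delegate-admin in Joe's plan) is
 * translated to exactly that principal, and only for its members.
 */
public class AdminGroupMappingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String adminGroup;     // backing-store group that should become "admin"
    private String user;
    private Set<String> groups;    // groups the backing store reports for the user

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.adminGroup = (String) options.get("groupName");   // same option as Joe's plan
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("User name");
        PasswordCallback password = new PasswordCallback("Password", false);
        try {
            handler.handle(new Callback[]{name, password});
        } catch (IOException e) {
            throw (LoginException) new LoginException("callback failed").initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("callback failed").initCause(e);
        }
        // AccountDirectory is hypothetical: user's groups on success, null on bad credentials.
        groups = AccountDirectory.authenticate(name.getName(), password.getPassword());
        password.clearPassword();
        if (groups == null) {
            throw new FailedLoginException("bad user name or password");
        }
        user = name.getName();
        return true;
    }

    public boolean commit() throws LoginException {
        if (user == null) return false;
        subject.getPrincipals().add(new GeronimoUserPrincipal(user));
        // Only members of the configured group get the principal the "admin"
        // role mapping expects; everyone else authenticates but is not an admin.
        if (adminGroup != null && groups.contains(adminGroup)) {
            subject.getPrincipals().add(new GeronimoGroupPrincipal("admin"));
        }
        return true;
    }

    public boolean abort() { user = null; groups = null; return true; }   // clear local state only

    public boolean logout() { user = null; groups = null; return true; }
}
```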

