geronimo-user mailing list archives

From chi runhua <chirun...@gmail.com>
Subject Re: Replacing the server-security-config plugin
Date Sat, 12 Sep 2009 13:54:26 GMT
You may also refer to https://issues.apache.org/jira/browse/GERONIMO-4818 .

Doc for G2.2 on this topic will be updated soon.

Jeff C



On Sat, Sep 12, 2009 at 6:40 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:

> Thanks. That helps. I'll see what I can do.
>
> Q
>
> On Sat, Sep 12, 2009 at 12:49 AM, David Jencks <david_jencks@yahoo.com>
> wrote:
> >
> > On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:
> >
> >> OK. So I found the reference. It's like so:
> >>     <gbean name="PropertiesLoginManager"
> >>            class="org.apache.geronimo.console.core.security.PropertiesLoginModuleManager">
> >>       <reference name="ServerInfo">
> >>         <name>ServerInfo</name>
> >>       </reference>
> >>       <reference name="LoginModule">
> >>         <name>properties-login</name>
> >>       </reference>
> >>     </gbean>
> >>
> >> And it's in console-tomcat's plan.
> >>
> >> 1. How would I make it multivalued and wrap it in SingleElementCollection?
> >
> > You need to find the java code for PropertiesLoginModuleManager.  It should
> > have a reference to a login module.... you need to turn the reference into a
> > Collection<LoginModuleGBean>.  Hopefully it's a constructor arg.  Instead of
> > dealing with the Collection itself you can immediately wrap it in a
> > SingleElementCollection and use that instead.  Then you'll have to look at
> > the code in PropertiesLoginModuleManager and make sure it doesn't do
> > anything unfortunate if there is no login module in the collection.
> >>
> >>
> >> 2. How would I redeploy it?
> >
> > you'll need to have checked out geronimo to get this far.... the simplest is
> > to just build all of geronimo.  If you've built at least once, you can just
> > build the plugins/console and then assemblies.  (I'm assuming that my
> > recollection that this code is in plugins/console is correct).
> >
> > hope this helps
> > david jencks
> >
> >
> >>
> >> Q
> >>
> >> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jdente@21technologies.com>
> >> wrote:
> >>>
> >>> I'm going to be busy for the rest of the day, but here's the deployment
> >>> plan I use in my replacement server-security-config plugin:
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
> >>>  <environment>
> >>>   <moduleId>
> >>>     <groupId>com.mycode.geronimo</groupId>
> >>>     <artifactId>delegating-login-module</artifactId>
> >>>     <version>1.0</version>
> >>>     <type>car</type>
> >>>   </moduleId>
> >>>   <dependencies>
> >>>     <dependency>
> >>>       <groupId>org.apache.geronimo.framework</groupId>
> >>>       <artifactId>j2ee-security</artifactId>
> >>>       <version>2.1.4</version>
> >>>       <type>car</type>
> >>>     </dependency>
> >>>   </dependencies>
> >>>   <hidden-classes/>
> >>>   <non-overridable-classes/>
> >>>  </environment>
> >>>
> >>>  <gbean name="CredentialStore"
> >>>         class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
> >>>
> >>>  <!-- Default Security Realm Using Delegate Login Module -->
> >>>  <gbean name="admin-login"
> >>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >>>   <attribute name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
> >>>   <attribute name="options">delegateRealm=delegate-realm
> >>>       groupName=delegate-admin</attribute>
> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
> >>>  </gbean>
> >>>  <gbean name="geronimo-admin"
> >>> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >>>   <attribute name="realmName">geronimo-admin</attribute>
> >>>   <reference name="LoginModuleConfiguration">
> >>>     <name>admin-login</name>
> >>>   </reference>
> >>>   <reference name="ServerInfo">
> >>>     <name>ServerInfo</name>
> >>>   </reference>
> >>>  </gbean>
> >>>  <gbean name="admin-login"
> >>> class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >>>   <attribute name="controlFlag">REQUIRED</attribute>
> >>>   <reference name="LoginModule">
> >>>     <name>admin-login</name>
> >>>   </reference>
> >>>  </gbean>
> >>>
> >>>  <!--
> >>>  <gbean name="properties-login"
> >>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >>>   <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
> >>>   <attribute name="options">usersURI=var/security/users.properties
> >>>           groupsURI=var/security/groups.properties</attribute>
> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
> >>>  </gbean>
> >>>  -->
> >>>
> >>>  <gbean name="geronimo-default"
> >>> class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
> >>>   <attribute name="keystoreName">geronimo-default</attribute>
> >>>   <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
> >>>   <attribute name="keystorePassword">secret</attribute>
> >>>   <attribute name="keystoreType">JKS</attribute>
> >>>   <attribute name="keyPasswords">geronimo=secret</attribute>
> >>>   <reference name="ServerInfo">
> >>>     <name>ServerInfo</name>
> >>>   </reference>
> >>>  </gbean>
> >>> </module>
> >>>
> >>> You can see the configuration for my custom login module. The important
> >>> piece for this problem is the "properties-login" gbean that I have commented
> >>> out. Without this GBean, Geronimo is unable to start up due to the bug
> >>> originally discussed in this thread (GERONIMO-4603). If you enable this
> >>> GBean, then Geronimo can start up correctly (granted everything else is
> >>> configured appropriately). Because of the hardwired issue discussed in issue
> >>> 4603, I have to put the dummy "properties-login" gbean in place even though
> >>> I'm not using a "properties-login" gbean in my configuration.
> >>>
> >>> Joe
> >>>
> >>> ===========================
> >>> I also tried creating a realm through the console, then exporting it
> >>> as a plugin, undeploying the original, deploying as a plugin and
> >>> restarting the server after doing the config.xml changes.
> >>>
> >>> Doesn't work either. Complains about:
> >>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
> >>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
> >>> the keystore page in the admin console to unlock it:  vmcid: Apache
> >>> minor code: 0x5  completed: No
> >>>
> >>> Q
> >>>
> >>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@skywalk.co.za>
> >>> wrote:
> >>>>
> >>>> No. This isn't working right. I don't know what I'm doing wrong.
> >>>>
> >>>> I take the exported plugin. Extract it to directory "x".
> >>>>
> >>>> Then I change only the groupId everywhere in the plugin from
> >>>> "org.apache.geronimo.framework" to "test" and version from
> >>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
> >>>>
> >>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
> >>>> Successfully installed: test/server-security-config/2.2/car
> >>>>
> >>>> I stop the server, and then edit artifact_aliases.properties and change:
> >>>>
> >>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
> >>>> test/server-security-config//car=test/server-security-config/2.2/car
> >>>>
> >>>> TO
> >>>>
> >>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
> >>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
> >>>> test/server-security-config//car=test/server-security-config/2.2/car
> >>>>
> >>>> And config.xml from:
> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
> >>>>   <module name="test/server-security-config/2.2/car"/>
> >>>>
> >>>> TO:
> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car" load="false"/>
> >>>>   <module name="test/server-security-config/2.2/car"/>
> >>>>
> >>>> Then I try and start the server, and all I get is this, ie. it starts
> >>>> and right after loading my plugin stops the server without an error.
> >>>> 2009-09-11 22:14:37,642 INFO  [Log4jService]
> >>>> ----------------------------------------------
> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
> >>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory =
> >>>> /opt/testkms/server/geronimo-2.2-20090908
> >>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun
> >>>> JVM 1.5.0_17
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
> >>>> Edition
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [java.runtime.version]  = 1.5.0_17-b04
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [os.name]               = Linux
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [os.version]            = 2.6.24-24-generic
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [sun.os.patch.level]    = unknown
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [os.arch]               = i386
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [java.class.version]    = 49.0
> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
> >>>> [locale]                = en_ZA
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [unicode.encoding]      = UnicodeLittle
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [file.encoding]         = UTF-8
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.vm.name]          = Java HotSpot(TM) Client VM
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.vm.vendor]        = Sun Microsystems Inc.
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.vm.version]       = 1.5.0_17-b04
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.vm.info]          = mixed mode
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.classpath]        = null
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.library.path]     = /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.endorsed.dirs]    = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [java.ext.dirs]         = /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
> >>>> [sun.boot.class.path]   = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]
> >>>> ----------------------------------------------
> >>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> >>>> Property=javax.xml.soap.MetaFactory to
> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> >>>> Property=javax.xml.soap.MessageFactory to
> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> >>>> Property=java.net.preferIPv4Stack to Value=true
> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
> >>>> Property=javax.xml.soap.SOAPConnectionFactory to
> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
> >>>> Property=javax.xml.soap.SOAPFactory to
> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
> >>>> Property=java.security.Provider to Value=SUN
> >>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService]
> >>>> ----------------------------------------------
> >>>>
> >>>> Q
> >>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@skywalk.co.za>
> >>>> wrote:
> >>>>>
> >>>>> do i need to delete config.ser?
> >>>>>
> >>>>> Q
> >>>>>
> >>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@21technologies.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> That's how I got started. I have a project that includes a custom
> >>>>>> login module as well as a customized geronimo-plugin.xml that originally was
> >>>>>> an exported version of the server-security-config plugin. My plugin project
> >>>>>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
> >>>>>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
> >>>>>> being my jar's deployment plan. You can also try and build a car using the
> >>>>>> maven car plugin, although I haven't played around with this yet. I found
> >>>>>> this wiki article to be helpful:
> >>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
> >>>>>>
> >>>>>> Joe
> >>>>>>
> >>>>>> ---------------------
> >>>>>> Sorry, I've never created a plugin. To create a new
> >>>>>> server-security-config plugin, do you mean I should copy
> >>>>>> server-security-config using the console's plugin export and modify
> >>>>>> it?
> >>>>>>
> >>>>>> Q
> >>>>>>
> >>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@21technologies.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> To reproduce it create your own server-security-config plugin that
> >>>>>>> uses any login module other than the properties-login gbean that is
> >>>>>>> expected. You then need to deploy your new server-security-config plugin and
> >>>>>>> have it completely replace the default server-security-config (see
> >>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration ).
> >>>>>>> I achieved this by telling the server-security-config car to not load in the
> >>>>>>> config.xml, telling my security plugin to load in the config.xml, and then
> >>>>>>> adding artifact aliases for both the 2.1.4 and wildcard-versioned lines
> >>>>>>> referring to the server-security-config plugin in the
> >>>>>>> artifact_aliases.properties file.
> >>>>>>>
> >>>>>>> In artifact_aliases.properties:
> >>>>>>>
> >>>>>>> org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
> >>>>>>>
> >>>>>>> org.apache.geronimo.framework/server-security-config/2.1.4/car=org
> >>>>>>> com.my.geronimo/my-security-config/1.0/car
> >>>>>>>
> >>>>>>> In config.xml:
> >>>>>>>       <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
> >>>>>>>       <module name="com.my.geronimo/my-security-config/1.0/car"/>
> >>>>>>>
> >>>>>>> Now try and start up Geronimo. You will see the error discussing the
> >>>>>>> missing expected gbean.
> >>>>>>> Hope this helps,
> >>>>>>> Joe
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> -------------
> >>>>>>> Errr. Ouch. *rubbing the bruised area in his brain*.
> >>>>>>>
> >>>>>>> I'm not that on with everything you said. I think the best thing
> >>>>>>> would be to reproduce it. What would I do to reproduce it?
> >>>>>>>
> >>>>>>> Q
> >>>>>>>
> >>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks
> >>>>>>> <david_jencks@yahoo.com> wrote:
> >>>>>>>>
> >>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
> >>>>>>>>
> >>>>>>>>> I'll be willing to have a look at it.
> >>>>>>>>>
> >>>>>>>>> can you give me a general idea what I'm supposed to look at and how
> >>>>>>>>> it would be done?
> >>>>>>>>
> >>>>>>>> IIRC the failure is caused by an unsatisfied single valued gbean
> >>>>>>>> reference to the properties login module gbean from something in the admin
> >>>>>>>> console.  You need to find the gbean reference and change it to a
> >>>>>>>> collection valued reference so it's no longer a mandatory reference.  You
> >>>>>>>> can wrap a collection valued reference with SingleElementCollection to make
> >>>>>>>> it act like an optional single valued reference.
> >>>>>>>>
> >>>>>>>> hope this is clear enough to help..
> >>>>>>>> david jencks
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Q
> >>>>>>>>>
> >>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks <david_jencks@yahoo.com>
> >>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Joe!
> >>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I've been working on replacing Geronimo 2.1.4's server-security-config
> >>>>>>>>>> plugin's example security with our own security plugin. We need single
> >>>>>>>>>> sign on for our application which also means the same sign on process
> >>>>>>>>>> has to work with the Geronimo admin console. We need to be able to use
> >>>>>>>>>> custom realms and custom login modules in our server-security-config
> >>>>>>>>>> plugin replacement that may change depending on the environment we
> >>>>>>>>>> deploy to. I've run into two limitations so far that I've found
> >>>>>>>>>> documented online. One is that unless I want to re-deploy other plugins
> >>>>>>>>>> that use the 'geronimo-admin' security realm, then our custom security
> >>>>>>>>>> realm must be named 'geronimo-admin' as well. The other is that I ran
> >>>>>>>>>> into http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
> >>>>>>>>>> create a dummy properties-login gbean in order for the tomcat
> >>>>>>>>>> components to start up.
> >>>>>>>>>>
> >>>>>>>>>> In my experience this is incredibly annoying.  I don't have time but
> >>>>>>>>>> wonder if anyone else can see about fixing this for 2.2.
> >>>>>>>>>>
> >>>>>>>>>> I've created aliases for my plugin over the server-security-config
> >>>>>>>>>> plugin in the 'artifact-aliases.properties' file and I've also disabled
> >>>>>>>>>> the server-security-config plugin and added my plugin as a loaded module
> >>>>>>>>>> in the 'config.xml'. Unfortunately, I still cannot log into the Geronimo
> >>>>>>>>>> console using my custom security realm and login module. Geronimo has no
> >>>>>>>>>> problem starting with the current configuration and I can even log in
> >>>>>>>>>> using my custom login module. Everything seems happy as far as the login
> >>>>>>>>>> process is concerned when I step through the code, but instead of seeing
> >>>>>>>>>> the Geronimo console I get a tomcat error page stating 'Access to the
> >>>>>>>>>> specified resource () has been forbidden'.  The logs are completely
> >>>>>>>>>> clean as well as the console output. My only idea is that my admin
> >>>>>>>>>> users also need to be members of a specifically named Geronimo admin
> >>>>>>>>>> group (make my admin group's name exactly match the one set up in the
> >>>>>>>>>> default security plugin)? I have not tested this hypothesis out yet,
> >>>>>>>>>> because I have my own admin group that is used by our application that
> >>>>>>>>>> I would like to re-use as the Geronimo console's admin group. Any other
> >>>>>>>>>> thoughts?
> >>>>>>>>>>
> >>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
> >>>>>>>>>> application, although in 2.2 you can put it into a different plugin if
> >>>>>>>>>> you want and I think then swap it via an artifact-alias with one in a
> >>>>>>>>>> different plugin.
> >>>>>>>>>> So, that means that you need to supply the principals the
> >>>>>>>>>> principal-role mapping expects:
> >>>>>>>>>>   <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
> >>>>>>>>>>       <role-mappings>
> >>>>>>>>>>           <role role-name="admin">
> >>>>>>>>>>               <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >>>>>>>>>>                          name="admin" />
> >>>>>>>>>>           </role>
> >>>>>>>>>>       </role-mappings>
> >>>>>>>>>>   </security>
> >>>>>>>>>>
> >>>>>>>>>> So, your login module needs to supply a principal of
> >>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
> >>>>>>>>>> Let us know if this doesn't work.
> >>>>>>>>>> thanks
> >>>>>>>>>> david jencks
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> Joe
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Quintin Beukes
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Quintin Beukes
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Quintin Beukes
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Quintin Beukes
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Quintin Beukes
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Quintin Beukes
> >>>
> >>
> >>
> >>
> >> --
> >> Quintin Beukes
> >
> >
>
>
>
> --
> Quintin Beukes
>
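The swap Joe walks through in the quoted thread (alias both the versioned and the version-less key to the replacement, set the stock module to load="false", keep the replacement loaded, and keep the dummy properties-login gbean that GERONIMO-4603 demands) is easy to get half right, as Quintin's attempts show. The following is an added consistency check, not code from the thread or from Geronimo: it parses constructed copies of artifact_aliases.properties, config.xml and a plan fragment and reports what would still go wrong; the config.xml root element name and the handling of a missing load attribute are assumptions.

```python
"""Consistency check for the server-security-config swap discussed in this thread.
Added example, not Geronimo code. The file contents below are constructed from the
steps Joe posted; the artifact names (com.my.geronimo/my-security-config) are his."""
import xml.etree.ElementTree as ET

ORIGINAL = "org.apache.geronimo.framework/server-security-config/2.1.4/car"
WILDCARD = "org.apache.geronimo.framework/server-security-config//car"   # version-less key
REPLACEMENT = "com.my.geronimo/my-security-config/1.0/car"

# Constructed artifact_aliases.properties as Joe has it: versioned and wildcard keys.
ALIASES_AFTER = f"{WILDCARD}={REPLACEMENT}\n{ORIGINAL}={REPLACEMENT}\n"
# Constructed first attempt: the stock wildcard alias left pointing at the original.
ALIASES_BEFORE = f"{WILDCARD}={ORIGINAL}\n"
# Constructed plan fragment with the GERONIMO-4603 dummy properties-login gbean
# commented out, as in Joe's posted plan, so the check has to flag it.
PLAN = """\
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"/>
  <!-- <gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"/> -->
</module>
"""


def config_xml(original_load):
    """Constructed config.xml fragment (root element assumed): the stock module
    with the given load flag plus the replacement module, as in Joe's snippet."""
    return (f'<attributes><module name="{ORIGINAL}" load="{original_load}"/>'
            f'<module name="{REPLACEMENT}"/></attributes>')

def parse_aliases(text):
    """key=value lines of artifact_aliases.properties; blanks and # comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def elements(xml_text, local_name):
    """Yield elements by local tag name, ignoring any default namespace."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            yield el

def loaded_modules(config):
    """{module name: True if it will load}; a missing load attribute is assumed true."""
    return {m.get("name"): m.get("load", "true").lower() != "false"
            for m in elements(config, "module")}

def check_swap(aliases, modules, plan_xml, original=ORIGINAL, replacement=REPLACEMENT):
    """Report anything that lets the stock plugin load, keeps the replacement from
    loading, leaves a dependency on the stock artifact unaliased, or trips 4603."""
    problems = []
    if modules.get(original, False):
        problems.append(f'{original} still loads; set load="false"')
    if not modules.get(replacement, False):
        problems.append(f"{replacement} is not a loaded module")
    for key in (original, original.rsplit("/", 2)[0] + "//car"):
        target = aliases.get(key)
        if target != replacement:
            problems.append(f"alias {key} -> {target}, expected {replacement}")
    gbeans = {g.get("name") for g in elements(plan_xml, "gbean")}   # XML comments are skipped
    if "properties-login" not in gbeans:
        problems.append("plan has no properties-login gbean (GERONIMO-4603 dummy)")
    return problems

def run_checks():
    """Findings for the first attempt and for Joe's final configuration."""
    before = check_swap(parse_aliases(ALIASES_BEFORE), loaded_modules(config_xml("true")), PLAN)
    after = check_swap(parse_aliases(ALIASES_AFTER), loaded_modules(config_xml("false")), PLAN)
    return before, after
```

Because the commented-out gbean is invisible to the XML parser, the check still reports the GERONIMO-4603 problem for Joe's posted plan until the properties-login gbean is uncommented.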
