geronimo-user mailing list archives

From chi runhua <chirun...@gmail.com>
Subject Re: Replacing the server-security-config plugin
Date Tue, 15 Sep 2009 13:40:37 GMT
Hi, doc updated regarding this topic.

http://cwiki.apache.org/GMOxDOC22/replacing-default-realm-in-geronimo.html

See if there are any problems, please let me know.

Jeff C

On Sat, Sep 12, 2009 at 9:54 PM, chi runhua <chirunhua@gmail.com> wrote:

> You may also refer to https://issues.apache.org/jira/browse/GERONIMO-4818.
>
> Doc for G2.2 on this topic will be updated soon.
>
> Jeff C
>
>
>
>
> On Sat, Sep 12, 2009 at 6:40 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>
>> Thanks. That helps. I'll see what I can do.
>>
>> Q
>>
>> On Sat, Sep 12, 2009 at 12:49 AM, David Jencks <david_jencks@yahoo.com>
>> wrote:
>> >
>> > On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:
>> >
>> >> OK. So I found the reference. It's like so:
>> >>     <gbean name="PropertiesLoginManager"
>> >>            class="org.apache.geronimo.console.core.security.PropertiesLoginModuleManager">
>> >>       <reference name="ServerInfo">
>> >>         <name>ServerInfo</name>
>> >>       </reference>
>> >>       <reference name="LoginModule">
>> >>         <name>properties-login</name>
>> >>       </reference>
>> >>     </gbean>
>> >>
>> >> And it's in console-tomcat's plan.
>> >>
>> >> 1. How would I make it multivalued and wrap it in SingleElementCollection?
>> >
>> > You need to find the java code for PropertiesLoginModuleManager.  It should
>> > have a reference to a login module.... you need to turn the reference into a
>> > Collection<LoginModuleGBean>.  Hopefully it's a constructor arg.  Instead of
>> > dealing with the Collection itself you can immediately wrap it in a
>> > SingleElementCollection and use that instead.  Then you'll have to look at
>> > the code in PropertiesLoginModuleManager and make sure it doesn't do
>> > anything unfortunate if there is no login module in the collection.
>> >>
>> >>
>> >> 2. How would I redeploy it?
>> >
>> > you'll need to have checked out geronimo to get this far.... the simplest is
>> > to just build all of geronimo.  If you've built at least once, you can just
>> > build the plugins/console and then assemblies.  (I'm assuming that my
>> > recollection that this code is in plugins/console is correct).
>> >
>> > hope this helps
>> > david jencks
>> >
>> >
>> >>
>> >> Q
>> >>
>> >> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jdente@21technologies.com> wrote:
>> >>>
>> >>> I'm going to be busy for the rest of the day, but here's the deployment
>> >>> plan I use in my replacement server-security-config plugin:
>> >>>
>> >>> <?xml version="1.0" encoding="UTF-8"?>
>> >>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>> >>>  <environment>
>> >>>   <moduleId>
>> >>>     <groupId>com.mycode.geronimo</groupId>
>> >>>     <artifactId>delegating-login-module</artifactId>
>> >>>     <version>1.0</version>
>> >>>     <type>car</type>
>> >>>   </moduleId>
>> >>>   <dependencies>
>> >>>     <dependency>
>> >>>       <groupId>org.apache.geronimo.framework</groupId>
>> >>>       <artifactId>j2ee-security</artifactId>
>> >>>       <version>2.1.4</version>
>> >>>       <type>car</type>
>> >>>     </dependency>
>> >>>   </dependencies>
>> >>>   <hidden-classes/>
>> >>>   <non-overridable-classes/>
>> >>>  </environment>
>> >>>
>> >>>  <gbean name="CredentialStore"
>> >>>         class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
>> >>>
>> >>>  <!-- Default Security Realm Using Delegate Login Module -->
>> >>>  <gbean name="admin-login"
>> >>>         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>> >>>   <attribute name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
>> >>>   <attribute name="options">delegateRealm=delegate-realm
>> >>>       groupName=delegate-admin</attribute>
>> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>> >>>  </gbean>
>> >>>  <gbean name="geronimo-admin"
>> >>>         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>> >>>   <attribute name="realmName">geronimo-admin</attribute>
>> >>>   <reference name="LoginModuleConfiguration">
>> >>>     <name>admin-login</name>
>> >>>   </reference>
>> >>>   <reference name="ServerInfo">
>> >>>     <name>ServerInfo</name>
>> >>>   </reference>
>> >>>  </gbean>
>> >>>  <gbean name="admin-login"
>> >>>         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>> >>>   <attribute name="controlFlag">REQUIRED</attribute>
>> >>>   <reference name="LoginModule">
>> >>>     <name>admin-login</name>
>> >>>   </reference>
>> >>>  </gbean>
>> >>>
>> >>>  <!--
>> >>>  <gbean name="properties-login"
>> >>>         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>> >>>   <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>> >>>   <attribute name="options">usersURI=var/security/users.properties
>> >>>           groupsURI=var/security/groups.properties</attribute>
>> >>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>> >>>  </gbean>
>> >>>  -->
>> >>>
>> >>>  <gbean name="geronimo-default"
>> >>>         class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>> >>>   <attribute name="keystoreName">geronimo-default</attribute>
>> >>>   <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
>> >>>   <attribute name="keystorePassword">secret</attribute>
>> >>>   <attribute name="keystoreType">JKS</attribute>
>> >>>   <attribute name="keyPasswords">geronimo=secret</attribute>
>> >>>   <reference name="ServerInfo">
>> >>>     <name>ServerInfo</name>
>> >>>   </reference>
>> >>>  </gbean>
>> >>> </module>
>> >>>
>> >>> You can see the configuration for my custom login module. The important
>> >>> piece for this problem is the "properties-login" gbean that I have commented
>> >>> out. Without this GBean, Geronimo is unable to startup due to the bug
>> >>> originally discussed in this thread (GERONIMO-4603). If you enable this
>> >>> GBean, then Geronimo can startup correctly (granted everything else is
>> >>> configured appropriately). Because of the hardwired issue discussed in issue
>> >>> 4603, I have to put the dummy "properties-login" gbean in place even though
>> >>> I'm not using a "properties-login" gbean in my configuration.
>> >>>
>> >>> Joe
>> >>>
>> >>> ===========================
>> >>> I also tried creating a realm through the console, then exporting it
>> >>> as a plugin, undeploying the original, deploying as a plugin and
>> >>> restarting the server after doing the config.xml changes.
>> >>>
>> >>> Doesn't work either. Complains about:
>> >>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
>> >>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
>> >>> the keystore page in the admin console to unlock it:  vmcid: Apache
>> >>> minor code: 0x5  completed: No
>> >>>
>> >>> Q
>> >>>
>> >>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>> >>>>
>> >>>> No. This isn't working right. I don't know what I'm doing wrong.
>> >>>>
>> >>>> I take the exported plugin. Extract it to directory "x".
>> >>>>
>> >>>> Then I change only the groupId everywhere in the plugin from
>> >>>> "org.apache.geronimo.framework" to "test" and version from
>> >>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>> >>>>
>> >>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
>> >>>> Successfully installed: test/server-security-config/2.2/car
>> >>>>
>> >>>> I stop the server, and then edit artifact_aliases.properties and change:
>> >>>>
>> >>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
>> >>>> test/server-security-config//car=test/server-security-config/2.2/car
>> >>>>
>> >>>> TO
>> >>>>
>> >>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
>> >>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
>> >>>> test/server-security-config//car=test/server-security-config/2.2/car
>> >>>>
>> >>>> And config.xml from:
>> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>> >>>>   <module name="test/server-security-config/2.2/car"/>
>> >>>>
>> >>>> TO:
>> >>>>   <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car" load="false"/>
>> >>>>   <module name="test/server-security-config/2.2/car"/>
>> >>>>
>> >>>> Then I try and start the server, and all I get is this, ie. it starts
>> >>>> and right after loading my plugin stops the server without an error.
>> >>>> 2009-09-11 22:14:37,642 INFO  [Log4jService]
>> >>>> ----------------------------------------------
>> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
>> >>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
>> >>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory = /opt/testkms/server/geronimo-2.2-20090908
>> >>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use = Sun JVM 1.5.0_17
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
>> >>>> Edition
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [java.runtime.version]  = 1.5.0_17-b04
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [os.name]               = Linux
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [os.version]            = 2.6.24-24-generic
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [sun.os.patch.level]    = unknown
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [os.arch]               = i386
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [java.class.version]    = 49.0
>> >>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>> >>>> [locale]                = en_ZA
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [unicode.encoding]      = UnicodeLittle
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [file.encoding]         = UTF-8
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.vm.name]          = Java HotSpot(TM) Client VM
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.vm.vendor]        = Sun Microsystems Inc.
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.vm.version]       = 1.5.0_17-b04
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.vm.info]          = mixed mode
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.classpath]        = null
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.library.path]     =
>> >>>>
>> >>>>
>> /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.endorsed.dirs]    =
>> >>>>
>> >>>>
>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [java.ext.dirs]         =
>> >>>>
>> >>>>
>> /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>> >>>> [sun.boot.class.path]   =
>> >>>>
>> >>>>
>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
>> >>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]
>> >>>> ----------------------------------------------
>> >>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>> >>>> at name java:comp
>> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>> >>>> at name java:
>> >>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>> >>>> at name ger:
>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>> >>>> Property=javax.xml.soap.MetaFactory to
>> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>> >>>> Property=javax.xml.soap.MessageFactory to
>> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>> >>>> Property=java.net.preferIPv4Stack to Value=true
>> >>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>> >>>> Property=javax.xml.soap.SOAPConnectionFactory to
>> >>>>
>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
>> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>> >>>> Property=javax.xml.soap.SOAPFactory to
>> >>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
>> >>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>> >>>> Property=java.security.Provider to Value=SUN
>> >>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>> >>>> at name java:
>> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>> >>>> at name ger:
>> >>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>> >>>>
>> >>>>
>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>> >>>> at name java:comp
>> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
>> >>>> 2009-09-11 22:14:40,265 INFO  [Log4jService]
>> >>>> ----------------------------------------------
>> >>>>
>> >>>> Q
>> >>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
>> >>>>>
>> >>>>> do i need to delete config.ser?
>> >>>>>
>> >>>>> Q
>> >>>>>
>> >>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@21technologies.com> wrote:
>> >>>>>>
>> >>>>>> That's how I got started. I have a project that includes a custom
>> >>>>>> login module as well as a customized geronimo-plugin.xml that originally was
>> >>>>>> an exported version of the server-security-config plugin. My plugin project
>> >>>>>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
>> >>>>>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>> >>>>>> being my jar's deployment plan. You can also try and build a car using the
>> >>>>>> maven car plugin, although I haven't played around with this yet. I found
>> >>>>>> this wiki article to be helpful:
>> >>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>> >>>>>>
>> >>>>>> Joe
>> >>>>>>
>> >>>>>> ---------------------
>> >>>>>> Sorry, I've never created a plugin. To create a new
>> >>>>>> server-security-config plugin, do you mean I should copy
>> >>>>>> server-security-config using the console's plugin export and modify
>> >>>>>> it?
>> >>>>>>
>> >>>>>> Q
>> >>>>>>
>> >>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@21technologies.com> wrote:
>> >>>>>>>
>> >>>>>>> To reproduce it create your own server-security-config plugin that
>> >>>>>>> uses any login module other than the properties-login gbean that is
>> >>>>>>> expected. You then need to deploy your new server-security-config plugin and
>> >>>>>>> have it completely replace the default server-security-config (see
>> >>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>> >>>>>>> I achieved this by telling the server-security-config car to not load in the
>> >>>>>>> config.xml, telling my security plugin to load in the config.xml, and then
>> >>>>>>> adding artifact aliases for both the 2.1.4 and wildcard-versioned lines
>> >>>>>>> referring to the server-security-config plugin in the
>> >>>>>>> artifact_aliases.properties file.
>> >>>>>>>
>> >>>>>>> In artifact_aliases.properties:
>> >>>>>>>
>> >>>>>>> org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>> >>>>>>>
>> >>>>>>> org.apache.geronimo.framework/server-security-config/2.1.4/car=org
>> >>>>>>> com.my.geronimo/my-security-config/1.0/car
>> >>>>>>>
>> >>>>>>> In config.xml:
>> >>>>>>>       <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
>> >>>>>>>       <module name="com.my.geronimo/my-security-config/1.0/car"/>
>> >>>>>>>
>> >>>>>>> Now try and startup Geronimo. You will see the error discussing the
>> >>>>>>> missing expected gbean.
>> >>>>>>> Hope this helps,
>> >>>>>>> Joe
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> -------------
>> >>>>>>> Errr. Ouch. *rubbing the bruised area in his brain*.
>> >>>>>>>
>> >>>>>>> I'm not that on with everything you said. I think the best thing would
>> >>>>>>> be to reproduce it. What would I do to reproduce it?
>> >>>>>>>
>> >>>>>>> Q
>> >>>>>>>
>> >>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks
>> >>>>>>> <david_jencks@yahoo.com> wrote:
>> >>>>>>>>
>> >>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>> >>>>>>>>
>> >>>>>>>>> I'll be willing to have a look at it.
>> >>>>>>>>>
>> >>>>>>>>> can you give me a general idea what I'm supposed to look at and how it
>> >>>>>>>>> would be done?
>> >>>>>>>>
>> >>>>>>>> IIRC the failure is caused by an unsatisfied single valued gbean reference
>> >>>>>>>> to the properties login module gbean from something in the admin console.
>> >>>>>>>> You need to find the gbean reference and change it to a collection valued
>> >>>>>>>> reference so it's no longer a mandatory reference.  You can wrap a
>> >>>>>>>> collection valued reference with SingleElementCollection to make it act like
>> >>>>>>>> an optional single valued reference.
>> >>>>>>>>
>> >>>>>>>> hope this is clear enough to help..
>> >>>>>>>> david jencks
>> >>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> Q
>> >>>>>>>>>
>> >>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks <david_jencks@yahoo.com> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> Hi Joe!
>> >>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> Hi,
>> >>>>>>>>>> I've been working on replacing Geronimo 2.1.4's server-security-config
>> >>>>>>>>>> plugin's example security with our own security plugin. We need single sign
>> >>>>>>>>>> on for our application which also means the same sign on process has to work
>> >>>>>>>>>> with the Geronimo admin console. We need to be able to use custom realms and
>> >>>>>>>>>> custom login modules in our server-security-config plugin replacement that
>> >>>>>>>>>> may change depending on the environment we deploy to. I've run into two
>> >>>>>>>>>> limitations so far that I've found documented online. One is that unless I
>> >>>>>>>>>> want to re-deploy other plugins that use the 'geronimo-admin' security
>> >>>>>>>>>> realm, then our custom security realm must be named 'geronimo-admin' as
>> >>>>>>>>>> well. The other is that I ran into
>> >>>>>>>>>> http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>> >>>>>>>>>> create a dummy properties-login gbean in order for the tomcat components
>> >>>>>>>>>> to start up.
>> >>>>>>>>>>
>> >>>>>>>>>> In my experience this is incredibly annoying.  I don't have time but wonder
>> >>>>>>>>>> if anyone else can see about fixing this for 2.2.
>> >>>>>>>>>>
>> >>>>>>>>>> I've created aliases for my plugin over the server-security-config plugin in
>> >>>>>>>>>> 'artifact-aliases.properties' file and I've also disabled the
>> >>>>>>>>>> server-security-config plugin and added my plugin as a loaded module in the
>> >>>>>>>>>> 'config.xml'. Unfortunately, I still cannot log into the Geronimo console
>> >>>>>>>>>> using my custom security realm and login module. Geronimo has no problem
>> >>>>>>>>>> starting with the current configuration and I can even login using my custom
>> >>>>>>>>>> login module. Everything seems happy as far as the login process is
>> >>>>>>>>>> concerned when I step through the code, but instead of seeing the Geronimo
>> >>>>>>>>>> console I get a tomcat error page stating 'Access to the specified resource
>> >>>>>>>>>> () has been forbidden'.  The logs are completely clean as well as the
>> >>>>>>>>>> console output. My only idea is that my admin users also need to be members
>> >>>>>>>>>> of a specifically named Geronimo admin group (make my admin groups name
>> >>>>>>>>>> exactly match the one setup in the default security plugin)? I have not
>> >>>>>>>>>> tested this hypothesis out yet, because I have my own admin group that is
>> >>>>>>>>>> used by our application that I would like to re-use as the Geronimo
>> >>>>>>>>>> console's admin group. Any other thoughts?
>> >>>>>>>>>>
>> >>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>> >>>>>>>>>> application, although in 2.2 you can put it into a different plugin if you
>> >>>>>>>>>> want and I think then swap it via an artifact-alias with one in a different
>> >>>>>>>>>> plugin.
>> >>>>>>>>>> So, that means that you need to supply the principals the principal-role
>> >>>>>>>>>> mapping expects:
>> >>>>>>>>>>   <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>> >>>>>>>>>>       <role-mappings>
>> >>>>>>>>>>           <role role-name="admin">
>> >>>>>>>>>>               <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> >>>>>>>>>>                          name="admin" />
>> >>>>>>>>>>           </role>
>> >>>>>>>>>>       </role-mappings>
>> >>>>>>>>>>   </security>
>> >>>>>>>>>>
>> >>>>>>>>>> So, your login module needs to supply a principal of
>> >>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
>> >>>>>>>>>> Let us know if this doesn't work.
>> >>>>>>>>>> thanks
>> >>>>>>>>>> david jencks
>> >>>>>>>>>>
>> >>>>>>>>>> Thanks,
>> >>>>>>>>>> Joe
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> Quintin Beukes
>
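
The conditions this thread gives for swapping out server-security-config on 2.1.4 (both alias lines, the default module set to load="false", a realm still named geronimo-admin, and the placeholder properties-login gbean from GERONIMO-4603) can be checked before a restart. This is an added example, not code from the thread or from Geronimo; the function names are hypothetical and the three inputs are constructed samples that reuse the ids from Joe's message.

```python
import xml.etree.ElementTree as ET

DEFAULT = "org.apache.geronimo.framework/server-security-config"
REPLACEMENT = "com.my.geronimo/my-security-config/1.0/car"  # id used in the thread

# Constructed sample inputs (trimmed; not copied from a real server).
ALIASES = DEFAULT + "//car=" + REPLACEMENT + "\n"   # versioned alias left out
CONFIG = """<attributes>
  <module name="org.apache.geronimo.framework/server-security-config/2.1.4/car" load="false"/>
  <module name="com.my.geronimo/my-security-config/1.0/car"/>
</attributes>"""
PLAN = """<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"/>
  <gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">geronimo-admin</attribute>
  </gbean>
</module>"""

def local(tag):
    """'{namespace}gbean' -> 'gbean', so the checks ignore XML namespaces."""
    return tag.rsplit("}", 1)[-1]

def elements(xml_text, name):
    """All elements with the given local name, at any depth."""
    return [el for el in ET.fromstring(xml_text).iter() if local(el.tag) == name]

def check_aliases(text, version, replacement):
    """Both the wildcard and the versioned default id must alias to the replacement."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return [f"alias {key} does not point to {replacement}"
            for key in (f"{DEFAULT}//car", f"{DEFAULT}/{version}/car")
            if props.get(key) != replacement]

def check_config(xml_text, version, replacement):
    """The default module must be load="false" and the replacement must load."""
    load = {m.get("name"): m.get("load", "true") for m in elements(xml_text, "module")}
    findings = []
    if load.get(f"{DEFAULT}/{version}/car", "false") != "false":
        findings.append('default server-security-config is listed without load="false"')
    if load.get(replacement, "false") == "false":
        findings.append(f"{replacement} is not listed as a loaded module")
    return findings

def check_plan(xml_text):
    """Realm name other plugins depend on, plus the GERONIMO-4603 placeholder gbean."""
    gbeans = elements(xml_text, "gbean")
    realms = set()
    for g in gbeans:
        if g.get("class", "").endswith(".GenericSecurityRealm"):
            realms.update((a.text or "").strip() for a in g
                          if local(a.tag) == "attribute" and a.get("name") == "realmName")
    findings = []
    if "geronimo-admin" not in realms:
        findings.append("no GenericSecurityRealm with realmName geronimo-admin")
    if "properties-login" not in {g.get("name") for g in gbeans}:
        findings.append("no properties-login gbean (GERONIMO-4603 placeholder)")
    return findings

if __name__ == "__main__":
    for finding in (check_aliases(ALIASES, "2.1.4", REPLACEMENT)
                    + check_config(CONFIG, "2.1.4", REPLACEMENT) + check_plan(PLAN)):
        print("FINDING:", finding)
```

The console's role mapping quoted in the thread (a GeronimoGroupPrincipal named "admin") is a runtime property of the login module and is not visible to these file checks.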
