geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Replacing the server-security-config plugin
Date Fri, 11 Sep 2009 16:42:36 GMT

On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:

> I'll be willing to have a look at it.
>
> can you give me a general idea what I'm supposed to look at and how it
> would be done?

IIRC the failure is caused by an unsatisfied single valued gbean  
reference to the properties login module gbean from something in the  
admin console.  You need to find the gbean reference and change it to  
a collection valued reference so it's no longer a mandatory  
reference.  You can wrap a collection valued reference with  
SingleElementCollection to make it act like an optional single valued  
reference.

hope this is clear enough to help..
david jencks

>
> Q
>
> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks  
> <david_jencks@yahoo.com> wrote:
>> Hi Joe!
>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>
>> Hi,
>> I’ve been working on replacing Geronimo 2.1.4’s server-security- 
>> config
>> plugin’s example security with our own security plugin. We need  
>> single sign
>> on for our application which also means the same sign on process  
>> has to work
>> with the Geronimo admin console. We need to be able to use custom  
>> realms and
>> custom login modules in our server-security-config plugin  
>> replacement that
>> may change depending on the environment we deploy to. I’ve run into  
>> two
>> limitations so far that I’ve found documented online. One is that  
>> unless I
>> want to re-deploy other plugins that use the ‘geronimo-admin’  
>> security
>> realm, than our custom security realm must be named ‘geronimo- 
>> admin’ as
>> well. The other is that I ran
>> intohttp://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>> creating a dummy properties-login gbean in order for the tomcat  
>> components
>> to start up.
>>
>> In my experience this is incredibly annoying.  I don't have time  
>> but wonder
>> if anyone else can see about fixing this for 2.2.
>>
>>  I’ve created alias’ for my plugin over the server-security-config  
>> plugin in
>> ‘artifact-aliases.properties’ file and I’ve also disabled the
>> server-security-config plugin and added my plugin as a loaded  
>> module in the
>> ‘config.xml’. Unfortunately, I still cannot log into the Geronimo  
>> console
>> using my custom security realm and login module. Geronimo has no  
>> problem
>> starting with the current configuration and I can even login using  
>> my custom
>> login module. Everything seems happy as far as the login process is
>> concerned when I step through the code, but instead of seeing the  
>> Geronimo
>> console I get a tomcat error page stating ‘Access to the specified  
>> resource
>> () has been forbidden’.  The logs are completely clean as well as the
>> console output. My only idea is that my admin users also need to be  
>> members
>> of a specifically named Geronimo admin group (make my admin groups  
>> name
>> exactly match the one setup in the default security plugin)? I have  
>> not
>> tested this hypothesis out yet, because I have my own admin group  
>> that is
>> used by our application that I would like to re-use as the Geronimo
>> console’s admin group. Any other thoughts?
>>
>> In 2.1.x you are stuck with the principal-role mapping in the ee
>> application, although in 2.2 you can put it into a different plugin  
>> if you
>> want and I think then swap it via an artifact-alias with one in a  
>> different
>> plugin.
>> So, that means that you need to supply the principals the principal- 
>> role
>> mapping expects:
>>     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>         <role-mappings>
>>             <role role-name="admin">
>>                 <principal
>> class 
>> = 
>> "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>> name="admin" />
>>             </role>
>>         </role-mappings>
>>     </security>
>>
>> So, your login module needs to supply a principal of
>> class GeronimoGroupPrincipal and name "admin".
>> Let us know if this doesn't work.
>> thanks
>> david jencks
>>
>> Thanks,
>> Joe
>>
>
>
>
> -- 
> Quintin Beukes


Mime
View raw message