From: Quintin Beukes
To: user@geronimo.apache.org
Date: Fri, 11 Sep 2009 19:45:57 +0200
Subject: Re: Replacing the server-security-config plugin
Message-ID: <1f3854d50909111045l19ebc385j1af4747b149c7cbe@mail.gmail.com>
References: <54D41E91F26CF6488C7088C89D9160F8015ED64A@21ctexg01.21technologies.com> <09C050CC-52C1-49EF-8735-42B92A3B125B@yahoo.com> <1f3854d50909110549l2d62397ap72952cec2b0f1920@mail.gmail.com>
Mailing list: user@geronimo.apache.org
Errr. Ouch. *rubbing the bruised area in his brain*. I'm not that on with everything you said. I think the best thing would be to reproduce it. What would I do to reproduce it?

Q

On Fri, Sep 11, 2009 at 6:42 PM, David Jencks wrote:
>
> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>
>> I'll be willing to have a look at it.
>>
>> Can you give me a general idea what I'm supposed to look at and how it would be done?
>
> IIRC the failure is caused by an unsatisfied single valued gbean reference to the properties login module gbean from something in the admin console. You need to find the gbean reference and change it to a collection valued reference so it's no longer a mandatory reference. You can wrap a collection valued reference with SingleElementCollection to make it act like an optional single valued reference.
>
> hope this is clear enough to help..
> david jencks
>
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks wrote:
>>>
>>> Hi Joe!
>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>
>>> Hi,
>>> I've been working on replacing Geronimo 2.1.4's server-security-config plugin's example security with our own security plugin. We need single sign on for our application, which also means the same sign on process has to work with the Geronimo admin console. We need to be able to use custom realms and custom login modules in our server-security-config plugin replacement that may change depending on the environment we deploy to. I've run into two limitations so far that I've found documented online. One is that unless I want to re-deploy other plugins that use the 'geronimo-admin' security realm, then our custom security realm must be named 'geronimo-admin' as well. The other is that I ran into http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to create a dummy properties-login gbean in order for the tomcat components to start up.
>>>
>>> In my experience this is incredibly annoying. I don't have time but wonder if anyone else can see about fixing this for 2.2.
>>>
>>> I've created aliases for my plugin over the server-security-config plugin in the 'artifact-aliases.properties' file and I've also disabled the server-security-config plugin and added my plugin as a loaded module in the 'config.xml'. Unfortunately, I still cannot log into the Geronimo console using my custom security realm and login module. Geronimo has no problem starting with the current configuration and I can even login using my custom login module. Everything seems happy as far as the login process is concerned when I step through the code, but instead of seeing the Geronimo console I get a tomcat error page stating 'Access to the specified resource () has been forbidden'. The logs are completely clean as well as the console output. My only idea is that my admin users also need to be members of a specifically named Geronimo admin group (make my admin group's name exactly match the one set up in the default security plugin)? I have not tested this hypothesis out yet, because I have my own admin group that is used by our application that I would like to re-use as the Geronimo console's admin group. Any other thoughts?
>>>
>>> In 2.1.x you are stuck with the principal-role mapping in the ee application, although in 2.2 you can put it into a different plugin if you want and I think then swap it via an artifact-alias with one in a different plugin.
>>> So, that means that you need to supply the principals the principal-role mapping expects:
>>>
>>>                 ... class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>                     name="admin" />
>>>
>>> So, your login module needs to supply a principal of class GeronimoGroupPrincipal and name "admin".
>>> Let us know if this doesn't work.
>>> thanks
>>> david jencks
>>>
>>> Thanks,
>>> Joe
>>>
>>
>>
>>
>> --
>> Quintin Beukes
>
>

--
Quintin Beukes
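As an added illustration of David's last point (example code written for this archive page, not code from the thread, from Geronimo, or from Joe's plugin): a minimal JAAS login module that verifies the user against the application's own user store and, for members of the application's admin group, adds the GeronimoGroupPrincipal named "admin" that the console's principal-role mapping expects, so the application's group does not need to be renamed. AppUserStore and the package name are hypothetical stand-ins; the GeronimoUserPrincipal import is assumed to live in the same Geronimo package as the class named in the mapping.

```java
package example.auth; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Class name taken from the principal-role mapping quoted in the thread.
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
// Assumed to sit beside it in the same Geronimo package.
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

public class AppAdminLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean isAppAdmin;
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException e) { throw new LoginException(e.getMessage()); }
        catch (UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // AppUserStore is a hypothetical stand-in for the application's own user directory.
        if (user == null || !AppUserStore.verify(user, pw)) throw new FailedLoginException("bad credentials");
        isAppAdmin = AppUserStore.isAdmin(user); // membership in the application's admin group
        return true;
    }

    public boolean commit() {
        added.add(new GeronimoUserPrincipal(user));
        // The console's role mapping looks for a GeronimoGroupPrincipal named "admin":
        // map the application's admin group onto that name instead of renaming the group.
        if (isAppAdmin) added.add(new GeronimoGroupPrincipal("admin"));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { user = null; isAppAdmin = false; added.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
}
```

Only the principals this module added are removed on logout, so other login modules in the same realm keep theirs.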