Date: Fri, 11 Sep 2009 22:16:33 +0200
Subject: Re: Replacing the server-security-config plugin
From: Quintin Beukes
To: user@geronimo.apache.org

No. This isn't working right. I don't know what I'm doing wrong.

I take the exported plugin. Extract it to directory "x". Then I change only
the groupId everywhere in the plugin from "org.apache.geronimo.framework" to
"test" and version from "2.2-SNAPSHOT" to "2.2". Then I jar it again. Then I
start geronimo and deploy this with deploy.sh install-plugin.

    Successfully installed: test/server-security-config/2.2/car

I stop the server, and then edit artifact_aliases.properties and change:

    org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
    test/server-security-config//car=test/server-security-config/2.2/car

TO

    org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
    org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
    test/server-security-config//car=test/server-security-config/2.2/car

And config.xml from:

TO:

Then I try and start the server, and all I get is this, i.e. it starts and
right after loading my plugin stops the server without an error.
    2009-09-11 22:14:37,642 INFO [Log4jService] ----------------------------------------------
    2009-09-11 22:14:37,643 INFO [Log4jService] Started Logging Service
    2009-09-11 22:14:37,643 INFO [Log4jService] Runtime Information:
    2009-09-11 22:14:37,644 INFO [Log4jService] Install Directory = /opt/testkms/server/geronimo-2.2-20090908
    2009-09-11 22:14:37,645 INFO [JvmVendor] Sun JVM 1.5.0_17
    2009-09-11 22:14:37,645 INFO [Log4jService] JVM in use = Sun JVM 1.5.0_17
    2009-09-11 22:14:37,645 INFO [Log4jService] Java Information:
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [java.runtime.name] = Java(TM) 2 Runtime Environment, Standard Edition
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [java.runtime.version] = 1.5.0_17-b04
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [os.name] = Linux
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [os.version] = 2.6.24-24-generic
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [sun.os.patch.level] = unknown
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [os.arch] = i386
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [java.class.version] = 49.0
    2009-09-11 22:14:37,645 INFO [Log4jService] System property [locale] = en_ZA
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [unicode.encoding] = UnicodeLittle
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [file.encoding] = UTF-8
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.vm.name] = Java HotSpot(TM) Client VM
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.vm.vendor] = Sun Microsystems Inc.
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.vm.version] = 1.5.0_17-b04
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.vm.info] = mixed mode
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.home] = /opt/kms/java/sun-jdk1.5.0_17/jre
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.classpath] = null
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.library.path] = /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.endorsed.dirs] = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [java.ext.dirs] = /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
    2009-09-11 22:14:37,646 INFO [Log4jService] System property [sun.boot.class.path] = /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
    2009-09-11 22:14:37,646 INFO [Log4jService] ----------------------------------------------
    2009-09-11 22:14:39,041 INFO [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
    2009-09-11 22:14:39,043 INFO [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
    2009-09-11 22:14:39,043 INFO [KernelContextGBean] bound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
    2009-09-11 22:14:40,086 INFO [SystemProperties] Setting Property=javax.xml.soap.MetaFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
    2009-09-11 22:14:40,086 INFO [SystemProperties] Setting Property=javax.xml.soap.MessageFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
    2009-09-11 22:14:40,086 INFO [SystemProperties] Setting Property=java.net.preferIPv4Stack to Value=true
    2009-09-11 22:14:40,086 INFO [SystemProperties] Setting Property=javax.xml.soap.SOAPConnectionFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
    2009-09-11 22:14:40,087 INFO [SystemProperties] Setting Property=javax.xml.soap.SOAPFactory to Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
    2009-09-11 22:14:40,087 INFO [SystemProperties] Setting Property=java.security.Provider to Value=SUN
    2009-09-11 22:14:40,261 INFO [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext at name java:
    2009-09-11 22:14:40,264 INFO [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext at name ger:
    2009-09-11 22:14:40,264 INFO [KernelContextGBean] unbound gbean org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext at name java:comp
    2009-09-11 22:14:40,265 INFO [Log4jService] Stopping Logging Service
    2009-09-11 22:14:40,265 INFO [Log4jService] ----------------------------------------------

Q

On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes wrote:
> do i need to delete config.ser?
>
> Q
>
> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente wrote:
>> That's how I got started. I have a project that includes a custom login
>> module as well as a customized geronimo-plugin.xml that originally was an
>> exported version of the server-security-config plugin. My plugin project
>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>> being my jar's deployment plan. You can also try and build a car using the
>> maven car plugin, although I haven't played around with this yet. I found
>> this wiki article to be helpful:
>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>
>> Joe
>>
>> ---------------------
>> Sorry, I've never created a plugin. To create a new
>> server-security-config plugin, do you mean I should copy
>> server-security-config using the console's plugin export and modify
>> it?
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente wrote:
>>> To reproduce it create your own server-security-config plugin that uses
>>> any login module other than the properties-login gbean that is expected.
>>> You then need to deploy your new server-security-config plugin and have
>>> it completely replace the default server-security-config (see
>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>> I achieved this by telling the server-security-config car to not load in
>>> the config.xml, telling my security plugin to load in the config.xml, and
>>> then adding artifact aliases for both the 2.1.4 and wildcard-versioned
>>> lines referring to the server-security-config plugin in the
>>> artifact_aliases.properties file.
>>>
>>> In artifact_aliases.properties:
>>>         org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>>         org.apache.geronimo.framework/server-security-config/2.1.4/car=org com.my.geronimo/my-security-config/1.0/car
>>>
>>> In config.xml:
>>>
>>>
>>>
>>> Now try and startup Geronimo. You will see the error discussing the
>>> missing expected gbean.
>>> Hope this helps,
>>> Joe
>>>
>>> -------------
>>> Errr. Ouch. *rubbing the bruised area in his brain*.
>>>
>>> I'm not that on with everything you said. I think the best thing would
>>> be to reproduce it. What would I do to reproduce it?
>>>
>>> Q
>>>
>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks wrote:
>>>>
>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>>>
>>>>> I'll be willing to have a look at it.
>>>>>
>>>>> can you give me a general idea what I'm supposed to look at and how it
>>>>> would be done?
>>>>
>>>> IIRC the failure is caused by an unsatisfied single valued gbean
>>>> reference to the properties login module gbean from something in the
>>>> admin console. You need to find the gbean reference and change it to a
>>>> collection valued reference so it's no longer a mandatory reference.
>>>> You can wrap a collection valued reference with SingleElementCollection
>>>> to make it act like an optional single valued reference.
>>>>
>>>> hope this is clear enough to help..
>>>> david jencks
>>>>
>>>>> Q
>>>>>
>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks wrote:
>>>>>>
>>>>>> Hi Joe!
>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>>>>
>>>>>> Hi,
>>>>>> I've been working on replacing Geronimo 2.1.4's server-security-config
>>>>>> plugin's example security with our own security plugin. We need single
>>>>>> sign on for our application which also means the same sign on process
>>>>>> has to work with the Geronimo admin console. We need to be able to use
>>>>>> custom realms and custom login modules in our server-security-config
>>>>>> plugin replacement that may change depending on the environment we
>>>>>> deploy to. I've run into two limitations so far that I've found
>>>>>> documented online. One is that unless I want to re-deploy other plugins
>>>>>> that use the 'geronimo-admin' security realm, then our custom security
>>>>>> realm must be named 'geronimo-admin' as well. The other is that I ran
>>>>>> into http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>>>>>> create a dummy properties-login gbean in order for the tomcat
>>>>>> components to start up.
>>>>>>
>>>>>> In my experience this is incredibly annoying. I don't have time but
>>>>>> wonder if anyone else can see about fixing this for 2.2.
>>>>>>
>>>>>> I've created alias' for my plugin over the server-security-config
>>>>>> plugin in 'artifact-aliases.properties' file and I've also disabled the
>>>>>> server-security-config plugin and added my plugin as a loaded module in
>>>>>> the 'config.xml'. Unfortunately, I still cannot log into the Geronimo
>>>>>> console using my custom security realm and login module. Geronimo has
>>>>>> no problem starting with the current configuration and I can even login
>>>>>> using my custom login module. Everything seems happy as far as the
>>>>>> login process is concerned when I step through the code, but instead of
>>>>>> seeing the Geronimo console I get a tomcat error page stating 'Access
>>>>>> to the specified resource () has been forbidden'. The logs are
>>>>>> completely clean as well as the console output. My only idea is that my
>>>>>> admin users also need to be members of a specifically named Geronimo
>>>>>> admin group (make my admin groups name exactly match the one setup in
>>>>>> the default security plugin)? I have not tested this hypothesis out
>>>>>> yet, because I have my own admin group that is used by our application
>>>>>> that I would like to re-use as the Geronimo console's admin group. Any
>>>>>> other thoughts?
>>>>>>
>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>>>>> application, although in 2.2 you can put it into a different plugin if
>>>>>> you want and I think then swap it via an artifact-alias with one in a
>>>>>> different plugin.
>>>>>> So, that means that you need to supply the principals the principal-role
>>>>>> mapping expects:
>>>>>>
>>>>>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" />
>>>>>>
>>>>>> So, your login module needs to supply a principal of
>>>>>> class GeronimoGroupPrincipal and name "admin".
>>>>>> Let us know if this doesn't work.
>>>>>> thanks
>>>>>> david jencks
>>>>>>
>>>>>> Thanks,
>>>>>> Joe
>>>>>>
>>>>>
>>>>> --
>>>>> Quintin Beukes
>>>>
>>>
>>> --
>>> Quintin Beukes
>>
>> --
>> Quintin Beukes
>
> --
> Quintin Beukes

--
Quintin Beukes
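Added example, not code from the Geronimo project or from anyone in this thread: a checker for the artifact_aliases.properties edits that Quintin and Joe describe above, so that a malformed target (such as the space in Joe's "org com.my.geronimo" value) or an alias chain that never resolves is caught before the server is started and stops silently. It assumes the key=value format shown in the thread, where an empty version in the key means "any version"; the sample lines are constructed from the thread's entries.

```python
"""Sanity-check Geronimo artifact_aliases.properties entries (added example)."""
import re

# Constructed sample built from the alias lines quoted in the thread;
# the last line reproduces the stray "org " in Joe's target value.
SAMPLE = """\
org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
test/server-security-config//car=test/server-security-config/2.2/car
org.apache.geronimo.framework/server-security-config/2.1.4/car=org com.my.geronimo/my-security-config/1.0/car
"""

# groupId/artifactId/version/type; the version may be empty (wildcard) in a key.
ARTIFACT = re.compile(r"^([^/\s]+)/([^/\s]+)/([^/\s]*)/([^/\s]+)$")


def parse_aliases(text):
    """Return {alias_key: target} for non-blank, non-comment lines."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: no '=' separator" % lineno)
        key, target = (s.strip() for s in line.split("=", 1))
        aliases[key] = target
    return aliases


def check_aliases(aliases):
    """Return a list of problems; an empty list means the entries look sane."""
    problems = []
    for key, target in aliases.items():
        if not ARTIFACT.match(key):
            problems.append("bad key artifact id: %r" % key)
        m = ARTIFACT.match(target)
        if not m:
            problems.append("bad target artifact id for %s: %r" % (key, target))
            continue
        if not m.group(3):  # a target must name a concrete version
            problems.append("target for %s has no version: %r" % (key, target))
    # Follow alias chains: a target that is itself aliased must end somewhere.
    for key in aliases:
        seen, cur = {key}, aliases[key]
        while cur in aliases:
            if cur in seen:
                problems.append("alias cycle through %s" % key)
                break
            seen.add(cur)
            cur = aliases[cur]
    return problems
```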