From: "Joe Dente"
To: user@geronimo.apache.org
Subject: RE: Replacing the server-security-config plugin
Date: Fri, 11 Sep 2009 13:47:23 -0500

To reproduce it create your own server-security-config plugin that uses any login module other than the properties-login gbean that is expected. You then need to deploy your new server-security-config plugin and have it completely replace the default server-security-config (see http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration). I achieved this by telling the server-security-config car to not load in the config.xml, telling my security plugin to load in the config.xml, and then adding artifact aliases for both the 2.1.4 and wildcard-versioned lines referring to the server-security-config plugin in the artifact_aliases.properties file.

In artifact_aliases.properties:

org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
org.apache.geronimo.framework/server-security-config/2.1.4/car=com.my.geronimo/my-security-config/1.0/car

In config.xml:

Now try and startup Geronimo. You will see the error discussing the missing expected gbean.

Hope this helps,
Joe

-------------

Errr. Ouch. *rubbing the bruised area in his brain*. I'm not that on with everything you said. I think the best thing would be to reproduce it. What would I do to reproduce it?

Q

On Fri, Sep 11, 2009 at 6:42 PM, David Jencks wrote:
>
> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>
>> I'll be willing to have a look at it.
>>
>> can you give me a general idea what I'm supposed to look at and how it
>> would be done?
>
> IIRC the failure is caused by an unsatisfied single valued gbean reference
> to the properties login module gbean from something in the admin console.
> You need to find the gbean reference and change it to a collection valued
> reference so it's no longer a mandatory reference. You can wrap a
> collection valued reference with SingleElementCollection to make it act like
> an optional single valued reference.
>
> hope this is clear enough to help..
> david jencks
>
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks wrote:
>>>
>>> Hi Joe!
>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>
>>> Hi,
>>> I've been working on replacing Geronimo 2.1.4's server-security-config
>>> plugin's example security with our own security plugin. We need single sign
>>> on for our application which also means the same sign on process has to work
>>> with the Geronimo admin console. We need to be able to use custom realms and
>>> custom login modules in our server-security-config plugin replacement that
>>> may change depending on the environment we deploy to. I've run into two
>>> limitations so far that I've found documented online. One is that unless I
>>> want to re-deploy other plugins that use the 'geronimo-admin' security
>>> realm, then our custom security realm must be named 'geronimo-admin' as
>>> well. The other is that I ran
>>> into http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to
>>> create a dummy properties-login gbean in order for the tomcat components
>>> to start up.
>>>
>>> In my experience this is incredibly annoying. I don't have time but wonder
>>> if anyone else can see about fixing this for 2.2.
>>>
>>> I've created aliases for my plugin over the server-security-config plugin in
>>> 'artifact-aliases.properties' file and I've also disabled the
>>> server-security-config plugin and added my plugin as a loaded module in the
>>> 'config.xml'. Unfortunately, I still cannot log into the Geronimo console
>>> using my custom security realm and login module. Geronimo has no problem
>>> starting with the current configuration and I can even login using my custom
>>> login module. Everything seems happy as far as the login process is
>>> concerned when I step through the code, but instead of seeing the Geronimo
>>> console I get a tomcat error page stating 'Access to the specified resource
>>> () has been forbidden'. The logs are completely clean as well as the
>>> console output. My only idea is that my admin users also need to be members
>>> of a specifically named Geronimo admin group (make my admin groups name
>>> exactly match the one setup in the default security plugin)? I have not
>>> tested this hypothesis out yet, because I have my own admin group that is
>>> used by our application that I would like to re-use as the Geronimo
>>> console's admin group. Any other thoughts?
>>>
>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>> application, although in 2.2 you can put it into a different plugin if you
>>> want and I think then swap it via an artifact-alias with one in a different
>>> plugin.
>>> So, that means that you need to supply the principals the principal-role
>>> mapping expects:
>>>
>>>     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" />
>>>
>>> So, your login module needs to supply a principal of
>>> class GeronimoGroupPrincipal and name "admin".
>>> Let us know if this doesn't work.
>>> thanks
>>> david jencks
>>>
>>> Thanks,
>>> Joe
>>>
>>
>>
>>
>> --
>> Quintin Beukes
>
>

--
Quintin Beukes
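The advice in the thread (the custom login module must put a GeronimoGroupPrincipal named "admin" into the Subject, because that is the principal the console's principal-role mapping is bound to) is easy to get wrong in commit(). Below is an added example of a JAAS login module that does this; it is not code from the thread or from the Geronimo project. The class name MySsoLoginModule, the package com.my.geronimo.security, the in-memory user and group tables, and the application group name "app-admins" are all constructed for illustration; only the group name "admin" and the GeronimoGroupPrincipal class come from the thread, and GeronimoUserPrincipal is the sibling class from the same Geronimo package.

```java
package com.my.geronimo.security; // hypothetical package, matching the com.my.geronimo plugin name used in the thread

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

/**
 * Custom login module whose commit() populates the Subject with the principals
 * the admin console's role mapping expects. The "admin" group name is the one
 * named in the thread; the user store below is constructed sample data.
 */
public class MySsoLoginModule implements LoginModule {

    /** Group name the console's principal-role mapping is bound to (from the thread). */
    static final String CONSOLE_ADMIN_GROUP = "admin";

    /** Application group whose members may also administer the console (assumption). */
    private static final String APP_ADMIN_GROUP = "app-admins";

    // Constructed stand-in for the real SSO/user store: user -> password, user -> groups.
    private static final Map<String, char[]> PASSWORDS = new HashMap<String, char[]>();
    private static final Map<String, Set<String>> GROUPS = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "alice-pw".toCharArray());
        GROUPS.put("alice", new HashSet<String>(Arrays.asList("app-users", APP_ADMIN_GROUP)));
        PASSWORDS.put("bob", "bob-pw".toCharArray());
        GROUPS.put("bob", new HashSet<String>(Arrays.asList("app-users")));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    // Principals this module added, so logout() removes only its own.
    private final Set<Principal> added = new HashSet<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        char[] expected = name == null ? null : PASSWORDS.get(name);
        boolean ok = expected != null && pw != null && Arrays.equals(expected, pw);
        if (pw != null) Arrays.fill(pw, '\0'); // do not keep the cleartext around
        if (!ok) throw new FailedLoginException("bad user or password");
        user = name;
        authenticated = true;
        return true;
    }

    public boolean commit() {
        if (!authenticated) return false;
        added.add(new GeronimoUserPrincipal(user));
        Set<String> groups = GROUPS.get(user);
        for (String g : groups) {
            added.add(new GeronimoGroupPrincipal(g));
        }
        // Only members of the application's admin group receive the console's "admin" group.
        if (groups.contains(APP_ADMIN_GROUP)) {
            added.add(new GeronimoGroupPrincipal(CONSOLE_ADMIN_GROUP));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { cleanup(); return true; }

    public boolean logout() { subject.getPrincipals().removeAll(added); cleanup(); return true; }

    private void cleanup() { user = null; authenticated = false; added.clear(); }
}
```

The point of the explicit `APP_ADMIN_GROUP` check is that the console grants its admin role to whoever carries a `GeronimoGroupPrincipal` named "admin", so the login module is the place where that decision is made; emitting the "admin" group for every authenticated user would hand console administration to all application users. A real module would verify credentials against the SSO store (hashed, with a constant-time comparison) instead of the in-memory table shown here.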