geronimo-user mailing list archives

From chi runhua <chirun...@gmail.com>
Subject Re: when using an application client to consume a secure ejb, who perform the authentication?
Date Wed, 07 Apr 2010 06:13:06 GMT
Assume we want to use a properties file realm for user auditing. On the Geronimo
server, deploy a module as follows:

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>test-realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="test-realm"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType"
           xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">test-realm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>test-realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                    <log:option name="usersURI">var/security/demo_users.properties</log:option>
                    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>


Then deploy a client-side realm for the application client to authenticate with
the OpenEJB container, as follows:

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>remote-openejb-realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
            <dependency>
                <groupId>org.apache.geronimo.modules</groupId>
                <artifactId>geronimo-openejb</artifactId>
                <type>jar</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="remote-openejb-realm"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType"
           xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">remote-openejb-realm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>remote-openejb-realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.openejb.OpenejbRemoteLoginModule</log:login-module-class>
                    <log:option name="RemoteSecurityRealm">test-realm</log:option>
                    <log:option name="ServerURI">ejbd://localhost:4201</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>

In your geronimo-application-client.xml, specify the client-side realm
module as a dependency and give its realm name. Also, you need to provide your
<callback-handler> as David J mentioned earlier. See the snippet as
follows:

<?xml version="1.0" encoding="UTF-8"?>

<application-client xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
  xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"
  xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2"
  xmlns:security="http://geronimo.apache.org/xml/ns/security-2.0"
  xmlns:connector="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2">

  <sys:client-environment>
    <sys:moduleId>
      <sys:groupId>org.apache.geronimo.samples</sys:groupId>
      <sys:artifactId>Myclient</sys:artifactId>
      <sys:version>2.2.0</sys:version>
      <sys:type>jar</sys:type>
    </sys:moduleId>
    <sys:dependencies>
      <sys:dependency>
        <sys:groupId>console.realm</sys:groupId>
        <sys:artifactId>remote-openejb-realm</sys:artifactId>
        <sys:version>1.0</sys:version>
        <sys:type>car</sys:type>
      </sys:dependency>
    </sys:dependencies>
  </sys:client-environment>

  <sys:server-environment>
    <sys:moduleId>
      <sys:groupId>org.apache.geronimo.samples</sys:groupId>
      <sys:artifactId>MyServer</sys:artifactId>
      <sys:version>2.2.0</sys:version>
      <sys:type>jar</sys:type>
    </sys:moduleId>
    <sys:dependencies>
      <sys:dependency>
        <sys:groupId>console.realm</sys:groupId>
        <sys:artifactId>remote-openejb-realm</sys:artifactId>
        <sys:version>1.0</sys:version>
        <sys:type>car</sys:type>
      </sys:dependency>
    </sys:dependencies>
  </sys:server-environment>

  <realm-name>remote-openejb-realm</realm-name>
  <callback-handler>org.apache.geronimo.samples.Myclient.appClient.MyCallbackHandler</callback-handler>
</application-client>

Hope this helps.

Jeff C


On Tue, Apr 6, 2010 at 11:16 PM, Sarah.kho <sarah.kho@gmail.com> wrote:

>
> Hi,
>
> I studied the page, but it does not have the name of the deployment
> descriptor in which I should include the sample code. Should I
> include it inside the geronimo-application-client.xml?
>
> It also says that the realm should also be specified at the server side. I
> think it means in the openejb-jar.xml. Can you give me the sample snippet
> for that one as well?
>
> Thanks
>
