geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Any example on how to implement a programmatic login with geronimo security?
Date Wed, 23 Feb 2011 08:16:03 GMT
Hi Andreas,

I'm not sure why getUserPrincipal() is returning null.

isUserInRole(rolename) ought to work.  Have you defined your roles in web.xml and mapped them
to principals in the geronimo plan?

There's a lot going on behind the scenes with built in authentication.  In particular form
authentication keeps track of the authenticated subject for you by storing it in the session.
 If you don't want to imitate basic login and authenticate on every request you will need
to do the same.

hope this helps
david jencks

On Feb 22, 2011, at 11:14 PM, Andreas Bohnert wrote:

> hello david,
> 
> thank you again! It's working now. kind of .. ;)
> With global=true I can log in now, but in subsequent requests the subject is not available
anymore. I also can not use request.getUserPrincipal() at any time.
> 
> so this I do in one request:
> 
>             LoginContext lc = org.apache.geronimo.security.ContextManager.login("my_security_realm", this);
>             org.apache.geronimo.security.ContextManager.registerSubject(lc.getSubject());
>             org.apache.geronimo.security.ContextManager.setCallers(lc.getSubject(), lc.getSubject());
> 
>             // this one is successful in the same request
>             Subject sub = org.apache.geronimo.security.ContextManager.getCurrentCaller();
> 
>             // this one is NOT successful, even in the same request
>             Principal principal  = request.getUserPrincipal();
>             
> in subsequent requests both ContextManager.getCurrentCaller/ContextManager.getCallers().getCurrentCaller()
and request.getUserPrincipal return NULL or an empty array.
> 
> Is there something else I have to take care of?
> Do I have to register the user somehow before I can use request.getUserPrincipal? 
> 
> What I want to do is:
> - configure the realm with geronimo administration console
> - use my own login form, pass the login data to the JAAS API or a geronimo implementation,
verify the login data
> - on each request check if the user is in a role and access the user's name
> 
> regards,
> Andreas
> 
>  
>> 	David Jencks
>> 22. Februar 2011 00:59
>> 
>> Hi Andreas,
>> 
>> I think (but haven't checked) that if you do this kind of programmatic use of a named
security realm you have to mark the realm <attribute name="global">true</attribute>.
 IIRC the built in code does some more lookup to find the actual login Configuration object
for a non-global realm and you probably don't want to mess with that unless you need several
realms all with the same name for different apps.
>> 
>> thanks
>> david jencks
>> 
>> 
>> 
>> 
>> 	Andreas Bohnert
>> 22. Februar 2011 00:21
>> 
>> hello david,
>> 
>> thanks for your quick response!
>> the servlet 3.0 implementation seems to be a much nicer approach, but at the moment
I'm stuck with geronimo 2.2.
>> 
>> > LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
>> > ContextManager.registerSubject(lc.getSubject());
>> > ContextManager.setCallers(lc.getSubject(), lc.getSubject());
>> 
>> that is what I wanted to know. thanks.
>> unfortunately I get an exception when I try this. the exception says that there are
no LoginModules configured for the given realm.
>> 
>> I created the realm according to this document:
>> https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
>> I tested the realm, it's working.
>> 
>> As far as I understand, if I create a realm with the geronimo administration console,
the realm is fully configured and I can reference the realm in my war without further configuration:
>> 
>> LoginContext lc = org.apache.geronimo.security.ContextManager.login("my_security_realm", this);
>> 
>> because this was not working ( ... no LoginModules configured for the given realm
...), I also tried to add the deployment plan of this realm to my ear (geronimo-application.xml),
but I still get the exception.
>> 
>> so my deployment plan for my realm looks like this:
>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>     <environment>
>>         <moduleId>
>>             <groupId>console.realm</groupId>
>>             <artifactId>my_security_realm</artifactId>
>>             <version>1.0</version>
>>             <type>car</type>
>>         </moduleId>
>>         <dependencies>
>>             <dependency>
>>                 <groupId>org.apache.geronimo.framework</groupId>
>>                 <artifactId>j2ee-security</artifactId>
>>                 <type>car</type>
>>             </dependency>
>>             <dependency>
>>                 <groupId>console.dbpool</groupId>
>>                 <artifactId>SecurityDatabasePool</artifactId>
>>                 <version>1.0</version>
>>                 <type>car</type>
>>             </dependency>
>>         </dependencies>
>>     </environment>
>>     <gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>         <attribute name="realmName">my_security_realm</attribute>
>>         <attribute name="global">false</attribute>
>>         <reference name="ServerInfo">
>>             <name>ServerInfo</name>
>>         </reference>
>>         <xml-reference name="LoginModuleConfiguration">
>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>>                     <log:option name="groupSelect">select username, groupname
from groups where username=?</log:option>
>>                     <log:option name="dataSourceApplication">null</log:option>
>>                     <log:option name="userSelect">select username, password
from users where username=?</log:option>
>>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>>                 </log:login-module>
>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>>                     <log:option name="file">var/log/security_log.log</log:option>
>>                 </log:login-module>
>>             </log:login-config>
>>         </xml-reference>
>>     </gbean>
>> </module>
>> 
>> if I put this plan in my ear, the geronimo-application.xml looks like this:
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <app:application xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
application-name="test-geronimo">
>>     <dep:environment>
>>         <dep:moduleId>
>>             <dep:groupId>test</dep:groupId>
>>             <dep:artifactId>test-geronimo</dep:artifactId>
>>             <dep:version>1.0</dep:version>
>>             <dep:type>ear</dep:type>
>>         </dep:moduleId>
>>         <dep:dependencies>
>>             <dep:dependency>
>>                 <dep:groupId>org.apache.geronimo.framework</dep:groupId>
>>                 <dep:artifactId>j2ee-security</dep:artifactId>
>>                 <dep:type>car</dep:type>
>>             </dep:dependency>
>>             <dep:dependency>
>>                 <dep:groupId>console.dbpool</dep:groupId>
>>                 <dep:artifactId>SecurityDatabasePool</dep:artifactId>
>>                 <dep:version>1.0</dep:version>
>>                 <dep:type>car</dep:type>
>>             </dep:dependency>
>>      </dep:dependencies>
>>     </dep:environment>
>>     <dep:gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>         <dep:attribute name="realmName">my_security_realm</dep:attribute>
>>         <dep:attribute name="global">false</dep:attribute>
>>         <dep:reference name="ServerInfo">
>>             <dep:name>ServerInfo</dep:name>
>>         </dep:reference>
>>         <dep:xml-reference name="LoginModuleConfiguration">
>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>                     <log:login-domain-name>my_security_realm</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>>                     <log:option name="groupSelect">select username, groupname
from groups where username=?</log:option>
>>                     <log:option name="dataSourceApplication">null</log:option>
>>                     <log:option name="userSelect">select username, password
from users where username=?</log:option>
>>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>>                 </log:login-module>
>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>>                     <log:option name="file">var/log/eusoda_security_log.log</log:option>
>>                 </log:login-module>
>>             </log:login-config>
>>         </dep:xml-reference>
>>     </dep:gbean>
>>     
>> </app:application>
>> 
>> for my war I added this to geronimo-web.xml :
>> 
>>     <web:security-realm-name>my_security_realm</web:security-realm-name>
>>      <sec:security>
>>         <sec:role-mappings>
>>             <sec:role role-name="admin">
>>                 <sec:principal name="administrators"  class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>>                 <sec:principal name="root" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>>             </sec:role>
>>         </sec:role-mappings>
>>     </sec:security>
>> 
>> What am I doing wrong?
>> 
>> regards,
>> Andreas
>> 
>> 
>> 
>> 
>> 
>> 	David Jencks
>> 21. Februar 2011 08:10
>> 
>> It's not entirely clear what you want to do.
>> 
>> The documentation you point to is still fairly accurate but not really relevant IIUC.
>> 
>> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this part is working),
there are new methods on HttpServletRequest where you can either force a login (e.g. form
or basic) that has been otherwise configured for the web app or login using username and password
you have collected yourself somehow. After this login all container managed security will
work just as if the user had tried to access a protected resource and been logged in automatically.
>> 
>> Before servlet 3.0 you can always get some credentials and login but the resulting
subject won't automatically be known to the container and container managed security won't
work at all unless you do something to register the result.
>> 
>> I think I've given some advice on how to do this on the user list in the past. IIRC
you want to do something like
>> 
>> LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
>> ContextManager.registerSubject(lc.getSubject());
>> ContextManager.setCallers(lc.getSubject(), lc.getSubject());
>> //do work
>> 
>> ContextManager.clearCallers();
>> ContextManager.unregisterSubject(lc.getSubject());
>> lc.logout();
>> 
>> hope this helps
>> david jencks
>> 
>> .
>> 
>> 	Andreas Bohnert
>> 21. Februar 2011 07:26
>> 
>> dear list, 
>> 
>> there is an example (time report) on how to configure a form based login (j_security_check),
but how am I doing a programmatic login with geronimo? 
>> I can not find any references on how to do this with geronimo 2.x 
>> 
>> I found this, but I wonder if it is still up to date: 
>> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html 
>> 
>> If the above documentation is obsolete: 
>> Do I need to write a login-config.xml and how does it look like? 
>> Are there any callbackhandler implementations that I can pass to a LoginContext?
>> 
>> Any help is very much appreciated. 
>> 
>> Andreas 
>> 
>> 
>> 	Andreas Bohnert
>> 21. Februar 2011 00:28
>> 
>> dear list, 
>> 
>> there is an example (time report) on how to configure a form based login (j_security_check),
but how am I doing a programmatic login with geronimo? 
>> I can not find any references on how to do this with geronimo 2.x 
>> 
>> I found this: 
>> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html 
>> Is this still up to date? 
>> 
>> If the documentation is obsolete: 
>> Do I need to write a login-config.xml and how does it look like? 
>> Are there any callbackhandler implementations that I can pass to a LoginContext?
>> 
>> Any help is very much appreciated. 
>> 
>> Andreas 
>> 
> 
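The sequence David gives further down the thread (ContextManager.login, registerSubject, setCallers, do the work, clearCallers, unregisterSubject, lc.logout) and his point above that form authentication only works across requests because it stores the authenticated subject in the session, put together as one servlet filter for Geronimo 2.2. This is an added example, not code from the thread or from the Geronimo project. It assumes a realm named my_security_realm deployed with global=true, a login form that POSTs fields named "username" and "password" to /login, and a session attribute name of its own choosing; all of those names are hypothetical. The filter reads the user name straight from the Subject's GeronimoUserPrincipal rather than relying on request.getUserPrincipal(), which Andreas reports as null.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

/**
 * Programmatic JAAS login against a named Geronimo 2.2 realm. The Subject is kept in the
 * HttpSession so later requests re-bind it instead of logging in again. Map to /* in web.xml.
 * Added example, not Geronimo project code.
 */
public class ProgrammaticLoginFilter implements Filter {

    // Assumptions (hypothetical names): the realm is deployed with global=true and the login
    // form POSTs to LOGIN_PATH with fields "username" and "password".
    private static final String REALM = "my_security_realm";
    private static final String LOGIN_PATH = "/login";
    private static final String SESSION_KEY = "geronimo.login";

    /** Answers the realm's NameCallback/PasswordCallback with the collected credentials. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FormCallbackHandler(String user, String password) {
            this.user = user == null ? "" : user;
            this.password = password == null ? new char[0] : password.toCharArray();
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Session attribute whose removal (explicit logout, timeout, invalidate) undoes the login. */
    static final class Login implements HttpSessionBindingListener {
        final LoginContext lc;
        Login(LoginContext lc) { this.lc = lc; }
        public void valueBound(HttpSessionBindingEvent e) {}
        public void valueUnbound(HttpSessionBindingEvent e) {
            ContextManager.unregisterSubject(lc.getSubject());
            try { lc.logout(); } catch (LoginException ignored) {}
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        Login login = session == null ? null : (Login) session.getAttribute(SESSION_KEY);

        if (login == null && "POST".equals(request.getMethod())
                && LOGIN_PATH.equals(request.getServletPath())) {
            LoginContext lc;
            try {
                lc = ContextManager.login(REALM, new FormCallbackHandler(
                        request.getParameter("username"), request.getParameter("password")));
            } catch (LoginException e) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no failure detail to the client
                return;
            }
            ContextManager.registerSubject(lc.getSubject()); // once per login, not once per request
            if (session != null) session.invalidate();       // fresh session id after authentication
            session = request.getSession(true);
            login = new Login(lc);
            session.setAttribute(SESSION_KEY, login);
        }

        if (login == null) {            // anonymous request: nothing to bind
            chain.doFilter(req, res);
            return;
        }

        // Bind the Subject to this request's thread and always unbind it afterwards, so the
        // pooled thread does not carry the identity into the next request it serves.
        Subject subject = login.lc.getSubject();
        ContextManager.setCallers(subject, subject);
        try {
            chain.doFilter(req, res);
        } finally {
            ContextManager.clearCallers();
        }
    }

    /** Name of the current caller as the realm reported it, or null when nobody is logged in. */
    public static String currentUserName() {
        Subject s = ContextManager.getCurrentCaller();
        if (s == null) return null;
        for (GeronimoUserPrincipal p : s.getPrincipals(GeronimoUserPrincipal.class)) return p.getName();
        return null;
    }
}
```

Two caveats: LoginContext is not Serializable, so this assumes sessions that are not replicated or persisted across a restart; and logging out is simply session.removeAttribute(SESSION_KEY) or session.invalidate(), which fires valueUnbound and performs the unregisterSubject/logout pair from David's sequence.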

