geronimo-user mailing list archives

From Andreas Bohnert <...@weberhofer.at>
Subject Re: Any example on how to implement a programmatic login with geronimo security?
Date Mon, 21 Feb 2011 17:21:48 GMT
hello david,

thanks for your quick response!
the servlet 3.0 implementation seems to be a much nicer approach. but at 
the moment I'm stuck with geronimo 2.2.

 > LoginContext lc = 
 > org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
 > ContextManager.registerSubject(lc.getSubject());
 > ContextManager.setCallers(lc.getSubject(), lc.getSubject());

that is what I wanted to know. thanks.
unfortunately I get an exception when I try this. the exception says 
that there are no LoginModules configured for the given realm.

I created the realm according to this document:
https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
I tested the realm, it's working.

As far as I understand, if I create a realm with the geronimo 
administration console, the realm is fully configured and I can reference 
the realm in my war without further configuration:

LoginContext lc  = 
org.apache.geronimo.security.ContextManager.login("my_security_realm", 
this);

because this was not working ( ... no LoginModules configured for the 
given realm ...), I also tried to add the deployment plan of this realm to 
my ear (geronimo-application.xml). but still I get the exception.

so my deployment plan for my realm looks like this:
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
<environment>
<moduleId>
<groupId>console.realm</groupId>
<artifactId>my_security_realm</artifactId>
<version>1.0</version>
<type>car</type>
</moduleId>
<dependencies>
<dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>j2ee-security</artifactId>
<type>car</type>
</dependency>
<dependency>
<groupId>console.dbpool</groupId>
<artifactId>SecurityDatabasePool</artifactId>
<version>1.0</version>
<type>car</type>
</dependency>
</dependencies>
</environment>
<gbean name="my_security_realm" 
class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
xsi:type="dep:gbeanType" 
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<attribute name="realmName">my_security_realm</attribute>
<attribute name="global">false</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config 
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
<log:login-module control-flag="REQUIRED" wrap-principals="false">
<log:login-domain-name>eusoda_security_realm</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
<log:option name="groupSelect">select username, groupname from groups 
where username=?</log:option>
<log:option name="dataSourceApplication">null</log:option>
<log:option name="userSelect">select username, password from users where 
username=?</log:option>
<log:option name="dataSourceName">SecurityDatabasePool</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL" wrap-principals="false">
<log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
<log:option name="file">var/log/security_log.log</log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</gbean>
</module>

if I put this plan in my ear, the geronimo-application.xml looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<app:application 
xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" 
xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" 
xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" 
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" 
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0" 
xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2" 
xmlns:pers="http://java.sun.com/xml/ns/persistence" 
xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1" 
xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" 
xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1" 
application-name="test-geronimo">
<dep:environment>
<dep:moduleId>
<dep:groupId>test</dep:groupId>
<dep:artifactId>test-geronimo</dep:artifactId>
<dep:version>1.0</dep:version>
<dep:type>ear</dep:type>
</dep:moduleId>
<dep:dependencies>
<dep:dependency>
<dep:groupId>org.apache.geronimo.framework</dep:groupId>
<dep:artifactId>j2ee-security</dep:artifactId>
<dep:type>car</dep:type>
</dep:dependency>
<dep:dependency>
<dep:groupId>console.dbpool</dep:groupId>
<dep:artifactId>SecurityDatabasePool</dep:artifactId>
<dep:version>1.0</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
</dep:dependencies>
</dep:environment>
<dep:gbean name="my_security_realm" 
class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
xsi:type="dep:gbeanType" 
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dep:attribute name="realmName">my_security_realm</dep:attribute>
<dep:attribute name="global">false</dep:attribute>
<dep:reference name="ServerInfo">
<dep:name>ServerInfo</dep:name>
</dep:reference>
<dep:xml-reference name="LoginModuleConfiguration">
<log:login-config 
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
<log:login-module control-flag="REQUIRED" wrap-principals="false">
<log:login-domain-name>my_security_realm</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
<log:option name="groupSelect">select username, groupname from groups 
where username=?</log:option>
<log:option name="dataSourceApplication">null</log:option>
<log:option name="userSelect">select username, password from users where 
username=?</log:option>
<log:option name="dataSourceName">SecurityDatabasePool</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL" wrap-principals="false">
<log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
<log:option name="file">var/log/eusoda_security_log.log</log:option>
</log:login-module>
</log:login-config>
</dep:xml-reference>
</dep:gbean>

</app:application>

for my war I added this to geronimo-web.xml :

<web:security-realm-name>my_security_realm</web:security-realm-name>
<sec:security>
<sec:role-mappings>
<sec:role role-name="admin">
<sec:principal name="administrators"  
class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" 
/>
<sec:principal name="root" 
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" 
/>
</sec:role>
</sec:role-mappings>
</sec:security>

What am I doing wrong?

regards,
Andreas


> 	David Jencks <mailto:david_jencks@yahoo.com>
> 21 February 2011 08:10
>
>
> It's not entirely clear what you want to do.
>
> The documentation you point to is still fairly accurate but not really 
> relevant IIUC.
>
> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this 
> part is working), there are new methods on HttpServletRequest where 
> you can either force a login (e.g. form or basic) that has been 
> otherwise configured for the web app or login using username and 
> password you have collected yourself somehow. After this login all 
> container managed security will work just as if the user had tried to 
> access a protected resource and been logged in automatically.
>
> Before servlet 3.0 you can always get some credentials and login but 
> the resulting subject won't automatically be known to the container 
> and container managed security won't work at all unless you do 
> something to register the result.
>
> I think I've given some advice on how to do this on the user list in 
> the past. IIRC you want to do something like
>
> LoginContext lc = 
> org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> ContextManager.registerSubject(lc.getSubject());
> ContextManager.setCallers(lc.getSubject(), lc.getSubject());
> //do work
>
> ContextManager.clearCallers();
> ContextManager.unregisterSubject(lc.getSubject());
> lc.logout();
>
> hope this helps
> david jencks
>
> .
> ------------------------------------------------------------------------
>
> 	Andreas Bohnert <mailto:abo@weberhofer.at>
> 21 February 2011 07:26
>
>
> dear list,
>
> there is an example (time report) on how to configure a form based 
> login (j_security_check) but how do I do a programmatic login 
> with geronimo?
> I cannot find any references on how to do this with geronimo 2.x
>
> I found this, but I wonder if it is still up to date:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
>
> If the above documentation is obsolete:
> Do I need to write a login-config.xml and what does it look like?
> Are there any callbackhandler implementations that I can pass to a 
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------------------------------------------------
>
> 	Andreas Bohnert <mailto:abo@online.de>
> 21 February 2011 00:28
>
>
> dear list,
>
> there is an example (time report) on how to configure a form based 
> login (j_security_check) but how do I do a programmatic login 
> with geronimo?
> I cannot find any references on how to do this with geronimo 2.x
>
> I found this:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
> Is this still up to date?
>
> If the documentation is obsolete:
> Do I need to write a login-config.xml and what does it look like?
> Are there any callbackhandler implementations that I can pass to a 
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------------------------------------------------
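As an added example, not code from the thread or from Geronimo itself, this puts David's login / registerSubject / setCallers / clearCallers / unregisterSubject / logout sequence into a try/finally and supplies the simple username/password CallbackHandler Andreas asked about. It assumes the realm's login module asks only for a NameCallback and a PasswordCallback, and that ContextManager.login has the (String realm, CallbackHandler) signature quoted above.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.ContextManager;
// Added example, not code from the thread; realm name and the callbacks answered are assumptions.
public class ProgrammaticLogin {
    /** Answers the NameCallback/PasswordCallback a username/password login module issues. */
    static final class UsernamePasswordHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        UsernamePasswordHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb); // fail closed on anything unexpected
                }
            }
        }
    }
    /** Logs in against realmName, runs work as that caller, then undoes every step. */
    static void runAs(String realmName, String user, char[] password, Runnable work) throws LoginException {
        LoginContext lc = ContextManager.login(realmName, new UsernamePasswordHandler(user, password));
        Subject subject = lc.getSubject();
        try {
            ContextManager.registerSubject(subject);     // make the container aware of the Subject
            ContextManager.setCallers(subject, subject); // current caller and next caller
            work.run();
        } finally {
            // Reverse order, and always: a failure must not leave a caller bound to this thread.
            ContextManager.clearCallers();
            ContextManager.unregisterSubject(subject);
            lc.logout();
            Arrays.fill(password, '\0'); // drop the cleartext password from memory
        }
    }
}
```

Because the cleanup runs in finally, an exception thrown by the work (or by the login modules during logout) cannot leave a registered Subject attached to a request-handling thread that the container will reuse for the next caller.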