geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Bohnert <...@weberhofer.at>
Subject Re: Any example on how to implement a programmatic login with geronimo security?
Date Wed, 23 Feb 2011 07:14:02 GMT
hello david,

thank you again! It's working now. kind of .. ;)
With global=true I can login now, but in subsequent requests the subject 
is not available anymore. I also can not use request.getUserPrincipal() 
at anytime.

so this I do in one request:

             LoginContext lc  = 
org.apache.geronimo.security.ContextManager.login("my_security_realm", 
this);
             
org.apache.geronimo.security.ContextManager.registerSubject(lc.getSubject());
            
  org.apache.geronimo.security.ContextManager.setCallers(lc.getSubject(), lc.getSubject());

             // this one is successful in the same request
             Subject sub = 
org.apache.geronimo.security.ContextManager.getCurrentCaller();

             // this one is NOT successfull, even in the same request
             Principal principal  = request.getUserPrincipal();

in a subsequent requests both 
ContextManager.getCurrentCaller/ContextManager.getCallers().getCurrentCaller() 
and request.getUserPrincipal return NULL or an empty Array;

Is there something else I have to take care of?
Do I have to register the user somehow before I can use 
request.getUserPrincipal?

What I want to do is:
- configure the realm with geronimo administration console
- use my own login form, pass the login data to jaas api or a geronimo 
implementation, verify the login data
- on each request check if the user is in role and access the users name

regards,
Andreas


> 	David Jencks <mailto:david_jencks@yahoo.com>
> 22. Februar 2011 00:59
>
>
> Hi Andreas,
>
> I think (but haven't checked) that if you do this kind of programatic 
> use of a named security realm you have to mark the realm <attribute 
> name="global">true</attribute>.  IIRC the built in code does some more 
> lookup to find the actual login Configuration object for a non-global 
> realm and you probably don't want to mess with that unless you need 
> several realms all with the same name for different apps.
>
> thanks
> david jencks
>
>
>
> ------------------------------------------------------------------------
>
> 	Andreas Bohnert <mailto:abo@weberhofer.at>
> 22. Februar 2011 00:21
>
>
> hello david,
>
> thanks for you quick response!
> the servlet 3.0 implementation seems to be a much nicer approach. but 
> at the moment I stuck with geronimo 2.2.
>
> > LoginContext lc = 
> org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> > ContextManager.registerSubject(lc.getSubject());
> > ContextManager.setCallers(lc.getSubject(), lc,getSubject());
>
> that is what I wanted to know. thanks.
> unfortunately I get an exception when I try this. the exception says 
> that there are no LoginModules configured for the given realm.
>
> I created the realm according to this document:
> https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
> I tested the realm, it's working.
>
> As far as I understand, if I create a realm with the geronimo 
> adminstration console, the realm is fully configured and I can 
> reference the realm in my war without further configuration:
>
> LoginContext lc  = 
> org.apache.geronimo.security.ContextManager.login("my_security_realm", 
> this);
>
> because this was not working ( ... no LoginModules configured for the 
> given realm ...), I also tried to add deployment plan of this realm to 
> my ear (geronimo-application.xml). but still I get the exception.
>
> so my deployment plan for my realm look like this:
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
> <environment>
> <moduleId>
> <groupId>console.realm</groupId>
> <artifactId>my_security_realm</artifactId>
> <version>1.0</version>
> <type>car</type>
> </moduleId>
> <dependencies>
> <dependency>
> <groupId>org.apache.geronimo.framework</groupId>
> <artifactId>j2ee-security</artifactId>
> <type>car</type>
> </dependency>
> <dependency>
> <groupId>console.dbpool</groupId>
> <artifactId>SecurityDatabasePool</artifactId>
> <version>1.0</version>
> <type>car</type>
> </dependency>
> </dependencies>
> </environment>
> <gbean name="my_security_realm" 
> class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
> xsi:type="dep:gbeanType" 
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <attribute name="realmName">my_security_realm</attribute>
> <attribute name="global">false</attribute>
> <reference name="ServerInfo">
> <name>ServerInfo</name>
> </reference>
> <xml-reference name="LoginModuleConfiguration">
> <log:login-config 
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
> <log:login-module control-flag="REQUIRED" wrap-principals="false">
> <log:login-domain-name>eusoda_security_realm</log:login-domain-name>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
> <log:option name="groupSelect">select username, groupname from groups 
> where username=?</log:option>
> <log:option name="dataSourceApplication">null</log:option>
> <log:option name="userSelect">select username, password from users 
> where username=?</log:option>
> <log:option name="dataSourceName">SecurityDatabasePool</log:option>
> </log:login-module>
> <log:login-module control-flag="OPTIONAL" wrap-principals="false">
> <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
> <log:option name="file">var/log/security_log.log</log:option>
> </log:login-module>
> </log:login-config>
> </xml-reference>
> </gbean>
> </module>
>
> if I put this plan in my ear, the geronimo-application.xml look like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <app:application 
> xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" 
> xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" 
> xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" 
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
> xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" 
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0" 
> xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2" 
> xmlns:pers="http://java.sun.com/xml/ns/persistence" 
> xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1" 
> xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" 
> xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1" 
> application-name="test-geronimo">
> <dep:environment>
> <dep:moduleId>
> <dep:groupId>test</dep:groupId>
> <dep:artifactId>test-geronimo</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>ear</dep:type>
> </dep:moduleId>
> <dep:dependencies>
> <dep:dependency>
> <dep:groupId>org.apache.geronimo.framework</dep:groupId>
> <dep:artifactId>j2ee-security</dep:artifactId>
> <dep:type>car</dep:type>
> </dep:dependency>
> <dep:dependency>
> <dep:groupId>console.dbpool</dep:groupId>
> <dep:artifactId>SecurityDatabasePool</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>car</dep:type>
> </dep:dependency>
> </dep:dependencies>
> </dep:environment>
> <dep:gbean name="my_security_realm" 
> class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
> xsi:type="dep:gbeanType" 
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <dep:attribute name="realmName">my_security_realm</dep:attribute>
> <dep:attribute name="global">false</dep:attribute>
> <dep:reference name="ServerInfo">
> <dep:name>ServerInfo</dep:name>
> </dep:reference>
> <dep:xml-reference name="LoginModuleConfiguration">
> <log:login-config 
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
> <log:login-module control-flag="REQUIRED" wrap-principals="false">
> <log:login-domain-name>my_security_realm</log:login-domain-name>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
> <log:option name="groupSelect">select username, groupname from groups 
> where username=?</log:option>
> <log:option name="dataSourceApplication">null</log:option>
> <log:option name="userSelect">select username, password from users 
> where username=?</log:option>
> <log:option name="dataSourceName">SecurityDatabasePool</log:option>
> </log:login-module>
> <log:login-module control-flag="OPTIONAL" wrap-principals="false">
> <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
> <log:option name="file">var/log/eusoda_security_log.log</log:option>
> </log:login-module>
> </log:login-config>
> </dep:xml-reference>
> </dep:gbean>
>
> </app:application>
>
> for my war I added this to geronimo-web.xml :
>
> <web:security-realm-name>my_security_realm</web:security-realm-name>
> <sec:security>
> <sec:role-mappings>
> <sec:role role-name="admin">
> <sec:principal name="administrators"  
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" 
> />
> <sec:principal name="root" 
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" 
> />
> </sec:role>
> </sec:role-mappings>
> </sec:security>
>
> What am I'm doing wrong?
>
> regards,
> Andreas
>
>
>
>
> ------------------------------------------------------------------------
>
> 	David Jencks <mailto:david_jencks@yahoo.com>
> 21. Februar 2011 08:10
>
>
> It's not entirely clear what you want to do.
>
> The documentation you point to is still fairly accurate but not really 
> relevant IIUC.
>
> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this 
> part is working), there are new methods on HttpServletRequest where 
> you can either force a login (e.g. form or basic) that has been 
> otherwise configured for the web app or login using username and 
> password you have collected yourself somehow. After this login all 
> container managed security will work just as if the user had tried to 
> access a protected resource and been logged in automatically.
>
> Before servlet 3.0 you can always get some credentials and login but 
> the resulting subject won't automatically be known to the container 
> and container managed security won't work at all unless you do 
> something to register the result.
>
> I think I've given some advice on how to do this on the user list in 
> the past. IIRC you want to do something like
>
> LoginContext lc = 
> org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> ContextManager.registerSubject(lc.getSubject());
> ContextManager.setCallers(lc.getSubject(), lc,getSubject());
> //do work
>
> ContextManager.clearCallers();
> ContextManager.unregisterSubject(lc.getSubject());
> lc.logout();
>
> hope this helps
> david jencks
>
> .
> ------------------------------------------------------------------------
>
> 	Andreas Bohnert <mailto:abo@weberhofer.at>
> 21. Februar 2011 07:26
>
>
> dear list,
>
> there is an example (time report) on how to configure a form based 
> login (j_security_check) but how am I'm doing a programmatic login 
> with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this, but I wonder if it is still up to date:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
>
> If the above documentation is obsolet:
> Do I need to write a login-config.xm and how does it look like?
> Are there any callbackhandler implementations that I can pass to a 
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------------------------------------------------
>
> 	Andreas Bohnert <mailto:abo@online.de>
> 21. Februar 2011 00:28
>
>
> dear list,
>
> there is an example (time report) on how to configure a form based 
> login (j_security_check) but how am I'm doing a programmatic login 
> with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
> Is this still up to date?
>
> If the documentation is obsolet:
> Do I need to write a login-config.xm and how does it look like?
> Are there any callbackhandler implementations that I can pass to a 
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------------------------------------------------


Mime
View raw message