geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Any example on how to implement a programmatic login with geronimo security?
Date Tue, 22 Feb 2011 18:10:07 GMT
I thought that would not be possible since IIUC the security realm is defined in the war or
ear plan itself so there is nothing to depend on.  You should put in this dependency if the
realm is defined in its' own plan.

thanks
david jencks

On Feb 22, 2011, at 1:18 AM, chi runhua wrote:

> And IIRC, you also need to add your realm as a dependency in the deployment plan of your
application.
> 
>  geronimo-application.xml 
> ...
>          <dep:dependency>
>                 <dep:groupId>console.realm</dep:groupId>
>                 <dep:artifactId>my_security_realm</dep:artifactId>
>                 <dep:type>car</dep:type>
>             </dep:dependency>
> ...
> 
> HTH.
> 
> Jeff 
> 
> 
> On Tue, Feb 22, 2011 at 1:59 AM, David Jencks <david_jencks@yahoo.com> wrote:
> Hi Andreas,
> 
> I think (but haven't checked) that if you do this kind of programatic use of a named
security realm you have to mark the realm <attribute name="global">true</attribute>.
 IIRC the built in code does some more lookup to find the actual login Configuration object
for a non-global realm and you probably don't want to mess with that unless you need several
realms all with the same name for different apps.
> 
> thanks
> david jencks
> 
> On Feb 21, 2011, at 9:21 AM, Andreas Bohnert wrote:
> 
>> hello david,
>> 
>> thanks for you quick response!
>> the servlet 3.0 implementation seems to be a much nicer approach. but at the moment
I stuck with geronimo 2.2.
>> 
>> > LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
>> > ContextManager.registerSubject(lc.getSubject());
>> > ContextManager.setCallers(lc.getSubject(), lc,getSubject());
>> 
>> that is what I wanted to know. thanks.
>> unfortunately I get an exception when I try this. the exception says that there are
no LoginModules configured for the given realm.
>> 
>> I created the realm according to this document:
>> https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
>> I tested the realm, it's working.
>> 
>> As far as I understand, if I create a realm with the geronimo adminstration console,
the realm is fully configured and I can reference the realm in my war without further configuration:
>> 
>> LoginContext lc  = org.apache.geronimo.security.ContextManager.login("my_security_realm",
this);
>> 
>> because this was not working ( ... no LoginModules configured for the given realm
...), I also tried to add deployment plan of this realm to my ear (geronimo-application.xml).
but still I get the exception.
>> 
>> so my deployment plan for my realm look like this:
>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>     <environment>
>>         <moduleId>
>>             <groupId>console.realm</groupId>
>>             <artifactId>my_security_realm</artifactId>
>>             <version>1.0</version>
>>             <type>car</type>
>>         </moduleId>
>>         <dependencies>
>>             <dependency>
>>                 <groupId>org.apache.geronimo.framework</groupId>
>>                 <artifactId>j2ee-security</artifactId>
>>                 <type>car</type>
>>             </dependency>
>>             <dependency>
>>                 <groupId>console.dbpool</groupId>
>>                 <artifactId>SecurityDatabasePool</artifactId>
>>                 <version>1.0</version>
>>                 <type>car</type>
>>             </dependency>
>>         </dependencies>
>>     </environment>
>>     <gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>         <attribute name="realmName">my_security_realm</attribute>
>>         <attribute name="global">false</attribute>
>>         <reference name="ServerInfo">
>>             <name>ServerInfo</name>
>>         </reference>
>>         <xml-reference name="LoginModuleConfiguration">
>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>>                     <log:option name="groupSelect">select username, groupname
from groups where username=?</log:option>
>>                     <log:option name="dataSourceApplication">null</log:option>
>>                     <log:option name="userSelect">select username, password
from users where username=?</log:option>
>>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>>                 </log:login-module>
>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>>                     <log:option name="file">var/log/security_log.log</log:option>
>>                 </log:login-module>
>>             </log:login-config>
>>         </xml-reference>
>>     </gbean>
>> </module>
>> 
>> if I put this plan in my ear, the geronimo-application.xml look like this:
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <app:application xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
application-name="test-geronimo">
>>     <dep:environment>
>>         <dep:moduleId>
>>             <dep:groupId>test</dep:groupId>
>>             <dep:artifactId>test-geronimo</dep:artifactId>
>>             <dep:version>1.0</dep:version>
>>             <dep:type>ear</dep:type>
>>         </dep:moduleId>
>>         <dep:dependencies>
>>             <dep:dependency>
>>                 <dep:groupId>org.apache.geronimo.framework</dep:groupId>
>>                 <dep:artifactId>j2ee-security</dep:artifactId>
>>                 <dep:type>car</dep:type>
>>             </dep:dependency>
>>             <dep:dependency>
>>                 <dep:groupId>console.dbpool</dep:groupId>
>>                 <dep:artifactId>SecurityDatabasePool</dep:artifactId>
>>                 <dep:version>1.0</dep:version>
>>                 <dep:type>car</dep:type>
>>             </dep:dependency>
>>      </dep:dependencies>
>>     </dep:environment>
>>     <dep:gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>         <dep:attribute name="realmName">my_security_realm</dep:attribute>
>>         <dep:attribute name="global">false</dep:attribute>
>>         <dep:reference name="ServerInfo">
>>             <dep:name>ServerInfo</dep:name>
>>         </dep:reference>
>>         <dep:xml-reference name="LoginModuleConfiguration">
>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>                     <log:login-domain-name>my_security_realm</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>>                     <log:option name="groupSelect">select username, groupname
from groups where username=?</log:option>
>>                     <log:option name="dataSourceApplication">null</log:option>
>>                     <log:option name="userSelect">select username, password
from users where username=?</log:option>
>>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>>                 </log:login-module>
>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>>                     <log:option name="file">var/log/eusoda_security_log.log</log:option>
>>                 </log:login-module>
>>             </log:login-config>
>>         </dep:xml-reference>
>>     </dep:gbean>
>>     
>> </app:application>
>> 
>> for my war I added this to geronimo-web.xml :
>> 
>>     <web:security-realm-name>my_security_realm</web:security-realm-name>
>>      <sec:security>
>>         <sec:role-mappings>
>>             <sec:role role-name="admin">
>>                 <sec:principal name="administrators"  class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>>                 <sec:principal name="root" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>>             </sec:role>
>>         </sec:role-mappings>
>>     </sec:security>
>> 
>> What am I'm doing wrong?
>> 
>> regards,
>> Andreas
>> 
>> 
>>> 	David Jencks
>>> 21. Februar 2011 08:10
>>> 
>>> It's not entirely clear what you want to do.
>>> 
>>> The documentation you point to is still fairly accurate but not really relevant
IIUC.
>>> 
>>> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this part is
working), there are new methods on HttpServletRequest where you can either force a login (e.g.
form or basic) that has been otherwise configured for the web app or login using username
and password you have collected yourself somehow. After this login all container managed security
will work just as if the user had tried to access a protected resource and been logged in
automatically.
>>> 
>>> Before servlet 3.0 you can always get some credentials and login but the resulting
subject won't automatically be known to the container and container managed security won't
work at all unless you do something to register the result.
>>> 
>>> I think I've given some advice on how to do this on the user list in the past.
IIRC you want to do something like
>>> 
>>> LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
>>> ContextManager.registerSubject(lc.getSubject());
>>> ContextManager.setCallers(lc.getSubject(), lc,getSubject());
>>> //do work
>>> 
>>> ContextManager.clearCallers();
>>> ContextManager.unregisterSubject(lc.getSubject());
>>> lc.logout();
>>> 
>>> hope this helps
>>> david jencks
>>> 
>>> .
>>> 
>>> 	Andreas Bohnert
>>> 21. Februar 2011 07:26
>>> 
>>> dear list, 
>>> 
>>> there is an example (time report) on how to configure a form based login (j_security_check)
but how am I'm doing a programmatic login with geronimo? 
>>> I can not find any references on how to do this with geronimo 2.x 
>>> 
>>> I found this, but I wonder if it is still up to date: 
>>> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html 
>>> 
>>> If the above documentation is obsolet: 
>>> Do I need to write a login-config.xm and how does it look like? 
>>> Are there any callbackhandler implementations that I can pass to a LoginContext?

>>> 
>>> Any help is very much appreciated. 
>>> 
>>> Andreas 
>>> 
>>> 
>>> 	Andreas Bohnert
>>> 21. Februar 2011 00:28
>>> 
>>> dear list, 
>>> 
>>> there is an example (time report) on how to configure a form based login (j_security_check)
but how am I'm doing a programmatic login with geronimo? 
>>> I can not find any references on how to do this with geronimo 2.x 
>>> 
>>> I found this: 
>>> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html 
>>> Is this still up to date? 
>>> 
>>> If the documentation is obsolet: 
>>> Do I need to write a login-config.xm and how does it look like? 
>>> Are there any callbackhandler implementations that I can pass to a LoginContext?

>>> 
>>> Any help is very much appreciated. 
>>> 
>>> Andreas 
>>> 
>> 
>> 
> 
> 


Mime
View raw message