geronimo-user mailing list archives

From chi runhua <chirun...@gmail.com>
Subject Re: Any example on how to implement a programmatic login with geronimo security?
Date Tue, 22 Feb 2011 09:18:09 GMT
And IIRC, you also need to add your realm as a dependency in the deployment
plan of your application.

geronimo-application.xml
...
            <dep:dependency>
                <dep:groupId>console.realm</dep:groupId>
                <dep:artifactId>my_security_realm</dep:artifactId>
                <dep:type>car</dep:type>
            </dep:dependency>
...

HTH.

Jeff


On Tue, Feb 22, 2011 at 1:59 AM, David Jencks <david_jencks@yahoo.com> wrote:

> Hi Andreas,
>
> I think (but haven't checked) that if you do this kind of programmatic use
> of a named security realm you have to mark the realm <attribute
> name="global">true</attribute>.  IIRC the built in code does some more
> lookup to find the actual login Configuration object for a non-global realm
> and you probably don't want to mess with that unless you need several realms
> all with the same name for different apps.
>
> thanks
> david jencks
>
> On Feb 21, 2011, at 9:21 AM, Andreas Bohnert wrote:
>
>  hello david,
>
> thanks for your quick response!
> the servlet 3.0 implementation seems to be a much nicer approach. but at
> the moment I am stuck with geronimo 2.2.
>
> > LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> > ContextManager.registerSubject(lc.getSubject());
> > ContextManager.setCallers(lc.getSubject(), lc.getSubject());
>
> that is what I wanted to know. thanks.
> unfortunately I get an exception when I try this. the exception says that
> there are no LoginModules configured for the given realm.
>
> I created the realm according to this document:
> https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
> I tested the realm, it's working.
>
> As far as I understand, if I create a realm with the geronimo administration
> console, the realm is fully configured and I can reference the realm in my
> war without further configuration:
>
> LoginContext lc = org.apache.geronimo.security.ContextManager.login("my_security_realm", this);
>
> because this was not working ( ... no LoginModules configured for the given
> realm ...), I also tried to add the deployment plan of this realm to my ear
> (geronimo-application.xml). but still I get the exception.
>
> so my deployment plan for my realm looks like this:
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>     <environment>
>         <moduleId>
>             <groupId>console.realm</groupId>
>             <artifactId>my_security_realm</artifactId>
>             <version>1.0</version>
>             <type>car</type>
>         </moduleId>
>         <dependencies>
>             <dependency>
>                 <groupId>org.apache.geronimo.framework</groupId>
>                 <artifactId>j2ee-security</artifactId>
>                 <type>car</type>
>             </dependency>
>             <dependency>
>                 <groupId>console.dbpool</groupId>
>                 <artifactId>SecurityDatabasePool</artifactId>
>                 <version>1.0</version>
>                 <type>car</type>
>             </dependency>
>         </dependencies>
>     </environment>
>     <gbean name="my_security_realm"
>         class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>         xsi:type="dep:gbeanType"
>         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <attribute name="realmName">my_security_realm</attribute>
>         <attribute name="global">false</attribute>
>         <reference name="ServerInfo">
>             <name>ServerInfo</name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                     <log:login-domain-name>eusoda_security_realm</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>                     <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>
>                     <log:option name="dataSourceApplication">null</log:option>
>                     <log:option name="userSelect">select username, password from users where username=?</log:option>
>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                     <log:option name="file">var/log/security_log.log</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
> </module>
>
> if I put this plan in my ear, the geronimo-application.xml looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <app:application xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>     xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
>     xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"
>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>     xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
>     xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"
>     xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
>     xmlns:pers="http://java.sun.com/xml/ns/persistence"
>     xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
>     xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
>     application-name="test-geronimo">
>     <dep:environment>
>         <dep:moduleId>
>             <dep:groupId>test</dep:groupId>
>             <dep:artifactId>test-geronimo</dep:artifactId>
>             <dep:version>1.0</dep:version>
>             <dep:type>ear</dep:type>
>         </dep:moduleId>
>         <dep:dependencies>
>             <dep:dependency>
>                 <dep:groupId>org.apache.geronimo.framework</dep:groupId>
>                 <dep:artifactId>j2ee-security</dep:artifactId>
>                 <dep:type>car</dep:type>
>             </dep:dependency>
>             <dep:dependency>
>                 <dep:groupId>console.dbpool</dep:groupId>
>                 <dep:artifactId>SecurityDatabasePool</dep:artifactId>
>                 <dep:version>1.0</dep:version>
>                 <dep:type>car</dep:type>
>             </dep:dependency>
>      </dep:dependencies>
>     </dep:environment>
>     <dep:gbean name="my_security_realm"
>         class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>         xsi:type="dep:gbeanType"
>         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <dep:attribute name="realmName">my_security_realm</dep:attribute>
>         <dep:attribute name="global">false</dep:attribute>
>         <dep:reference name="ServerInfo">
>             <dep:name>ServerInfo</dep:name>
>         </dep:reference>
>         <dep:xml-reference name="LoginModuleConfiguration">
>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                     <log:login-domain-name>my_security_realm</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>                     <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>
>                     <log:option name="dataSourceApplication">null</log:option>
>                     <log:option name="userSelect">select username, password from users where username=?</log:option>
>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                     <log:option name="file">var/log/eusoda_security_log.log</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </dep:xml-reference>
>     </dep:gbean>
>
> </app:application>
>
> for my war I added this to geronimo-web.xml :
>
>     <web:security-realm-name>my_security_realm</web:security-realm-name>
>      <sec:security>
>         <sec:role-mappings>
>             <sec:role role-name="admin">
>                 <sec:principal name="administrators"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>                 <sec:principal name="root"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>             </sec:role>
>         </sec:role-mappings>
>     </sec:security>
>
> What am I doing wrong?
>
> regards,
> Andreas
>
>
>    David Jencks <david_jencks@yahoo.com>
> 21. Februar 2011 08:10
>
> It's not entirely clear what you want to do.
>
> The documentation you point to is still fairly accurate but not really
> relevant IIUC.
>
> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this part
> is working), there are new methods on HttpServletRequest where you can
> either force a login (e.g. form or basic) that has been otherwise configured
> for the web app or login using username and password you have collected
> yourself somehow. After this login all container managed security will work
> just as if the user had tried to access a protected resource and been logged
> in automatically.
>
> Before servlet 3.0 you can always get some credentials and login but the
> resulting subject won't automatically be known to the container and
> container managed security won't work at all unless you do something to
> register the result.
>
> I think I've given some advice on how to do this on the user list in the
> past. IIRC you want to do something like
>
> LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> ContextManager.registerSubject(lc.getSubject());
> ContextManager.setCallers(lc.getSubject(), lc.getSubject());
> //do work
>
> ContextManager.clearCallers();
> ContextManager.unregisterSubject(lc.getSubject());
> lc.logout();
>
> hope this helps
> david jencks
>
> ------------------------------
>
>    Andreas Bohnert <abo@weberhofer.at>
> 21. Februar 2011 07:26
>
> dear list,
>
> there is an example (time report) on how to configure a form based login
> (j_security_check) but how do I do a programmatic login with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this, but I wonder if it is still up to date:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
>
> If the above documentation is obsolete:
> Do I need to write a login-config.xm and what does it look like?
> Are there any callbackhandler implementations that I can pass to a
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------
>
>    Andreas Bohnert <abo@online.de>
> 21. Februar 2011 00:28
>
> dear list,
>
> there is an example (time report) on how to configure a form based login
> (j_security_check) but how do I do a programmatic login with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
> Is this still up to date?
>
> If the documentation is obsolete:
> Do I need to write a login-config.xm and what does it look like?
> Are there any callbackhandler implementations that I can pass to a
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------
>
>
>
>
>
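
An added example, not part of the original thread and not Geronimo's own code: a minimal JAAS CallbackHandler of the kind asked about in the thread, combined with the ContextManager sequence quoted there, wrapped in try/finally so the caller identity is always cleared from the thread. The class name ProgrammaticLogin and the methods handler and runAs are hypothetical; the ContextManager calls are assumed to have the signatures quoted in the thread and need the Geronimo 2.2 security classes on the classpath.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.apache.geronimo.security.ContextManager;

// Hypothetical helper class for illustration; not Geronimo code.
public final class ProgrammaticLogin {
    /** Supplies a user name and password to whatever login modules the realm runs. */
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password); // callback stores a copy
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Logs in against the named realm, runs work as that subject, then always cleans up. */
    public static void runAs(String realm, String user, char[] password, Runnable work)
            throws LoginException {
        LoginContext lc;
        try {
            lc = ContextManager.login(realm, handler(user, password));
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text password in memory
        }
        Subject subject = lc.getSubject();
        ContextManager.registerSubject(subject);
        try {
            ContextManager.setCallers(subject, subject);
            work.run();
        } finally {
            // Container threads are pooled: leave no identity behind, even on exceptions.
            ContextManager.clearCallers();
            ContextManager.unregisterSubject(subject);
            lc.logout();
        }
    }
}
```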
