geronimo-user mailing list archives

From "Field, John" <jfi...@gopivotal.com>
Subject Support for <distinguished-name> in geronimo-web.xml
Date Fri, 24 May 2013 17:47:02 GMT
Greetings,

I have a Geronimo 3 deployment and I have configured my application to use the LDAPLoginModule
against Fortress (i.e. OpenLDAP).  

I have included a security role as part of the web.xml, and I've successfully mapped that
abstract role to LDAP groups using 

<principal name="myAbstractRoleName" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />


in my geronimo-web.xml.

However, the configuration option for a <distinguished-name> here does not seem to work.
 

Does anyone know if this is implemented in the runtime, or perhaps there is something wrong
in my configuration?

Below is a simple geronimo-web.xml configuration that I've done against one of the sample
EJB applications to demonstrate the problem.

TIA,
John


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"  xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

	<dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
		<dep:moduleId>
			<dep:artifactId>MyTimeWeb</dep:artifactId>
			<dep:version>1.0</dep:version>
			<dep:type>war</dep:type>
		</dep:moduleId>
		<dep:dependencies>
			<dep:dependency>
				<dep:groupId>console.realm</dep:groupId>
				<dep:artifactId>FortressRealm</dep:artifactId>
				<dep:version>1.0</dep:version>
				<dep:type>car</dep:type>
			</dep:dependency>
		</dep:dependencies>
	</dep:environment>

	<context-root>/mytime</context-root>

	<security-realm-name>FortressRealm</security-realm-name>

	<sec:security>
		<sec:default-principal>
			<sec:principal name="anonymous"
				class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
		</sec:default-principal>
		<sec:role-mappings>
			<sec:role role-name="EnmasseSuperUserRole">
			
				<sec:principal name="EnmasseSuperUser" 
					class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
				<sec:principal name="role1" 
					class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

				<!-- Support for this does not seem to be implemented: -->
				<sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>

				<sec:distinguished-name name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
				<sec:distinguished-name name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>

				<!-- This works, but is not my preferred approach. -->
				<sec:principal name="johnfield" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />

			</sec:role>
		</sec:role-mappings>
	</sec:security>


</web-app>
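As an added example (not part of the message above and not Geronimo's own code), a small Python audit of the `<sec:role-mappings>` section of a geronimo-web.xml: it parses the security namespace, checks that each `<sec:distinguished-name>` splits into attribute=value RDNs, flags roles that rely solely on DN mappings (which the message reports are not honoured, leaving such a role effectively unassignable), and flags roles granted to the default (anonymous) principal. The sample descriptor is constructed from the one in the message, with the extra AuditorRole and PublicRole added to exercise the checks.

```python
import re
import xml.etree.ElementTree as ET

SEC = "{http://geronimo.apache.org/xml/ns/security-2.0}"
PROV = "org.apache.geronimo.security.realm.providers."

# Constructed sample (added example, not the poster's file): the descriptor above, trimmed, plus two roles that exercise the checks below.
SAMPLE = f"""<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:security>
    <sec:default-principal>
      <sec:principal name="anonymous" class="{PROV}GeronimoUserPrincipal"/>
    </sec:default-principal>
    <sec:role-mappings>
      <sec:role role-name="EnmasseSuperUserRole">
        <sec:principal name="EnmasseSuperUser" class="{PROV}GeronimoGroupPrincipal"/>
        <sec:distinguished-name name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"/>
      </sec:role>
      <sec:role role-name="AuditorRole">
        <sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"/>
        <sec:distinguished-name name="johnfield,ou=People"/>
      </sec:role>
      <sec:role role-name="PublicRole">
        <sec:principal name="anonymous" class="{PROV}GeronimoUserPrincipal"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</web-app>"""

def split_dn(dn):
    # RDNs are separated by commas that are not backslash-escaped (simplified RFC 4514).
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def audit(xml_text):
    root = ET.fromstring(xml_text)
    default_names = {p.get("name") for dp in root.iter(SEC + "default-principal")
                     for p in dp.iter(SEC + "principal")}
    findings = []
    for role in root.iter(SEC + "role"):
        rn, principals = role.get("role-name"), role.findall(SEC + "principal")
        dns = [d.get("name", "") for d in role.findall(SEC + "distinguished-name")]
        for dn in dns:  # every RDN must have the form attribute=value
            if not split_dn(dn) or any("=" not in r for r in split_dn(dn)):
                findings.append((rn, "malformed-dn", dn))
        if dns and not principals:  # relies solely on DN mapping, which the post reports is not honoured
            findings.append((rn, "dn-only-mapping", len(dns)))
        for p in principals:  # the default (unauthenticated) principal must not be granted roles
            if p.get("name") in default_names:
                findings.append((rn, "granted-to-default-principal", p.get("name")))
    return findings
```

Run `audit()` over the real descriptor's text to get a list of (role, finding, detail) tuples; an empty list means no role is DN-only, malformed, or granted to the default principal.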

