geronimo-user mailing list archives

From John Field <jfi...@gopivotal.com>
Subject Re: Support for <distinguished-name> in geronimo-web.xml
Date Fri, 07 Jun 2013 19:58:44 GMT
Answering my own post here.....

I now understand that the <sec:distinguished-name> element is meant to be
used with X.509 client certificate support, and is not intended as an
integration with a (back-end) LDAP realm.

These can co-exist, with the LDAP realm configuration being independent of
any DN as presented via X.509 certificates.

Sorry for the confusion.

Thanks,
John


On Fri, May 24, 2013 at 1:47 PM, Field, John <jfield@gopivotal.com> wrote:

> Greetings,
>
> I have a Geronimo 3 deployment and I have configured my application to use
> the LDAPLoginModule against Fortress (i.e. OpenLDAP).
>
> I have included a security role as part of the web.xml, and I've
> successfully mapped that abstract role to LDAP groups using
>
> <principal name="myAbstractRoleName"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>
> in my geronimo-web.xml.
>
> However, the configuration option for a <distinguished-name> here does not
> seem to work.
>
> Does anyone know if this is implemented in the runtime, or perhaps there is
> something wrong in my configuration?
>
> Below is a simple geronimo-web.xml configuration that I've done against
> one of the sample EJB applications to demonstrate the problem.
>
> TIA,
> John
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"
> xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>
> <dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
> <dep:moduleId>
> <dep:artifactId>MyTimeWeb</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>war</dep:type>
> </dep:moduleId>
> <dep:dependencies>
> <dep:dependency>
> <dep:groupId>console.realm</dep:groupId>
> <dep:artifactId>FortressRealm</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>car</dep:type>
> </dep:dependency>
> </dep:dependencies>
> </dep:environment>
>
> <context-root>/mytime</context-root>
>
> <security-realm-name>FortressRealm</security-realm-name>
>
> <sec:security>
> <sec:default-principal>
> <sec:principal name="anonymous"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> />
> </sec:default-principal>
> <sec:role-mappings>
> <sec:role role-name="EnmasseSuperUserRole">
>
>
> <sec:principal name="EnmasseSuperUser"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
> <sec:principal name="role1"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>
> <!-- Support for this does not seem to be implemented: -->
> <sec:distinguished-name
> name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>
> <sec:distinguished-name
> name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
> <sec:distinguished-name
> name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
>
>
> <!-- This works, but is not my preferred approach. -->
>   <sec:principal name="johnfield"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> />
>
>
> </sec:role>
> </sec:role-mappings>
> </sec:security>
>
>
> </web-app>
>
>


-- 

John P. Field | Security Architect | Pivotal

Direct: (908) 962-3394 | jfield@gopivotal.com

*goPivotal.com <http://www.goPivotal.com>*
