Re: JACC and JAAS configuration for ClearTrust

2007-02-12 Thread lthall2 
Thanks, David.

The confirmation that this should be configurable is exactly what I was 
hoping for.  The explanation and gbean/ example are very helpful - as is 
the advice about JACC and upcoming versions of Geronimo.

After I get this working, I will gladly provide the relevant working plan 
fragments to this thread as you suggest; but I'm ignorant of how to make a 
useful contribution to the geronimoplugins site.

- Lee




David Jencks [EMAIL PROTECTED] 
02/12/2007 11:56 AM
Please respond to
user@geronimo.apache.org


To
user@geronimo.apache.org
cc

Subject
Re: JACC and JAAS configuration for ClearTrust







On Feb 12, 2007, at 4:52 AM, [EMAIL PROTECTED] wrote:


Trying to use JACC and JAAS configuration for ClearTrust (Access Manager) 
5.5 in Geronimo 1.1 - looks like it should work; but not sure where to 
start. 

Is anyone already using ClearTrust (aka RSA Access Manager)?  I'm hoping 
that someone has already accomplished configuring Geronimo to use 
ClearTrust using just config.xml - or if someone could advise whether 
there is new code I need to implement, and what the correct way is to 
deploy it (surely not in my application archive). 

Having successfully implemented a web application using a properties 
realm, the time has come for us to deploy to a secured production 
environment.  In preparation for this, our ClearTrust administrator has 
provisioned our IDs and we have groups set up that match the roles we 
need.  Since the principals are named as the application uses, no role 
mapping should be required (I think). 

After perusing the general JAAS and JACC documentation, as well as that 
which is specific to Geronimo on the wiki (and the little bit of JAAS info 
provided for ClearTrust) - it is not clear how to configure the 
GeronimoLoginConfiguration GBean for the GeronimoSecurityRealm with 
JaasLoginService (or JaasLoginCoordinator) to replace what we were doing 
with the properties realm. 

From what I understand, there is no login.conf in Geronimo because the 
configurations are identified in the GBean; but the details of the 
deployment plan are unclear.  For example, where do I tell the 
configuration which ClearTrust JAAS class is the LoginModule?  Do I use 
LoginModuleGBean (or JaasLoginModuleUse) to do that?  Do I configure 
parameters such as the ClearTrust host name and port in the options 
attribute?  Is this all declarative or do I implement the 
ConfigurationEntryFactory interface in a jar to be deployed apart from the 
application?  Can or should the login-config be used instead? 

Chapter 15 of the Wrox book Professional Apache Geronimo gives rather 
thorough coverage of JAAS and JACC and discusses the theory of gbean 
configuation as it applies to JAAS, but it doesn't give specifics that are 
similar enough to my needs for me to make the mental connection.  Having 
just enough information I'm naively tempted to write some code; but it 
seems like its an administration component that someone coulda/shoulda 
done by now and that could keep us from complicating the deployment by 
adding custom code where it is not required.  Further, it seems to me that 
I could waste a lot of time if I try to write a JACC adapter for the 
ClearTrust JAAS implementation without asking the Geronimo community if 
this is the right thing to do.  If someone has already done this - great, 
I'm sure I'm not the only one who would like to see your responses in the 
mail archives.  If not... cool, I get to write some code! 

Although the primary and urgent need is for basic web security of our 
application, it would be great to extend this to Geronimo's web console 
admin access too. 

If it matters in this context, our deployment stack is Win2003/IBM Java 
5/WAS CE 1.1.0.1/web app 2.4 

I'm not familiar with ClearTrust, but from your description it sounds like 
it provides one or more login modules where the result of using them is 
that you get a Subject populated with principals each of whose name 
represents a role ClearTrust knows about.

If this is the case you should not need to write any code, just 
configuration.

Lets assume you only need one login module, of class com.ct.LoginModule, 
and the principals are of class com.ct.RolePrincipal.  Lets further assume 
that the possible options for the login module are host and port.

To set up a security realm that uses ClearTrust you'd include something 
like this to an appropriate geronimo plan, either a web app plan if you 
use only one web app, or a separate security module if you plan to use 
this for more than one application (as it appears you do from the comment 
about the admin console):

gbean name=cleartrust-realm
class=org.apache.geronimo.security.realm.GenericSecurityRealm
attribute name=realmNamecleartrust-realm/attribute
xml-reference name=LoginModuleConfiguration
lc:login-config xmlns:lc=
http://geronimo.apache.org/xml/ns/loginconfig-1.1;
lc:login-module control

Re: JACC and JAAS configuration for ClearTrust

2007-02-12 Thread David Jencks 


On Feb 12, 2007, at 4:52 AM, [EMAIL PROTECTED] wrote:



Trying to use JACC and JAAS configuration for ClearTrust (Access  
Manager) 5.5 in Geronimo 1.1 - looks like it should work; but not  
sure where to start.


Is anyone already using ClearTrust (aka RSA Access Manager)?  I'm  
hoping that someone has already accomplished configuring Geronimo  
to use ClearTrust using just config.xml - or if someone could  
advise whether there is new code I need to implement, and what the  
correct way is to deploy it (surely not in my application archive).


Having successfully implemented a web application using a  
properties realm, the time has come for us to deploy to a secured  
production environment.  In preparation for this, our ClearTrust  
administrator has provisioned our IDs and we have groups set up  
that match the roles we need.  Since the principals are named as  
the application uses, no role mapping should be required (I think).


After perusing the general JAAS and JACC documentation, as well as  
that which is specific to Geronimo on the wiki (and the little bit  
of JAAS info provided for ClearTrust) - it is not clear how to  
configure the GeronimoLoginConfiguration GBean for the  
GeronimoSecurityRealm with JaasLoginService (or  
JaasLoginCoordinator) to replace what we were doing with the  
properties realm.


From what I understand, there is no login.conf in Geronimo because  
the configurations are identified in the GBean; but the details of  
the deployment plan are unclear.  For example, where do I tell the  
configuration which ClearTrust JAAS class is the LoginModule?  Do I  
use LoginModuleGBean (or JaasLoginModuleUse) to do that?  Do I  
configure parameters such as the ClearTrust host name and port in  
the options attribute?  Is this all declarative or do I implement  
the ConfigurationEntryFactory interface in a jar to be deployed  
apart from the application?  Can or should the login-config be  
used instead?


Chapter 15 of the Wrox book Professional Apache Geronimo gives  
rather thorough coverage of JAAS and JACC and discusses the theory  
of gbean configuation as it applies to JAAS, but it doesn't give  
specifics that are similar enough to my needs for me to make the  
mental connection.  Having just enough information I'm naively  
tempted to write some code; but it seems like its an administration  
component that someone coulda/shoulda done by now and that could  
keep us from complicating the deployment by adding custom code  
where it is not required.  Further, it seems to me that I could  
waste a lot of time if I try to write a JACC adapter for the  
ClearTrust JAAS implementation without asking the Geronimo  
community if this is the right thing to do.  If someone has already  
done this - great, I'm sure I'm not the only one who would like to  
see your responses in the mail archives.  If not... cool, I get to  
write some code!


Although the primary and urgent need is for basic web security of  
our application, it would be great to extend this to Geronimo's web  
console admin access too.


If it matters in this context, our deployment stack is Win2003/IBM  
Java 5/WAS CE 1.1.0.1/web app 2.4


I'm not familiar with ClearTrust, but from your description it sounds  
like it provides one or more login modules where the result of using  
them is that you get a Subject populated with principals each of  
whose name represents a role ClearTrust knows about.


If this is the case you should not need to write any code, just  
configuration.


Lets assume you only need one login module, of class  
com.ct.LoginModule, and the principals are of class  
com.ct.RolePrincipal.  Lets further assume that the possible options  
for the login module are host and port.


To set up a security realm that uses ClearTrust you'd include  
something like this to an appropriate geronimo plan, either a web app  
plan if you use only one web app, or a separate security module if  
you plan to use this for more than one application (as it appears you  
do from the comment about the admin console):


gbean name=cleartrust-realm
 
class=org.apache.geronimo.security.realm.GenericSecurityRealm

attribute name=realmNamecleartrust-realm/attribute
xml-reference name=LoginModuleConfiguration
lc:login-config xmlns:lc=http://geronimo.apache.org/ 
xml/ns/loginconfig-1.1
lc:login-module control-flag=REQUIRED server- 
side=true
lc:login-domain-namecleartrust-domain/ 
lc:login-domain-name
lc:login-module-classcom.ct.LoginModule/ 
lc:login-module-class

lc:option name=hostlocalhost/lc:option
lc:option name=port/lc:option
/lc:login-module
/lc:login-config
/xml-reference
reference name=ServerInfo
nameServerInfo/name
/reference
reference name=LoginService
nameJaasLoginService/name