Thanks, David.
The confirmation that this should be configurable is exactly what I was
hoping for. The explanation and gbean/ example are very helpful - as is
the advice about JACC and upcoming versions of Geronimo.
After I get this working, I will gladly provide the relevant working plan
fragments to this thread as you suggest; but I'm ignorant of how to make a
useful contribution to the geronimoplugins site.
- Lee
David Jencks [EMAIL PROTECTED]
02/12/2007 11:56 AM
Please respond to
user@geronimo.apache.org
To
user@geronimo.apache.org
cc
Subject
Re: JACC and JAAS configuration for ClearTrust
On Feb 12, 2007, at 4:52 AM, [EMAIL PROTECTED] wrote:
Trying to use JACC and JAAS configuration for ClearTrust (Access Manager)
5.5 in Geronimo 1.1 - looks like it should work; but not sure where to
start.
Is anyone already using ClearTrust (aka RSA Access Manager)? I'm hoping
that someone has already accomplished configuring Geronimo to use
ClearTrust using just config.xml - or if someone could advise whether
there is new code I need to implement, and what the correct way is to
deploy it (surely not in my application archive).
Having successfully implemented a web application using a properties
realm, the time has come for us to deploy to a secured production
environment. In preparation for this, our ClearTrust administrator has
provisioned our IDs and we have groups set up that match the roles we
need. Since the principals are named as the application uses, no role
mapping should be required (I think).
After perusing the general JAAS and JACC documentation, as well as that
which is specific to Geronimo on the wiki (and the little bit of JAAS info
provided for ClearTrust) - it is not clear how to configure the
GeronimoLoginConfiguration GBean for the GeronimoSecurityRealm with
JaasLoginService (or JaasLoginCoordinator) to replace what we were doing
with the properties realm.
From what I understand, there is no login.conf in Geronimo because the
configurations are identified in the GBean; but the details of the
deployment plan are unclear. For example, where do I tell the
configuration which ClearTrust JAAS class is the LoginModule? Do I use
LoginModuleGBean (or JaasLoginModuleUse) to do that? Do I configure
parameters such as the ClearTrust host name and port in the options
attribute? Is this all declarative or do I implement the
ConfigurationEntryFactory interface in a jar to be deployed apart from the
application? Can or should the login-config be used instead?
Chapter 15 of the Wrox book Professional Apache Geronimo gives rather
thorough coverage of JAAS and JACC and discusses the theory of gbean
configuation as it applies to JAAS, but it doesn't give specifics that are
similar enough to my needs for me to make the mental connection. Having
just enough information I'm naively tempted to write some code; but it
seems like its an administration component that someone coulda/shoulda
done by now and that could keep us from complicating the deployment by
adding custom code where it is not required. Further, it seems to me that
I could waste a lot of time if I try to write a JACC adapter for the
ClearTrust JAAS implementation without asking the Geronimo community if
this is the right thing to do. If someone has already done this - great,
I'm sure I'm not the only one who would like to see your responses in the
mail archives. If not... cool, I get to write some code!
Although the primary and urgent need is for basic web security of our
application, it would be great to extend this to Geronimo's web console
admin access too.
If it matters in this context, our deployment stack is Win2003/IBM Java
5/WAS CE 1.1.0.1/web app 2.4
I'm not familiar with ClearTrust, but from your description it sounds like
it provides one or more login modules where the result of using them is
that you get a Subject populated with principals each of whose name
represents a role ClearTrust knows about.
If this is the case you should not need to write any code, just
configuration.
Lets assume you only need one login module, of class com.ct.LoginModule,
and the principals are of class com.ct.RolePrincipal. Lets further assume
that the possible options for the login module are host and port.
To set up a security realm that uses ClearTrust you'd include something
like this to an appropriate geronimo plan, either a web app plan if you
use only one web app, or a separate security module if you plan to use
this for more than one application (as it appears you do from the comment
about the admin console):
gbean name=cleartrust-realm
class=org.apache.geronimo.security.realm.GenericSecurityRealm
attribute name=realmNamecleartrust-realm/attribute
xml-reference name=LoginModuleConfiguration
lc:login-config xmlns:lc=
http://geronimo.apache.org/xml/ns/loginconfig-1.1;
lc:login-module control