> -----Original Message-----
> From: David Blevins [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 16, 2004 7:55 PM
> To: [EMAIL PROTECTED]
> Subject: Security providers
>
> Is the security stuff hooked up by default? If not, what does it take
> to get a Provider plugged in? Or how do you change from one to the other?
>
> -David

The security stuff is set up in configuration plan org/apache/geronimo/Server, but you may not find a useful security realm configured. Walking through the GBean names, I will briefly explain what they do:

geronimo.security:type=SecurityRealm,realm=geronimo-properties-realm

    This is a security realm named "geronimo-properties-realm". It is implemented by the security realm provider PropertiesFileSecurityRealm, which uses two properties files, one for users and one for groups. I think that Jeremy uses this realm to provide security for remote JMX.

geronimo.security:type=ConfigurationEntry,jaasId=JMX

    This registers a JAAS configuration entry for the above security realm. Its application configuration name is "JMX" and this is what you pass to a LoginContext.

geronimo.security:type=LoginConfiguration

    This bean's sole purpose is to register Geronimo's LoginConfiguration handler.

geronimo.security:type=SecurityService

    This is Geronimo's JACC default implementation. I intend to refactor it so that it's obvious that this is not an all-encompassing service but is just a default JACC implementation. Third-party vendors can swap in their own JACC implementations here.

geronimo.security:type=LoginService

    This is Geronimo's login service. Geronimo LoginModules speak to this service to obtain their secure, hopefully spoof-proof, identification.

If you want to use a different security realm, you'll need to configure two new beans, one for the security realm itself, the other for its JAAS configuration entry. These would be similar to the two beans listed above.

Here's an example; you can see it in action in org.apache.geronimo.security.jaas.LoginSQLTest. Let's say that I work for POOKIE Corporation and we have a SQL DB with users in it.
The schema looks roughly like:

    CREATE TABLE Users(UserName VARCHAR(16), Password VARCHAR(16));
    CREATE TABLE Groups(GroupName VARCHAR(16), UserName VARCHAR(16));

Its GBean security realm configuration could look like:

    <gbean name="geronimo.security:type=SecurityRealm,realm=pookie-realm"
           class="org.apache.geronimo.security.realm.providers.SQLSecurityRealm">
        <attribute name="realmName" type="java.lang.String">pookie-realm</attribute>
        <attribute name="maxLoginModuleAge" type="long">10000</attribute>
        <attribute name="connectionURL" type="java.lang.String">jdbc:hsqldb:target/database/LoginSQLTest</attribute>
        <attribute name="user" type="java.lang.String">dbid</attribute>
        <attribute name="password" type="java.lang.String">dbpw</attribute>
        <attribute name="userSelect" type="java.lang.String">SELECT UserName, Password FROM Users</attribute>
        <attribute name="groupSelect" type="java.lang.String">SELECT GroupName, UserName FROM Groups</attribute>
    </gbean>

Here, I've configured the realm name, "pookie-realm". The attribute maxLoginModuleAge says how long to keep the login module around when someone attempts to log in; I've given them ten seconds. The attribute connectionURL is the JDBC connection URL. User and password are the credentials used to log in to the DB. Finally, there are the two select statements to use to obtain a list of users and the groups that they belong to.

Finally, we need to configure a JAAS configuration entry for it. Let's say that we want to use the application configuration name of "BEAR":

    <gbean name="geronimo.security:type=ConfigurationEntry,jaasId=BEAR"
           class="org.apache.geronimo.security.jaas.ConfigurationEntryRealmLocal">
        <attribute name="applicationConfigName" type="java.lang.String">BEAR</attribute>
        <attribute name="realmName" type="java.lang.String">pookie-realm</attribute>
        <attribute name="controlFlag" type="org.apache.geronimo.security.jaas.LoginModuleControlFlag">REQUIRED</attribute>
    </gbean>

I hope you found this helpful.

Regards,
Alan
