Aaron,
I am running Tomcat within Geronimo, as a GBean. The configuration of Tomcat is occurring through GBeans. I had to make a few changes to the current Tomcat GBean as Catalina does not like relative paths to the conf file, so I made some internal changes to use an absolute path.
Yes I already changed the tests and am working on them now. I noticed the changes when I did an update, so I made the alterations to my unit tests and am testing them now.
I am aware of the geronimo-tomcat.xml. That is what I am striving for. I first want to get this working within a server.xml, which is the easiest way to get it operating. Once I have that running, this will validate that it's interoperating with Geronimo. Then I will write the Context Interceptor that will use a geronimo-tomcat.xml file, for dynamic Realm and Context reference within each individual web app (like Jetty does).
Thanks for the info on the subject stuff. I will try to change the JAAS code on the Tomcat side as you suggested.
Jeff
Aaron Mulder wrote:
Are you trying to run Tomcat within Geronimo, or run both Tomcat and Geronimo on the same box separately but talking to each other?
In any case, unfortunately, you'll have to change your tests, because the properties file realm just went away. If you look at the Jetty test you based your stuff on, you'll see how to replace that with a PropertiesFileLoginModule and a GenericSecurityRealm (two GBeans).
The problem you're having with authorization may be due to the Subject you're getting as a result of the login. It's not actually populated with all the principals that the server generates, because the server only gives the "client" a single ID to identify itself as of now. There's a change on the table to return more of the principals to the client, and you'll have to wait for that if you can't change the JAAS code on the Tomcat side. Otherwise, you can insert a call like "subject = ContextManager.getServerSideSubject(subject);" to get the fully-populated Subject.
But it kind of sounds like you're running Tomcat inside Geronimo, in which case you've got a ways yet to go -- I think we want to configure Tomcat fully through GBeans and geronimo-tomcat.xml (or whatever), and not use server.xml, a JAAS config file, or anything like that. If you were at ApacheCon this week, there was a pretty detailed talk about embedding Tomcat. Anyway, I'm not sure if you're working toward this but not there yet, or trying to get it to work in a different configuration.
Aaron
On Sat, 20 Nov 2004, Jeff Genender wrote:
I have semi-successfully gotten Tomcat to use the Geronimo JAAS component. I say semi-successful because I wrote some unit tests, got Tomcat running along with some other security base GBeans, and was able to protect resources in a web application, and access them with the org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm.
However, what does not seem to be working is the group/role side of things. If I protect the resources in the web.xml with the following:
<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>
Then it works as planned. But if I state a particular role/group, it does not work. So I need to see why Tomcat is accepting the authentication piece of this, but not the authorization.
For a synopsis of what I did, I essentially took the BasicSecurityTest and SecurityTest unit tests from Jetty and altered them to work with Tomcat. I then used the war3 test-resource for Jetty to use as a protected web application.
Most of getting this to work was setting configuration files (i.e. the server.xml with an appropriate context, and ensuring the -Djava.security.auth.login.config is set to point at a proper login.config file).
Right now, the context needs to be declared in the server.xml. I don't like this. I need to write a ContextInterceptor so the context can be dynamically loaded from a geronimo-web.xml in the WEB-INF. Hence, after I get the role/group to work, I will write the interceptor, and I think Geronimo JAAS will dynamically work with Tomcat.
For the security experts, please have a look at my unit test and configs below and see if you think I missed anything relative to getting the group to work:
Here is the login.config used by java.security.auth.login.config:
jaasTest {
    org.apache.geronimo.security.jaas.JaasLoginCoordinator required
        realm="demo-properties-realm"
        kernel="geronimo.kernel";
};
In the server.xml:
<Context path="/test" docBase="war3" debug="99" reloadable="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="test_log." suffix=".txt" timestamp="true"/>
  <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
         appName="jaasTest"
         userClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
         roleClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal"/>
</Context>
I used the following code to fire up the necessary GBeans in a unit test:
// JMX names for the container, the test app and the transaction GBeans
containerName = new ObjectName("geronimo.tomcat:role=Container");
containerPatterns = Collections.singleton(containerName);
appName = new ObjectName("geronimo.tomcat:app=test");
tmName = new ObjectName("geronimo.test:role=TransactionManager");
tcmName = new ObjectName("geronimo.test:role=TransactionContextManager");
tcaName = new ObjectName("geronimo.test:role=ConnectionTrackingCoordinator");

// Boot the kernel named in login.config (kernel="geronimo.kernel")
kernel = new Kernel("geronimo.kernel");
kernel.boot();

serverInfoGBean = new GBeanMBean(ServerInfo.GBEAN_INFO);
serverInfoName = new ObjectName("geronimo.system:role=ServerInfo");
serverInfoGBean.setAttribute("baseDirectory", ".");

// Tomcat container GBean, pointed at the server.xml above
container = new GBeanMBean(TomcatGBean.GBEAN_INFO);
container.setAttribute("CatalinaHome", "target/var/catalina");
container.setAttribute("CatalinaBase", "target/var/catalina");
container.setAttribute("CatalinaConfig", "target/var/catalina/conf/server.xml");
container.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));

securityServiceGBean = new GBeanMBean("org.apache.geronimo.security.SecurityService");
securityServiceName = new ObjectName("geronimo.security:type=SecurityService");
securityServiceGBean.setReferencePatterns("Realms",
        Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
securityServiceGBean.setAttribute("policyConfigurationFactory",
        "org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory");

loginServiceGBean = new GBeanMBean("org.apache.geronimo.security.jaas.JaasLoginService");
loginServiceName = new ObjectName("geronimo.security:type=JaasLoginService");
loginServiceGBean.setReferencePatterns("Realms",
        Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
// loginServiceGBean.setAttribute("reclaimPeriod", new Long(1000 * 1000));
loginServiceGBean.setAttribute("algorithm", "HmacSHA1");
loginServiceGBean.setAttribute("password", "secret");

// The realm referenced by realm="demo-properties-realm" in login.config
propertiesRealmGBean = new GBeanMBean("org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm");
propertiesRealmName = new ObjectName("geronimo.security:type=SecurityRealm,realm=demo-properties-realm");
propertiesRealmGBean.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));
propertiesRealmGBean.setAttribute("realmName", "demo-properties-realm");
propertiesRealmGBean.setAttribute("defaultPrincipal", "metro");
propertiesRealmGBean.setAttribute("maxLoginModuleAge", new Long(1 * 1000));
propertiesRealmGBean.setAttribute("usersURI",
        (new File(new File("."), "src/test-resources/data/users.properties")).toURI());
propertiesRealmGBean.setAttribute("groupsURI",
        (new File(new File("."), "src/test-resources/data/groups.properties")).toURI());

start(serverInfoName, serverInfoGBean);
start(propertiesRealmName, propertiesRealmGBean);
start(containerName, container);
start(securityServiceName, securityServiceGBean);
start(loginServiceName, loginServiceGBean);

// Transaction manager, transaction context manager and connection tracking
tm = new GBeanMBean(GeronimoTransactionManager.GBEAN_INFO);
tm.setAttribute("defaultTransactionTimeoutSeconds", new Integer(10));
Set patterns = new HashSet();
patterns.add(ObjectName.getInstance("geronimo.server:j2eeType=JCAManagedConnectionFactory,*"));
tm.setReferencePatterns("ResourceManagers", patterns);
start(tmName, tm);

tcm = new GBeanMBean(TransactionContextManager.GBEAN_INFO);
tcm.setReferencePattern("TransactionManager", tmName);
start(tcmName, tcm);

ctc = new GBeanMBean(ConnectionTrackingCoordinator.GBEAN_INFO);
start(tcaName, ctc);
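The following is an added, self-contained illustration of the authorization symptom discussed in this thread; it is not code from the thread, from Geronimo or from Tomcat. It models the way a JAASRealm-style check recognises principals: a principal is a "user" only if its class is listed in userClassNames and a "role" only if its class is listed in roleClassNames, and the servlet rule that <role-name>*</role-name> matches any authenticated user while a named role must actually be present. The UserPrincipal and GroupPrincipal classes, the user "alan" and the groups "manager" and "it" are constructed stand-ins, not Geronimo's PropertiesFileUserPrincipal/PropertiesFileGroupPrincipal or its properties files. The two Subjects contrast a fully populated server-side Subject (user plus group principals) with one that carries only the single identity principal, which is the situation Aaron describes.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectRoleCheck {

    // Constructed stand-ins for the Geronimo user/group principal classes.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }

    static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "group:" + name; }
    }

    // First principal whose class is in userClassNames, or null if none
    // (i.e. the Subject does not identify an authenticated user).
    static String userOf(Subject subject, Set<String> userClassNames) {
        for (Principal p : subject.getPrincipals()) {
            if (userClassNames.contains(p.getClass().getName())) {
                return p.getName();
            }
        }
        return null;
    }

    // Names of all principals whose class is in roleClassNames.
    static List<String> rolesOf(Subject subject, Set<String> roleClassNames) {
        List<String> roles = new ArrayList<String>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    // Servlet <auth-constraint> semantics: "*" admits any authenticated
    // user; a named role must be carried by the Subject.
    static boolean isAuthorized(Subject subject, Set<String> userClassNames,
                                Set<String> roleClassNames, String requiredRole) {
        if (userOf(subject, userClassNames) == null) {
            return false;               // authentication failed
        }
        if ("*".equals(requiredRole)) {
            return true;                // any authenticated user
        }
        return rolesOf(subject, roleClassNames).contains(requiredRole);
    }

    // Constructed sample: Subject as the server-side login populates it.
    static Subject fullyPopulated() {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal("alan"));
        s.getPrincipals().add(new GroupPrincipal("manager"));
        s.getPrincipals().add(new GroupPrincipal("it"));
        return s;
    }

    // Constructed sample: Subject carrying only the single identity
    // principal handed back to the client.
    static Subject identityOnly() {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal("alan"));
        return s;
    }

    public static void main(String[] args) {
        Set<String> userClasses = new HashSet<String>(
                Arrays.asList(UserPrincipal.class.getName()));
        Set<String> roleClasses = new HashSet<String>(
                Arrays.asList(GroupPrincipal.class.getName()));

        for (Subject s : Arrays.asList(identityOnly(), fullyPopulated())) {
            System.out.println("principals: " + s.getPrincipals());
            System.out.println("  role-name '*'       -> "
                    + isAuthorized(s, userClasses, roleClasses, "*"));
            System.out.println("  role-name 'manager' -> "
                    + isAuthorized(s, userClasses, roleClasses, "manager"));
        }
    }
}
```

Running it shows the identity-only Subject passing the "*" constraint but failing the "manager" constraint, while the fully populated Subject passes both. If the Subject Tomcat sees after login looks like the first one, no roleClassNames setting in the Realm element will help, because there are no group principals in it to match; the fix is on the side that builds the Subject.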
