On May 14, 2007, at 2:24 PM, Christopher Blythe wrote:
> David...
>
> Thanks for the reply... Here are some more specifics. I am working
> with Geronimo 1.1.1 and attempting to add role-based security to
> DayTrader (with the help of Surya Duggirala). He has added the
> necessary security tags to the web.xml and ejb-jar.xml and I am
> simply trying to figure out the deployment plans for Geronimo.
>
> Thus far I have done the following...
>
> Added the security realm to the <web-app> portion of the deployment
> plan to secure a URL in the web archive.
>
> <security-realm-name>daytrader-realm</security-realm-name>
>
> I have also added the following to the <openejb-jar> portion of the
> plan to secure one of the session EJBs.
>
> <security>
>   <default-principal realm-name="daytrader-realm">
>     <principal name="anonymous"
>                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>   </default-principal>
>   <role-mappings>
>     <role role-name="grp1">
>       <realm realm-name="daytrader-realm">
>         <principal name="group1"
>                    class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>       </realm>
>     </role>
>   </role-mappings>
> </security>

You can only specify one <security> element in all the geronimo plans
for an app, and it doesn't really matter where you put it. The
security deployer is supposed to object if it finds more than one,
but it's possible this feature isn't working in that geronimo version.

> When I access the secured URL, I am asked to provide my credentials
> as expected. So, that appears to be working correctly. However, I'm
> not really sure how to verify that my method level permissions on
> the secured Session bean are being respected.
>
> I can access the session bean via a non-secured URL that bypasses
> the security configuration in the war. If the security
> configuration for my ejb was being used, I would expect some form
> of exception to be thrown when I try to access it via my non-secured
> URL (since I have not provided my credentials), but I do
> not. This leads me to believe that I'm missing something.

That sounds fishy, but it's hard to tell without all the security
configuration stuff to look at. Are the secured dds in svn? If not
can you supply them, perhaps attached to a daytrader jira together
with the plan(s) you are trying?

thanks
david jencks

> Any thoughts?
>
> Thanks again...
>
> Chris
>
On 5/14/07, David Jencks <[EMAIL PROTECTED] > wrote:
On May 14, 2007, at 10:33 AM, Christopher Blythe wrote:
> Was wondering if there are any samples or tests for Geronimo that
> use role-based authentication for EJB methods?
>
> More specifically, I was wondering how to configure the role
> mappings in the Geronimo deployment plan. Most of the samples out
> there revolve around the war, but I have not found anything
> relating to the EJB jar.
The role>> permission mapping is specified in the spec dd or via
annotations.
The part in the geronimo plan is a principal<< role mapping which
works the same way for wars and ejb jars.
I don't know if there are easy to find examples. If this doesn't
clear it up can you ask a more specific question?
thanks
david jencks
>
> Thanks...
>
> Chris
>
> --
> "I say never be complete, I say stop being perfect, I say let...
> lets evolve, let the chips fall where they may." - Tyler Durden
--
"I say never be complete, I say stop being perfect, I say let...
lets evolve, let the chips fall where they may." - Tyler Durden
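
An added example, not part of the original thread and not Geronimo or DayTrader code: a small Python check for the two plan-level points discussed above, that only one <security> element may appear across all of an app's Geronimo plans, and that the plan maps principals to the roles the spec deployment descriptor uses. The descriptors are constructed samples; the "admin" role and "ExampleSessionBean" are hypothetical, and elements are matched by local name so no particular plan schema version is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not DayTrader's descriptors. "admin" and
# "ExampleSessionBean" are hypothetical names.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>grp1</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <method-permission><role-name>grp1</role-name>
    <method><ejb-name>ExampleSessionBean</ejb-name><method-name>*</method-name></method>
  </method-permission></assembly-descriptor></ejb-jar>"""
PLANS = {
    "openejb-jar": """<openejb-jar><security><role-mappings>
      <role role-name="grp1"><realm realm-name="daytrader-realm">
        <principal name="group1"
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </realm></role></role-mappings></security></openejb-jar>""",
    "web-app": """<web-app><security-realm-name>daytrader-realm</security-realm-name>
      <security><role-mappings/></security></web-app>""",
}

def find_all(root, name):
    """Match elements by local name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def role_names(root, parent):
    """Text of every <role-name> nested under a <parent> element."""
    return {r.text.strip() for p in find_all(root, parent)
            for r in find_all(p, "role-name") if r.text}

def lint(ejb_jar_xml, plans):
    dd = ET.fromstring(ejb_jar_xml)
    needed = role_names(dd, "security-role") | role_names(dd, "method-permission")
    holders, mapped, findings = [], set(), []
    for plan_name, plan_xml in plans.items():
        for sec in find_all(ET.fromstring(plan_xml), "security"):
            holders.append(plan_name)
            # A role counts as mapped only if it lists at least one principal.
            mapped |= {role.get("role-name") for role in find_all(sec, "role")
                       if find_all(role, "principal")}
    if len(holders) > 1:
        findings.append("multiple <security> elements: " + ", ".join(holders))
    findings += ["role '%s' has no principal mapping" % r for r in sorted(needed - mapped)]
    findings += ["mapped role '%s' is not in ejb-jar.xml" % r for r in sorted(mapped - needed)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(EJB_JAR, PLANS)))
```

Run against the real ejb-jar.xml and every plan packaged with the app; an empty result means one <security> element and a principal mapping for each role the descriptor names.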