[ https://issues.apache.org/jira/browse/GERONIMO-4553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12680535#action_12680535 ]

David Jencks commented on GERONIMO-4553:
----------------------------------------

I haven't looked at what Joe's patch does yet.

My goal at this point is mostly to notify the user that there is a problem that 
needs further investigation when a duplicate security realm name is defined.  
Supplying them with hints about how to fix it would be even better.  IMO 
however we can't automatically fix the problem they have caused.  On the other 
hand we do need to let them create a duplicate realm because they may need to 
switch from one to another.  After doing so, they will have to edit some 
configuration files by hand.    We could try to automate switching but I don't 
think it is worth the effort because it is too likely that the user will be 
left with no way at all to log on as the old realm has stopped and the new one 
not started in case of any error.

Forrest-- server-security-config is designed to contain everything you will 
want to change if you want to customize the admin security for geronimo.  As 
such it should not have anything removed.  We might want to create a way of 
creating a plugin with everything that is in server-security-config from the 
console.

For trunk I actually have a different plan in mind.  I think we should make the 
security realms scoped to the ancestor plugins of whatever needs the realm, 
just like we do with gbean searches for references.  When I first worked on the 
code I didn't realize it was possible to pass the LoginConfiguration in to the 
LoginContext constructor; however we can use this to prevent interference 
between realms.

> Admin console does not show error when creating duplicate security realm
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4553
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4553
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: console, security
>    Affects Versions: 2.1.4, 2.2
>            Reporter: David Jencks
>            Assignee: Joe Bohn
>             Fix For: 2.1.4, 2.2
>
>
> If you create a security realm with a duplicate name (such as geronimo-admin) 
> using the admin console, everything appears to work in the ui however the 
> command line console shows the error:
> 2009-02-24 09:47:11,123 ERROR [ProxyCollection] Listener threw exception
> java.lang.IllegalArgumentException: ConfigurationEntry named: geronimo-admin already registered
>         at org.apache.geronimo.security.jaas.GeronimoLoginConfiguration.addConfiguration(GeronimoLoginConfiguration.java:112)
>         at org.apache.geronimo.security.jaas.GeronimoLoginConfiguration.memberAdded(GeronimoLoginConfiguration.java:97)
>         at org.apache.geronimo.gbean.runtime.ProxyCollection.addTarget(ProxyCollection.java:102)
>         at org.apache.geronimo.gbean.runtime.GBeanCollectionReference.targetAdded(GBeanCollectionReference.java:96)
>         at org.apache.geronimo.gbean.runtime.GBeanCollectionReference.addTarget(GBeanCollectionReference.java:180)
>         at org.apache.geronimo.gbean.runtime.GBeanCollectionReference$1.running(GBeanCollectionReference.java:110)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:524)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:524)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>         at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>         at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:538)
>         at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>         at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>         at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:585)
>         at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:815)
>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>         at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$150f4df4.startConfiguration(<generated>)
>         at org.apache.geronimo.deployment.plugin.local.StartCommand.run(StartCommand.java:67)
>         at java.lang.Thread.run(Thread.java:613)
> IMO we should allow users to create such duplicate realms but not try to 
> start them but rather show instructions on how to substitute their realm for 
> the existing one, namely:
> - edit var/config/config.xml to have load="false" for the plugin with the 
> existing security realm
> - edit var/config/artifact-aliases.properties to use the new plugin instead 
> of the old plugin
> - edit var/config/config.xml to start the new plugin (this is probably 
> unnecessary as the new one will probably be started due to dependencies)
> I tried this on trunk and a user found it on 2.1.2.
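
The comment's idea of passing a login configuration to the `LoginContext` constructor so that realms cannot interfere, sketched as an added example (not Geronimo code and not part of the comment or the issue). `ScopedConfiguration`, `TagModule` and the backend strings are hypothetical, and `Map.of`/`List.of` assume Java 9 or later.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ScopedRealms {
    /** Hypothetical per-plugin realm registry; not Geronimo's GeronimoLoginConfiguration. */
    static class ScopedConfiguration extends Configuration {
        private final Map<String, AppConfigurationEntry[]> realms = new HashMap<>();

        void addRealm(String name, String backend) {
            AppConfigurationEntry entry = new AppConfigurationEntry(
                TagModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Map.of("backend", backend));
            // Duplicates are still rejected, but only within this one scope.
            if (realms.putIfAbsent(name, new AppConfigurationEntry[] {entry}) != null)
                throw new IllegalArgumentException("realm already registered in scope: " + name);
        }

        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return realms.get(name);
        }
    }

    /** Constructed stand-in login module: records which backend handled the login. */
    public static class TagModule implements LoginModule {
        private Subject subject; private Map<String, ?> options;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; options = opts;
        }
        public boolean login() { return true; }
        public boolean commit() { subject.getPublicCredentials().add(options.get("backend")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    public static void main(String[] args) throws LoginException {
        ScopedConfiguration oldPlugin = new ScopedConfiguration();
        ScopedConfiguration newPlugin = new ScopedConfiguration();
        oldPlugin.addRealm("geronimo-admin", "properties-file");
        newPlugin.addRealm("geronimo-admin", "ldap"); // same realm name, separate scope, no clash
        for (ScopedConfiguration scope : List.of(oldPlugin, newPlugin)) {
            // The explicit Configuration argument bypasses the JVM-wide default configuration.
            LoginContext lc = new LoginContext("geronimo-admin", new Subject(), null, scope);
            lc.login();
            System.out.println(lc.getSubject().getPublicCredentials());
        }
    }
}
```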
