Resent-From: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Date: June 11, 2008 5:03:59 AM PDT
To: [EMAIL PROTECTED]
Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS
LoginModule
Reply-To: [EMAIL PROTECTED]
Hi David,
thank you very much for your assistance. If I understand you right
the
Realm-Name of the Default Security Service is called
"PropertiesLogin".
If I could change that to "vesuv-db-sha256", my problems are solved.
definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2";>
<environment>
<moduleId>
<groupId>console.realm</groupId>
<artifactId>vesuv-db-sha256</artifactId>
<version>1.0</version>
<type>car</type>
</moduleId>
<dependencies>
<dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>j2ee-security</artifactId>
<type>car</type>
</dependency>
<dependency>
<groupId>console.dbpool</groupId>
<artifactId>Postgres.postgres.vesuv</artifactId>
<version>1.0</version>
<type>rar</type>
</dependency>
</dependencies>
</environment>
<gbean name="vesuv-db-sha256"
class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="
http://geronimo.apache.org/xml/ns/deployment-1.2"; xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance";>
<attribute name="realmName">vesuv-db-sha256</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config xmlns:log="
http://geronimo.apache.org/xml/ns/loginconfig-2.0";>
<log:login-module control-flag="REQUIRED"
wrap-principals="false">
<log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
<log:login-module-
class>org.apache.geronimo.security.realm.providers.SQLLoginModule</
log:login-module-class>
<log:option
name="dataSourceName">Postgres.postgres.vesuv</log:option>
<log:option name="encoding">hex</log:option>
<log:option
name="dataSourceApplication">null</log:option>
<log:option name="digest">SHA-256</log:option>
<log:option name="groupSelect">select bla
bla</log:option>
<log:option name="userSelect">select bla
bla</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL"
wrap-principals="false">
<log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
<log:login-module-
class
>
org.apache.geronimo.security.realm.providers.FileAuditLoginModule</
log:login-module-class>
<log:option
name="file">var/log/vesuv-login.log</log:option>
</log:login-module>
<log:login-module control-flag="REQUISITE"
wrap-principals="false">
<log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-
name>
<log:login-module-
class
>
org
.apache
.geronimo
.security.realm.providers.RepeatedFailureLockoutLoginModule</
log:login-module-class>
<log:option name="failureCount">3</log:option>
<log:option name="failurePeriodSecs">180</
log:option>
<log:option
name="lockoutDurationSecs">1800</log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</gbean>
</module>
Session Bean LoginManagerImpl.java
import javax.ejb.*;
import javax.security.auth.login.LoginContext;
import de.nrw.hagen.ggrz.Exception.StdAppException;
import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
import de.nrw.hagen.ggrz.bv.benutzer.*;
import de.nrw.hagen.ggrz.log.Logger;
import javax.security.auth.login.*;
....
/**
* Login beim Container durchfhren lassen mit JAAS.
*
* @param benutzer
* @param kennwort
* @return
*/
public boolean loginContainer(String benutzer, String
kennwort) {
logger.info("Login EJB Container:" + benutzer + "/" +
kennwort);
try {
LoginCallback logcb = new
LoginCallback(benutzer,
kennwort);
LoginContext lc = new
LoginContext("vesuv-db-sha256",logcb);
lc.login();
subject = lc.getSubject();
}
catch (LoginException ex) {
logger.error("Exception bei login:" +
ex.getMessage());
//if (ex.getMessage().equals("SQL error"))
//throw ex;
throw new StdAppException("Exception bei
Login",
ex);
}
}
JUnit-Test Class:
....
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.junit.After;
import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
import de.nrw.hagen.ggrz.login.LoginManager;
import de.nrw.hagen.ggrz.security.Subject;
public class BaseTest {
private String benutzer = "sys";
private String passwort = "chief";
private Subject user = null;
private BenutzerKontext benutzerKontext = null;
private InitialContext initialContext;
public BaseTest() {
initEnvironment();
}
public void initEnvironment() {
System.out.println("------------------
initEnvironment--------------------------");
Properties properties = new Properties();
properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"org.apache.openejb.client.LocalInitialContextFactory");
// Minimum required for login
properties.setProperty(Context.SECURITY_PRINCIPAL,
benutzer);
properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
// Optional param for specifying a specific
Geronimo security realm
properties.put("openejb.authentication.realmName",
"vesuv-db-sha256");
properties.put("openejb.home",
"/home/user/workspace/VesuvUnit/openejb");
properties.put("Postgres.postgres.vesuv",
"new://Resource?type=DataSource");
properties.put("Postgres.postgres.vesuv.JdbcDriver",
"org.postgresql.Driver");
properties.put("Postgres.postgres.vesuv.JdbcUrl",
"jdbc:postgresql://localhost/bgsdev1");
properties.put("Postgres.postgres.vesuv.UserName",
"bgsdev1");
properties.put("Postgres.postgres.vesuv.Password",
"bgsdev1");
properties.put("openjpa.jdbc.SynchronizeMappings",
"false");
properties.put("openjpa.jdbc.Schema", "vesuv");
try {
initialContext = new
InitialContext(properties);
user = readUserFromLogin();
} catch (Exception e) {
e.printStackTrace();
}
}
private Subject readUserFromLogin() {
LoginManager loginManager = null;
try {
loginManager = (LoginManager)
initialContext.lookup("LoginManagerImplLocal");
loginManager.loginContainer(benutzer,
passwort);
} catch (NamingException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
try {
benutzerKontext =
loginManager.bestimmeBenutzerKontext(benutzer);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return new
Subject(benutzerKontext,loginManager.getSubject());
}
....
}
Mit freundlichen Grüßen / Kind regards
Josef Eisele
Direkt: +49 (0) 6131 / 914-180
David Blevins <[EMAIL PROTECTED]>
09.06.2008 22:55
Bitte antworten an
[EMAIL PROTECTED]
An
[EMAIL PROTECTED]
Kopie
Thema
Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
On Jun 9, 2008, at 5:26 AM, [EMAIL PROTECTED] wrote:
Hi David,
thank you very much for the link. I got it twice and I read it
twice ;-)
but it doesn't help concerning my actual problem.
To run our business code it is necessary to login into an
'SecurityService' with user/password/realm and as result there must
be a
Secuity-Object (javax.security.auth.Subject). This Security-
Object is
nessary to invoke our business code. The magic
@RunAs("Employee")won't
work in our case.
If you could give me some more detail here, that'd be great. Both
login and runas result in a javax.security.auth.Subject being
created
by and enforced by the SecurityService. The creation is slightly
different, but the subject is tracked and enforced by the
SecurityService in exactly the same way.
If you have any sample code on what doesn't work that would also be
helpful.
The default implementation from the security service with the
parameters
user/password is fine, but we miss the realm-Parameter. And if we
add it,
the Security Service says
Exception bei Login:Fr vesuv-db-sha256 sind keine Anmeldemodule
konfiguriert.
Anmeldemodule = Login module
The realm in OpenEJB refers to the JAAS LoginModule. The login
module
that is setup in the SecurityServices login.config file is called
"PropertiesLogin". This is the default value for realm when left
unspecified.
If you have a custom javax.security.auth.spi.LoginModule there is a
way to set one up. Let me know if that is what you're trying to do
and I'll see if I can get an example working.
-David
cu Josef
David Blevins <[EMAIL PROTECTED]>
06.06.2008 23:06
Bitte antworten an
[EMAIL PROTECTED]
An
[EMAIL PROTECTED]
Kopie
Thema
Re: Using OpenEJB Security for JAAS LoginModule
Hi Josef,
Looks this post arrived at about the same time as my last
response, so
this might be repeat information :)
This example shows a good technique for unit testing various
security
permissions.
http://openejb.apache.org/3.0/testing-security-example.html
The JNDI login approach isn't really optimal as there is no
"logout"
option and it tends to make a mess of things. With the above
approach
you can wrap your calls with any security context you like and test
accessing your bean via secured and unsecured "clients" and check
that
permissions for various roles are as they need to be.
-David
On Jun 6, 2008, at 1:24 AM, [EMAIL PROTECTED] wrote:
Hi All,
we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
Application. With the great help of David Blevins the JUNIT-
Tests can
invoke our session beans and even Transaction Handling is working
fine.
At the moment I use a trick to avoid the Login-Procedure, but this
won't
work on the long run.
With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
junit-testcase I need therefore anything which can provide me a
javax.security.auth.Subject after successful login. With the
default -
Security Service
<SecurityService id="Default Security Service"/>
and the configuration in users.properties and groups.properties I
get the
error:
Exception bei Login:Fr vesuv-db-sha256 sind keine Anmeldemodule
konfiguriert.
(Anmeldemodule = security realm, I think...)
I tried also PseudoSecurityService, but I got an exception as
well.
JUNIT-Testcase
Properties properties = new
Properties();
....
// Minimum required for login
properties.setProperty(Context.SECURITY_PRINCIPAL,
benutzer);
properties.setProperty(Context.SECURITY_CREDENTIALS,
passwort);
// Optional param for specifying a specific Geronimo
security realm
properties.put("openejb.authentication.realmName",
"vesuv-db-sha256");
properties.put("mySecurityService",
"new://PseudoSecurityService");
....
loginManager = (LoginManager)
initialContext.lookup("LoginManagerImplLocal");
loginManager.loginContainer(benutzer,
passwort);
....
LoginManager-Session Bean:
...
try {
LoginCallback logcb = new
LoginCallback(benutzer,
passwort);
LoginContext lc = new
LoginContext("vesuv-db-sha256",logcb);
lc.login();
subject = lc.getSubject();
}
...
The realm "vesuv-db-sha256" is defined under
Geronimo-Applicationserver-Console Security - Security Realms.
I read http://openejb.apache.org/3.0/security.html, but I don't
understand how to configure the Security for embedded openejb.
Thanx in advance for any help on this.
Mit freundlichen Grüßen / Kind regards
Josef Eisele
Direkt: +49 (0) 6131 / 914-180
BGS Beratungsgesellschaft
Software Systemplanung AG Niederlassung Rhein/Main
Robert-Koch-Straße 41
55129 Mainz
Fon: +49 (0) 6131 / 914-0
Fax: +49 (0) 6131 / 914-400
www.bgs-ag.de Geschäftssitz Mainz
Registergericht
Amtsgericht Mainz
HRB 62 50
Aufsichtsratsvorsitzender
Dr. Wolfgang Trommer
Vorstand
Hanspeter Gau
Hermann Kiefer
Nils Manegold
Heinz-Jörg Zimmermann
BGS Beratungsgesellschaft
Software Systemplanung AG
Niederlassung Rhein/Main
Robert-Koch-Straße 41
55129 Mainz
Fon: +49 (0) 6131 / 914-0
Fax: +49 (0) 6131 / 914-400
www.bgs-ag.de
Geschäftssitz Mainz
Registergericht
Amtsgericht Mainz
HRB 62 50
Aufsichtsratsvorsitzender
Dr. Wolfgang Trommer
Vorstand
Hanspeter Gau
Hermann Kiefer
Nils Manegold
Heinz-Jörg Zimmermann
BGS Beratungsgesellschaft
Software Systemplanung AG Niederlassung Rhein/Main
Robert-Koch-Straße 41
55129 Mainz
Fon: +49 (0) 6131 / 914-0
Fax: +49 (0) 6131 / 914-400
www.bgs-ag.de Geschäftssitz Mainz
Registergericht
Amtsgericht Mainz
HRB 62 50
Aufsichtsratsvorsitzender
Dr. Wolfgang Trommer
Vorstand
Hanspeter Gau
Hermann Kiefer
Nils Manegold
Heinz-Jörg Zimmermann
