support for security roles in web.xml
hi all,

I want to know whether Security Role assignment is supported in web.xml. As in Release Notes - Apache Geronimo - Version 1.0-M2, under ** Unimplemented and Unsupported Features, there is * [GERONIMO-174] - Support for security-roles in web.xml, which says it's not supported.

I have the following entries in my web.xml. Will the following work in Geronimo? If it works, please mail me what changes I need to make and where.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecureBit0</web-resource-name>
        <url-pattern>/AdminRequestProcessor</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>administrator</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>default</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>administrator</role-name>
    </security-role>

The things I configured to get this working:

1. Created a realm plan.

    <configuration xmlns="http://geronimo.apache.org/xml/ns/deployment"
        configId="org/apache/geronimo/petstore"
        parentId="org/apache/geronimo/Server">
      <gbean name="geronimo.security:type=SecurityRealm,realm=petstore-realm"
          class="org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm">
        <attribute name="realmName" type="java.lang.String">petstore-realm</attribute>
        <attribute name="maxLoginModuleAge" type="long">1</attribute>
        <attribute name="usersURI" type="java.net.URI">var/security/petstore.users.properties</attribute>
        <attribute name="groupsURI" type="java.net.URI">var/security/petstore.groups.properties</attribute>
        <reference name="ServerInfo">geronimo.system:role=ServerInfo</reference>
      </gbean>
      <gbean name="geronimo.security:type=ConfigurationEntry,jaasId=default"
          class="org.apache.geronimo.security.jaas.ConfigurationEntryRealmLocal">
        <attribute name="applicationConfigName" type="java.lang.String">default</attribute>
        <attribute name="realmName" type="java.lang.String">petstore-realm</attribute>
        <attribute name="controlFlag" type="org.apache.geronimo.security.jaas.LoginModuleControlFlag">REQUIRED</attribute>
      </gbean>
      <!-- Jetty Realm that points to the Geronimo Demo Properties File Realm -->
      <gbean name="geronimo.jetty:role=JaasRealm"
          class="org.apache.geronimo.jetty.JAASJettyRealm">
        <reference name="JettyContainer">geronimo.server:type=WebContainer,container=Jetty</reference>
        <attribute name="name" type="java.lang.String">default</attribute>
        <attribute name="loginModuleName" type="java.lang.String">default</attribute>
      </gbean>
    </configuration>

2. I included this plan in incubator-geronimo/modules/assembly/maven.xml under this tag.

    <ant:echo>Building petstore configuration</ant:echo>
    <ant:java fork="true" jar="${distDir}/bin/deployer.jar" failonerror="true">
      <ant:jvmarg value="-ea"/>
      <ant:arg value="--install"/>
      <ant:arg value="--plan"/>
      <ant:arg value="target/plan/petstore-plan.xml"/>
    </ant:java>

3. I ran the maven file.

4. I deployed petstore and petstoreAdmin on Geronimo Server.

Problem:

1. When I tried to login under admin application, it gave the following error.

    java.lang.NullPointerException
        at org.apache.geronimo.jetty.JettyServer$RealmDelegate.authenticate(JettyServer.java:95)
        at org.mortbay.jetty.servlet.FormAuthenticator$FormCredential.authenticate(FormAuthenticator.java:287)
        at org.mortbay.jetty.servlet.FormAuthenticator.authenticate(FormAuthenticator.java:13
        at org.mortbay.jetty.servlet.ServletHttpContext.jSecurityCheck(ServletHttpContext.java:114)
        at org.mortbay.jetty.servlet.ServletHttpContext.checkSecurityConstraints(ServletHttpContext.java:130)
        at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:411)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:512)
        at org.mortbay.http.HttpContext.handle(HttpContext.java:1442)
        at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:490)
        at org.apache.geronimo.jetty.JettyWebAppContext.handle(JettyWebAppContext.java:173)
        at org.mortbay.http.HttpContext.handle(HttpContext.java:1394)
        at org.mortbay.http.HttpServer.service(HttpServer.java:879)
        at org.mortbay.http.HttpConnection.service(HttpConnection.java:821)
        at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:98
        at org.mortbay.http.HttpConnection.handle(HttpConnection.java:83
        at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:212)
        at
Re: securiy role mapping in openejb-jar.xml ?
On Thu, 02 Sep 2004 10:22:03 -0400, Alan Cabrera [EMAIL PROTECTED] wrote:

-Original Message-
From: Prem kalyan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:04 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: securiy role mapping in openejb-jar.xml ?

hi all,

I have few questions on security role mappings. Before that I want to put my understanding about security mappings. If there is anything wrong in my understanding please let me know.

I think,

1. In ejb-jar.xml we declare security roles in security-role tags.
2. In ejb-jar we specify which methods are accessed by which roles using role-name in method-permission.
3. In openejb-jar.xml we associate principals to security roles, by this we are allowing all the principals in a role to access those methods which the role can access.

So far so good.

Qn: Why role mappings is part of each EJB. Since we already defined what permissions does each role have on each ejb (using method-permissions) why doing it here again. Isn't it sufficient to map principals to roles in openejb.jar?

This level of indirection allows you to take your beans and use them in an application server of another vendor, e.g. WebLogic. The mapping of principals to roles is an OpenEJB specific mechanism, hence it is in the openejb-jar.xml file.

Alan

still my question is not answered or I haven't got ur point. I got why role mapping have to be inside openejb-jar.xml, but why it has to inside every EJB in openejb-jar.xml. If I have 10 beans do I have to declare my role mapping in each and every bean. Aren't role mappings independent of ejb security. I mean we define the ejb security in method-permissions using role names. And role mappings is just to bind principals with a role names.

Regards,
Alan

Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

thanx in advance

--
regards,
prem
Re: securiy role mapping in openejb-jar.xml ?
thanx Alan,

I have small question. Just out of curiosity, I may be wrong.

On Thu, 02 Sep 2004 10:54:57 -0400, Alan Cabrera [EMAIL PROTECTED] wrote:

-Original Message-
From: Prem kalyan [mailto:[EMAIL PROTECTED]

On Thu, 02 Sep 2004 10:22:03 -0400, Alan Cabrera [EMAIL PROTECTED] wrote:

-Original Message-
From: Prem kalyan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 10:04 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: securiy role mapping in openejb-jar.xml ?

hi all,

I have few questions on security role mappings. Before that I want to put my understanding about security mappings. If there is anything wrong in my understanding please let me know.

I think,

1. In ejb-jar.xml we declare security roles in security-role tags.
2. In ejb-jar we specify which methods are accessed by which roles using role-name in method-permission.
3. In openejb-jar.xml we associate principals to security roles, by this we are allowing all the principals in a role to access those methods which the role can access.

So far so good.

Qn: Why role mappings is part of each EJB. Since we already defined what permissions does each role have on each ejb (using method-permissions) why doing it here again. Isn't it sufficient to map principals to roles in openejb.jar?

This level of indirection allows you to take your beans and use them in an application server of another vendor, e.g. WebLogic. The mapping of principals to roles is an OpenEJB specific mechanism, hence it is in the openejb-jar.xml file.

Alan

still my question is not answered or I haven't got ur point. I got why role mapping have to be inside openejb-jar.xml, but why it has to inside every EJB in openejb-jar.xml. If I have 10 beans do I have to declare my role mapping in each and every bean. Aren't role mappings independent of ejb security. I mean we define the ejb security in method-permissions using role names. And role mappings is just to bind principals with a role names.

If you only declare the principal to role mappings once, regardless of the number of beans in your jar.

Then why role-mapping entries part of ejb. Won't it be nice to have it outside EJB's, as an independent entry. If it has any other advantage plz let me know

thanx in advance,

Regards,
Alan

--
regards,
prem
Security Realm deployment
hi All,

I am trying to configure and deploy a security realm on geronimo. With the help of archive mails on dev list I am able to configure my own security realm. For deploying I went through the files in the directory incubator-geronimo-1.0-M1/modules/assembly/src/plan/

Now, the j2ee-server-plan.xml talks about the Default security realm.

Qn 1: how can I use other security realm for other applications

option 1: do I have to make another entry into j2ee-server-plan.xml defining new . . security realm.

or

option 2: is there another way of deploying it.

Qn 2: What is the role of j2ee-secure-plan.xml? It also has another security realm defined; what is the use of that realm?

thanx in advance.

--
regards,
prem
Re: help ! security realms
hi Alan, Gianny

Thanks for the suggestions and the direction. I went through the security Providers thread but that didn't clear my questions.

As far as my understanding of Realm goes it is logical grouping of Users, Groups, ACLs, and permissions, is it the same in geronimo or something else.

When I went through http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]msgNo=8168 this message archive, the security realm basically talks about JAAS modules (LoginContext, LoginModules and Gbeans etc), users.

1. What about permissions and the ACL context.
2. Where do we specify all that stuff that went into the Gbean (I mean do we specify it in DD or do we need to write policy files and config files for JAAS)
3. What entries do we need to make in Deployment descriptors.
4. How are role names related to realm-names (WHY realm PART OF role-name) in openejbjar.xml's XSD.

On Wed, 25 Aug 2004 09:01:18 -0400, Alan Cabrera [EMAIL PROTECTED] wrote:

Thanks Gianny. Prem, you should also visit irc://irc.freenode.net/Geronimo. This is where the Geronimo developers hang out.

Regards,
Alan

-Original Message-
From: Gianny Damour [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 25, 2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: Re: help ! security realms

On 25/08/2004 2:43 AM, Prem kalyan wrote:

hi all,

I am going through the security part of geronimo and the corresponding deployment descriptor elements. I have few questions in this regard

1. What are all the different security realms supported in geronimo.
2. What values does the attribute 'realm-name' in tag realm takes.

Hi Prem,

I think that you should have a look to a previous thread named Security providers. Alan is describing how the security layer is implemented and covers more or less these questions.

3. What is the equivalent in geronimo for filerealm in weblogic.

If you have a look in var/security of a Geronimo installation, you will see for instance a users.properties file. This guy is to Geronimo what fileRealm.properties is for WebLogic (OK, the WebLogic one does not store the password in clear).

Cheers,
Gianny

--
regards,
prem
geronimo-ejb-jar.xsd ??
hi,

1. I want to know is there anything called geronimo-ejb-jar.xsd.
2. If yes, where can I find it.
3. Does geronimo use open-ejb-jar.xsd or geronimo-ejb-jar.xsd?

I am asking all these questions bcoz I came across

    <ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:ger="http://geronimo.apache.org/xml/schema/j2ee"
        xsi:schemaLocation="http://geronimo.apache.org/xml/schema/j2ee http://geronimo.apache.org/xml/schema/1.0/j2ee14/geronimo-ejb-jar.xsd"
        version="2.1">
      <class-space name="geronimo.system:role=ClassSpace,name=Test" parent="geronimo.system:role=ClassSpace,name=System"/>
      <security use-context-handler="true">
        <default-principal realm-name="System">
          <principal class="org.apache.geronimo.security.DefaultPrincipal" name="default"/>
        </default-principal>
        <role-mappings>
          <role role-name="ONE">
            <realm realm-name="Foo">
            . ..

in the file geronimo-ejb-jar-testRead.xml, which is distributed with incubator-geronimo-1.0-M1 at modules/security/src/test-data/xml/deployment.

--
regards,
prem