support for security roles in web.xml

2004-09-14 Thread Prem kalyan
hi all,


I want to know whether Security Role assignment is supported in web.xml
As in

  Release Notes - Apache Geronimo - Version 1.0-M2
 under
 ** Unimplemented and Unsupported Features
there is 
 * [GERONIMO-174] - Support for security-roles in web.xml

says it's not supported.


I have the following entries in my web.xml. Will the following work in
Geronimo? If it works, please mail me what changes I need to make
and where.


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit0</web-resource-name>
      <url-pattern>/AdminRequestProcessor</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>administrator</role-name>
  </security-role>



The things i configured to get this working 

1. Created a realm plan.

<configuration
    xmlns="http://geronimo.apache.org/xml/ns/deployment"
    configId="org/apache/geronimo/petstore"
    parentId="org/apache/geronimo/Server">

  <gbean name="geronimo.security:type=SecurityRealm,realm=petstore-realm"
         class="org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm">
    <attribute name="realmName" type="java.lang.String">petstore-realm</attribute>
    <attribute name="maxLoginModuleAge" type="long">1</attribute>
    <attribute name="usersURI" type="java.net.URI">var/security/petstore.users.properties</attribute>
    <attribute name="groupsURI" type="java.net.URI">var/security/petstore.groups.properties</attribute>
    <reference name="ServerInfo">geronimo.system:role=ServerInfo</reference>
  </gbean>

  <gbean name="geronimo.security:type=ConfigurationEntry,jaasId=default"
         class="org.apache.geronimo.security.jaas.ConfigurationEntryRealmLocal">
    <attribute name="applicationConfigName" type="java.lang.String">default</attribute>
    <attribute name="realmName" type="java.lang.String">petstore-realm</attribute>
    <attribute name="controlFlag" type="org.apache.geronimo.security.jaas.LoginModuleControlFlag">REQUIRED</attribute>
  </gbean>

  <!-- Jetty Realm that points to the Geronimo Demo Properties File Realm -->
  <gbean name="geronimo.jetty:role=JaasRealm"
         class="org.apache.geronimo.jetty.JAASJettyRealm">
    <reference name="JettyContainer">geronimo.server:type=WebContainer,container=Jetty</reference>
    <attribute name="name" type="java.lang.String">default</attribute>
    <attribute name="loginModuleName" type="java.lang.String">default</attribute>
  </gbean>

</configuration>

2. I included this plan in  incubator-geronimo/modules/assembly/maven.xml
 under this tag.

  <ant:echo>Building petstore configuration</ant:echo>
  <ant:java fork="true" jar="${distDir}/bin/deployer.jar" failonerror="true">
    <ant:jvmarg value="-ea"/>
    <ant:arg value="--install"/>
    <ant:arg value="--plan"/>
    <ant:arg value="target/plan/petstore-plan.xml"/>
  </ant:java>

3. I ran the maven file.

4. I deployed petstore and petstoreAdmin on Geronimo Server.


Problem:

1. When I tried to login under admin application, it gave the following error.

java.lang.NullPointerException
  at org.apache.geronimo.jetty.JettyServer$RealmDelegate.authenticate(JettyServer.java:95)
  at org.mortbay.jetty.servlet.FormAuthenticator$FormCredential.authenticate(FormAuthenticator.java:287)
  at org.mortbay.jetty.servlet.FormAuthenticator.authenticate(FormAuthenticator.java:13
  at org.mortbay.jetty.servlet.ServletHttpContext.jSecurityCheck(ServletHttpContext.java:114)
  at org.mortbay.jetty.servlet.ServletHttpContext.checkSecurityConstraints(ServletHttpContext.java:130)
  at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:411)
  at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:512)
  at org.mortbay.http.HttpContext.handle(HttpContext.java:1442)
  at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:490)
  at org.apache.geronimo.jetty.JettyWebAppContext.handle(JettyWebAppContext.java:173)
  at org.mortbay.http.HttpContext.handle(HttpContext.java:1394)
  at org.mortbay.http.HttpServer.service(HttpServer.java:879)
  at org.mortbay.http.HttpConnection.service(HttpConnection.java:821)
  at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:98
  at org.mortbay.http.HttpConnection.handle(HttpConnection.java:83
  at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:212)
  at
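
An added example, not part of the original message or of Geronimo: a small Python audit of the web.xml entries quoted in the message above (markup restored and wrapped in a web-app root as a constructed sample). It checks that every role used in an auth-constraint is declared in a security-role, and reports two properties of this descriptor: the constraint is limited to the listed HTTP methods, and FORM login is combined with transport-guarantee NONE. The function name audit_web_xml and the finding codes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragments from the message, markup restored
# and wrapped in a <web-app> root so they parse as one document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit0</web-resource-name>
      <url-pattern>/AdminRequestProcessor</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>default</realm-name></login-config>
  <security-role><role-name>administrator</role-name></security-role>
</web-app>"""

def local(tag):
    # Drop any "{namespace}" prefix so namespaced descriptors also match.
    return tag.rsplit("}", 1)[-1]

def texts(node, name):
    # Text of every element called `name` at or below `node`.
    return [(e.text or "").strip() for e in node.iter() if local(e.tag) == name]

def children(node, name):
    return [e for e in node if local(e.tag) == name]

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    declared = {r for sr in children(root, "security-role")
                for r in texts(sr, "role-name")}
    auth_method = next(iter(texts(root, "auth-method")), "")
    findings = []
    for sc in children(root, "security-constraint"):
        where = ",".join(texts(sc, "url-pattern"))
        methods = texts(sc, "http-method")
        if methods:  # only listed methods are covered; unlisted ones are not
            findings.append(("METHODS", f"{where}: constraint covers only {methods}"))
        guarantee = next(iter(texts(sc, "transport-guarantee")), "NONE")
        if guarantee == "NONE" and auth_method in ("FORM", "BASIC"):
            findings.append(("TRANSPORT", f"{where}: {auth_method} credentials may travel over plain HTTP"))
        for role in texts(sc, "role-name"):
            if role != "*" and role not in declared:
                findings.append(("ROLE", f"{where}: role '{role}' has no <security-role>"))
    return findings
```

Calling audit_web_xml(WEB_XML) returns a list of (code, message) tuples; an empty list means none of the three checks fired.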

Re: security role mapping in openejb-jar.xml ?

2004-09-02 Thread Prem kalyan
On Thu, 02 Sep 2004 10:22:03 -0400, Alan Cabrera
[EMAIL PROTECTED] wrote:
 
 
  -Original Message-
  From: Prem kalyan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, September 02, 2004 10:04 AM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: security role mapping in openejb-jar.xml ?
 
  hi all,
 
  I have a few questions on security role mappings. Before that I
  want to put my understanding about security mappings. If there is
  anything wrong in my understanding please let me know.
 
  I think,
 
  1. In ejb-jar.xml we declare security roles in security-role tags.
 
  2. In ejb-jar we specify which methods are accessed by which roles
  using role-name in method-permission.
 
  3. In openejb-jar.xml we associate principals to security roles; by
  this we are allowing all the principals in a role to access those
  methods which the role can access.
 
 So far so good.
 
 
  Qn :-
 
  Why is role mapping part of each EJB? Since we already defined
  what permissions each role has on each EJB (using
  method-permissions), why do it here again?
 
  Isn't it sufficient to map principals to roles in openejb.jar?
 
 
 This level of indirection allows you to take your beans and use them in
 an application server of another vendor, e.g. WebLogic.  The mapping of
 principals to roles is an OpenEJB specific mechanism, hence it is in the
 openejb-jar.xml file.
 
Alan, still my question is not answered or I haven't got ur point.

I got why role mapping has to be inside openejb-jar.xml.

But why does it have to be inside every EJB in openejb-jar.xml?
 
If I have 10 beans, do I have to declare my role mapping in each
and every bean?

Aren't role mappings independent of EJB security? I mean we define
the EJB security in method-permissions using role names. And role
mappings are just to bind principals with role names.


 
 Regards,
 Alan
 
 -
 Visit our Internet site at http://www.reuters.com
 
 Get closer to the financial markets with Reuters Messaging - for more
 information and to register, visit http://www.reuters.com/messaging
 
 Any views expressed in this message are those of  the  individual
 sender,  except  where  the sender specifically states them to be
 the views of Reuters Ltd.
 
 

thanx in advance
-- 
regards,
prem


Re: security role mapping in openejb-jar.xml ?

2004-09-02 Thread Prem kalyan
thanx Alan,

   I have a small question. Just out of curiosity, I may be wrong.

On Thu, 02 Sep 2004 10:54:57 -0400, Alan Cabrera
[EMAIL PROTECTED] wrote:
 
 
  -Original Message-
  From: Prem kalyan [mailto:[EMAIL PROTECTED]
 
  Alan, still my question is not answered or I haven't got ur point.
 
  I got why role mapping has to be inside openejb-jar.xml.
 
  But why does it have to be inside every EJB in openejb-jar.xml?
 
  If I have 10 beans, do I have to declare my role mapping in each
  and every bean?
 
  Aren't role mappings independent of EJB security? I mean we define
  the EJB security in method-permissions using role names. And role
  mappings are just to bind principals with role names.
 
 If you only declare the principal to role mappings once, regardless of
 the number of beans in your jar.

Then why are role-mapping entries part of the EJB? Won't it be
nice to have it outside EJBs, as an independent entry? If it has
any other advantage plz let me know.


thanx in advance,

 

 
 
 
 
 Regards,
 Alan
 
 
 


-- 
regards,
prem


Security Realm deployment

2004-08-30 Thread Prem kalyan
hi All,

I am trying to configure and deploy a security realm on geronimo.
With the help of archive mails on dev list i am able to configure my
own security realm.

for deploying i went through the files in the directory

 incubator-geronimo-1.0-M1/modules/assembly/src/plan/

now , the j2ee-server-plan.xml talks about the Default security realm

Qn 1  :  how can i use other security realm for other applications
option 1 :  do i have to make another entry into
j2ee-server-plan.xml defining new  .   .  
security realm.
  or
 option 2 :  is there another way of deploying it.
  

Qn 2  :  What is the role of j2ee-secure-plan.xml
  it also has another security realm defined what is the
use of that realm?


thanx in advance.
-- 
regards,
prem


Re: help ! security realms

2004-08-26 Thread Prem kalyan
hi Alan , Gianny

 Thanks for the suggestions and the direction. I went through the
security Providers thread but that didn't clear my questions. As far
as my understanding of Realm goes it is
logical grouping of Users, Groups, ACLs, and permissions , is it the
same in geronimo or something else.

  When i went through 
http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]msgNo=8168
 this message archive  , the security realm basically talks about JAAS
modules (LoginContext , LoginModules and Gbeans etc)  , users .

1 .  What about permissions and the ACL context.
2.   Where do we specify all that stuff that went into the Gbean( i
mean do we specify it in DD or do we need to write policy files and
config files for JAAS)
3.   What entries do we need to make in Deployment descriptors.
4.   How are role names related to realm-names (WHY realm PART OF
role-name) in openejbjar.xml's XSD.
 



On Wed, 25 Aug 2004 09:01:18 -0400, Alan Cabrera
[EMAIL PROTECTED] wrote:
 Thanks Gianny.
 
 Prem, you should also visit irc://irc.freenode.net/Geronimo.  This is
 where the Geronimo developers hang out.
 
 Regards,
 Alan
 
 
 
  -Original Message-
  From: Gianny Damour [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 25, 2004 8:04 AM
  To: [EMAIL PROTECTED]
  Subject: Re: help ! security realms
 
  On 25/08/2004 2:43 AM, Prem kalyan wrote:
 
  hi all,
  I am going through the security part of geronimo and the
  corresponding deployment descriptor elements. I have few questions in
  this regard
  
    1. What are all the different security realms supported in geronimo.
    2. What values does the attribute 'realm-name' in tag realm takes.
  
  Hi Prem,
 
  I think that you should have a look to a previous thread named Security
  providers. Alan is describing how the security layer is implemented and
  covers more or less these questions.
 
    3. What is the equivalent in geronimo for filerealm in weblogic.
  
  If you have a look in var/security of a Geronimo installation, you will
  see for instance a users.properties file. This guy is to Geronimo what
  fileRealm.properties is for WebLogic (OK, the WebLogic one does not
  store the password in clear).
 
  Cheers,
  Gianny
 
 
 
 


-- 
regards,
prem


geronimo-ejb-jar.xsd ??

2004-08-26 Thread Prem kalyan
hi,
  1 .  I want to know is there anything called geronimo-ejb-jar.xsd.
  2 .  If yes , where can i find it.
  3 .  does geronimo use open-ejb-jar.xsd or geronimo-ejb-jar.xsd?

i am asking all these questions bcoz i came across


<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:ger="http://geronimo.apache.org/xml/schema/j2ee"
         xsi:schemaLocation="http://geronimo.apache.org/xml/schema/j2ee http://geronimo.apache.org/xml/schema/1.0/j2ee14/geronimo-ejb-jar.xsd"
         version="2.1">
  <class-space name="geronimo.system:role=ClassSpace,name=Test" parent="geronimo.system:role=ClassSpace,name=System"/>
  <security use-context-handler="true">
    <default-principal realm-name="System">
      <principal class="org.apache.geronimo.security.DefaultPrincipal" name="default"/>
    </default-principal>
    <role-mappings>
      <role role-name="ONE">
        <realm realm-name="Foo">
        .
        ..


in the file geronimo-ejb-jar-testRead.xml, which is distributed with
incubator-geronimo-1.0-M1 at
modules/security/src/test-data/xml/deployment.


-- 
regards,
prem