On Dec 27, 2006, at 11:15 AM, [EMAIL PROTECTED] wrote:
Thanks for the response. I'm using Geronimo 1.1.1 so the password hashing will have to wait for now. That just leaves me with the mapping in the geronimo-web.xml.
Hopefully I'll get this right and won't have to step backward to stand-alone Tomcat.
So here goes.
I have three roles defined in my web.xml: PublicAccessRole,
RestrictedAccessRole, ApplicationAdministrativeRole. The
RestrictedAccessRole will expand to a more granular makeup over time.
These roles have been utilized in the web.xml to define
security-constraints on the specific URL patterns.
I have a users table, with user names and passwords, along with a
user_roles table that defines the user and role combination. Do the
roles defined in the SQL table need to be the same as the role names
used in the web.xml, or is this the whole point of defining the role
mappings in the geronimo.xml? (A layer of abstraction between the web
app and the container) I think this is what you are saying happens:)
exactly
At that point I can easily define the mappings between my web app and
tables. Do I only need to do this role mapping for the
GeronimoGroupPrincipal?
yes
The examples I've followed from DeveloperWorks also utilize GeronimoUserPrincipal, which is what initially confused me.
I think they may have been defining hard coded users in the
geronimo-web.xml at that point that circumvent the database table
users. Do I need to define any GeronimoUserPrincipal definitions in
the geronimo-web.xml?
Not unless you want to give particular users particular app roles.
Also, I presume that I should probably define my PublicAccessRole or a
NoAccessRole as the default-principal.
that sounds reasonable.
Where can I find documentation on the Group/User roles and their usage in the Geronimo containers?
It's a bit difficult to figure out how to document in general since
the principal-role mapping is completely generic and our provided
login modules, while working fine, are not particularly
sophisticated. In particular there isn't very good management of the
identity store in back of our login modules (e.g. the tables the jndi
login module uses). We've sort of assumed that most users will have
a corporate identity management solution in place that comes with one
or more login modules that provide non-geronimo-centric principals
that need to be mapped to the app roles, so that's what the geronimo
security principal-role mapping xml is for.
There's also (theoretically) an option to completely replace the jacc
subsystem with another jacc provider. I've been looking at adapting
the apache directory triplesec project for this purpose.
Thanks for the help. I'd be interested in putting together a public tutorial on this after I get it completely figured out.
All documentation is more than welcome!!
thanks
david jencks
-------- Original Message --------
Subject: Re: JDBC Realms and geronimo-web.xml
From: "Vamsavardhana Reddy" <[EMAIL PROTECTED]>
Date: Tue, December 26, 2006 8:01 pm
To: [email protected]
Hi Mark,
Which version of Geronimo are you using? The "digest=..." option
is supported in 1.2 and not in any previous versions.
Regarding the security constraints, you will typically define one group per role for each of the roles defined in web.xml and use a GeronimoGroupPrincipal with the group name in the role-mapping section of geronimo-web.xml. The role-mapping section in your geronimo-web.xml will look similar to the following:
<security>
  <role-mappings>
    <role role-name="admin"> <!-- This role-name is defined in web.xml -->
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                 name="admin-group"/>
      <!-- The value in the name attribute is from the group mapping in your JDBC realm,
           i.e., from the entries in the groups table. -->
    </role>
  </role-mappings>
</security>
Let me know if this helps or if you need more details.
Vamsi
On 12/27/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: Hi All. A relatively novice Geronimo user here. I'm working on using a security realm to define access in a web application. I've successfully installed Geronimo (Tomcat web container), configured a database pool to a MySQL database, and configured a JDBC Realm to the database pool that successfully authenticated at the completion of the security realm wizard.
I have my Security Roles and Constraints along with the Login-Config defined in my web.xml. I'm kind of lost on how the app roles defined in the web.xml and the roles defined in the user role table get tied together in the geronimo-web.xml. Can someone point me to a tutorial/documentation on this? I've looked in the Geronimo documentation without success. Also, I've been following the IBM DeveloperWorks articles on this, but they don't cover this aspect.
Additionally, what's the appropriate method to turn on password digest hashing when using the JDBC Realm wizard? I presume that a configuration option property like digest=MD5 might work?
Thanks to all! I'm really enjoying working with Geronimo.
Mark Aufdencamp
[EMAIL PROTECTED]
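The thread above turns on three artifacts agreeing with each other: the role names in web.xml, the role-mappings in geronimo-web.xml, and the group names stored in the realm's user_roles table. A mismatch in any one of them (a typo in a group name, a role declared in web.xml but never mapped, a constraint referencing an undeclared role) silently denies access or, worse, leaves a constraint with nobody able to satisfy it while developers test with hard-coded users. The script below is an added example, not code from the thread or from the Geronimo project: it parses a constructed web.xml and geronimo-web.xml (using the element names shown in Vamsi's snippet and the three roles Mark names), reads constructed rows standing in for the user_roles table, resolves each user's effective app roles the way the mapping implies, and reports inconsistencies. The group names, user names and the GeronimoUserPrincipal entry are made up for illustration.

```python
"""Cross-check web.xml roles, geronimo-web.xml role-mappings and the realm's group table."""
import xml.etree.ElementTree as ET

GROUP_PRINCIPAL = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
USER_PRINCIPAL = "org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"

# Constructed web.xml fragment using the three roles named in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ApplicationAdministrativeRole</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>PublicAccessRole</role-name></security-role>
  <security-role><role-name>RestrictedAccessRole</role-name></security-role>
  <security-role><role-name>ApplicationAdministrativeRole</role-name></security-role>
</web-app>"""

# Constructed geronimo-web.xml <security> section; group and user names are made up.
# One app role may be granted to several principals (admins also get RestrictedAccessRole),
# and a GeronimoUserPrincipal grants a role to one particular user, as David describes.
GERONIMO_WEB_XML = """<web-app>
  <security>
    <role-mappings>
      <role role-name="PublicAccessRole">
        <principal class="%(g)s" name="public-group"/>
      </role>
      <role role-name="RestrictedAccessRole">
        <principal class="%(g)s" name="restricted-group"/>
        <principal class="%(g)s" name="admin-group"/>
      </role>
      <role role-name="ApplicationAdministrativeRole">
        <principal class="%(g)s" name="admin-group"/>
        <principal class="%(u)s" name="dave"/>
      </role>
    </role-mappings>
  </security>
</web-app>""" % {"g": GROUP_PRINCIPAL, "u": USER_PRINCIPAL}

# Constructed rows standing in for the realm's user_roles table: (username, groupname).
USER_ROLES = [
    ("alice", "admin-group"),
    ("bob", "restricted-group"),
    ("carol", "publlc-group"),  # deliberate typo: a group no mapping knows about
]


def _local(tag):
    """Strip any XML namespace: '{uri}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All descendants of root whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def declared_roles(web_xml):
    """Roles declared with <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    return {rn.text.strip() for sr in _find_all(root, "security-role")
            for rn in _find_all(sr, "role-name")}


def constrained_roles(web_xml):
    """Roles actually referenced by <auth-constraint> elements."""
    root = ET.fromstring(web_xml)
    return {rn.text.strip() for ac in _find_all(root, "auth-constraint")
            for rn in _find_all(ac, "role-name")}


def role_mappings(geronimo_xml):
    """Return {app role: {"groups": set, "users": set}} from <role-mappings>."""
    root = ET.fromstring(geronimo_xml)
    mapping = {}
    for role in _find_all(root, "role"):
        entry = mapping.setdefault(role.get("role-name"), {"groups": set(), "users": set()})
        for p in _find_all(role, "principal"):
            if p.get("class") == GROUP_PRINCIPAL:
                entry["groups"].add(p.get("name"))
            elif p.get("class") == USER_PRINCIPAL:
                entry["users"].add(p.get("name"))
    return mapping


def effective_roles(user, user_roles, mapping):
    """App roles a user ends up with: via a mapped group or a direct user principal."""
    groups = {g for u, g in user_roles if u == user}
    return {role for role, e in mapping.items() if user in e["users"] or e["groups"] & groups}


def check(web_xml, geronimo_xml, user_roles):
    """Report every way the three artifacts can disagree."""
    declared, used = declared_roles(web_xml), constrained_roles(web_xml)
    mapping = role_mappings(geronimo_xml)
    mapped_groups = {g for e in mapping.values() for g in e["groups"]}
    table_groups = {g for _, g in user_roles}
    return {
        "undeclared_roles": used - declared,                        # constraint nobody can satisfy
        "unmapped_roles": declared - {r for r, e in mapping.items() if e["groups"] or e["users"]},
        "mapped_groups_without_members": mapped_groups - table_groups,  # mapping points nowhere
        "groups_without_mapping": table_groups - mapped_groups,     # table rows grant nothing
    }


if __name__ == "__main__":
    mapping = role_mappings(GERONIMO_WEB_XML)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_roles(user, USER_ROLES, mapping)))
    for finding, items in check(WEB_XML, GERONIMO_WEB_XML, USER_ROLES).items():
        print(finding, sorted(items))
```

Run against the constructed input, the check flags "public-group" as a mapped group no user belongs to and "publlc-group" as a table group that grants no role, which is exactly how a one-letter typo in the user_roles table manifests: carol authenticates fine but ends up with no app role. Point the constants at the real deployment descriptors and a dump of the groups query the realm uses, and the same four findings tell you whether the abstraction layer David describes is wired consistently.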