Re: Geronimo role security

[David Jencks]

As you can probably tell from my actions re GERONIMO-3357, I can't  
reproduce this problem, and I even wrote a test app to look into it.   
Can you compare what you are doing and the results you are getting to  
the testsuite/enterprise-testsuite/sec-test app now present in g. 2.0  
and trunk?

My experience is that to build the ear you have to run
mvn -Pchild
and then you can run the tests with
mvn

which runs the tests and then rebuilds the ear (???!?!!!?!??)

thanks
david jencks

On Jul 26, 2007, at 12:01 PM, Aman Nanner/MxI Technologies wrote:

Ok, the "hiccup" during EAR deployment goes away if the security  
realm is
first deployed "system-wide" outside of the EAR.

However, the TomcatGeronimoRealm still doesn't seem to access the  
run-as
subject....


David Jencks <[EMAIL PROTECTED]> wrote on 07-19-2007 12:24:21 PM:


On Jul 19, 2007, at 9:06 AM, Aman Nanner/MxI Technologies wrote:

The fake EAR did start ok.

I can try deploying the realm as a plain GBean plan, but I'm not
sure how
to go about doing this as I've only been deploying J2EE modules to
this
point (EAR, WAR, etc.).  Is there some good documentation on how to
deploy
a plain GBean to the 2.0 server according to a plan file?

What ought to work, although I haven't checked it in a very very long
time is...

1. copy the dependency jars into appropriate places in the  
geronimo repo
2a. deploy using the command line deployer just listing the plan
or
2b. deploy using the console only filling in the plan box

If either one of these doesn't work we should fix it before 2.0 IMO.

thanks
david jencks


Thanks,
Aman



David Jencks <[EMAIL PROTECTED]> wrote on 07-18-2007  
05:00:23 PM:

it should be able to, but maybe I'm missing something.  The "fake"
ear started ok?

I was thinking you could just deploy a plain gbean plan with
dependencies on the jars that have the security classes, similar to
the built in server-security-config.

If you can get on IRC we might be able to make faster progress,
although email is fine if you can't.

thanks
david jencks


On Jul 18, 2007, at 1:43 PM, Aman Nanner/MxI Technologies wrote:

I declared the security realm in a separate EAR, and then put a
dependency
on that EAR from my real EAR, but it didn't solve the problem.  In
fact,
the realm lookup failed both the first time and the second time
(instead of
succeeding the second time).  Can an EAR access a Realm declared
within
another EAR when the first EAR is dependent upon the second EAR?


David Jencks <[EMAIL PROTECTED]> wrote on 07-18-2007
04:08:09 PM:

Urrk, I'm trying to do too many things at once today :-(

Could you try putting the security realm in a separate
configuration
and putting that in as a dependency for the ear?  If we can  
see if
that eliminates the hiccup and whether that helps find the run-as
subject it would be very helpful

then we'll know how many problems there are to solve :-)

thanks
david jencks

On Jul 18, 2007, at 12:30 PM, Aman Nanner/MxI Technologies wrote:

I tried out the solution, but I'm still having problems in that
the
JSP is
not running under the desired "run-as" role.  I cannot see in  
the
TomcatGeronimoRealm where this "run-as" role is being set, or if
it is
accessing the credential store to get the run-as subject.

The actual configuration of the credential store seemed to work
fine,
except for one hiccup.

I am deploying a custom security realm as part of my EAR that I
call
"TestingRealm".  It seems that the getSubject(...) method on the
CredentialStore GBean is called twice.  The first time it is
called, fails
because the LoginModule for my custom realm is not "registered".
The
second time the getSubject(...) method is called, the login
succeeds
because my LoginModule IS registered at this time.

This is the stack trace the first time when the call fails:

14:29:13,782 ERROR [GBeanInstanceState] Error while starting;
GBean
is now
in the FAILED state:
abstractName="Mxi/Testing/1/ear?J2EEApplication=Mxi/Testing/1/
ear,j2eeType=JACCManager,name=JACCManager"
javax.security.auth.login.LoginException: No LoginModules
configured for
TestingRealm
      at javax.security.auth.login.LoginContext.init
(LoginContext.java:256)
      at
javax.security.auth.login.LoginContext.<init>(LoginContext.java:
367)
      at
javax.security.auth.login.LoginContext.<init>(LoginContext.java:
444)
      at
org.apache.geronimo.security.credentialstore.SimpleCredentialSto 
re
Im
pl
.getSubject(SimpleCredentialStoreImpl.java:82)
      at
org.apache.geronimo.security.credentialstore.SimpleCredentialSto 
re
Im
pl
$$FastClassByCGLIB$$ebe13f46.invoke(<generated>)
      at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:
53)
      at
org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke
(FastMethodInvoker.java:38)
      at
org.apache.geronimo.gbean.runtime.GBeanOperation.invoke
(GBeanOperation.java:127)
      at
org.apache.geronimo.gbean.runtime.GBeanInstance.invoke
(GBeanInstance.java:830)
      at
org.apache.geronimo.gbean.runtime.RawInvoker.invoke
(RawInvoker.java:
57)
      at
org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke
(RawOperationInvoker.java:35)
      at
org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercep 
t
(ProxyMethodInterceptor.java:96)
      at
org.apache.geronimo.security.credentialstore.CredentialStore$
$EnhancerByCGLIB$$c06097c7.getSubject(<generated>)
      at
org.apache.geronimo.security.jacc.ApplicationPolicyConfiguration 
Ma
na
ge
r.<init>(ApplicationPolicyConfigurationManager.java:121)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0
(Native
Method)
      at
sun.reflect.NativeConstructorAccessorImpl.newInstance
(NativeConstructorAccessorImpl.java:39)
      at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance
(DelegatingConstructorAccessorImpl.java:27)
      at java.lang.reflect.Constructor.newInstance
(Constructor.java:
494)
      at
org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance
(GBeanInstance.java:946)
      at
org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFull 
St
ar
t(
GBeanInstanceState.java:268)
      at
org.apache.geronimo.gbean.runtime.GBeanInstanceState.start
(GBeanInstanceState.java:102)
      at
org.apache.geronimo.gbean.runtime.GBeanInstance.start
(GBeanInstance.java:539)
      at
org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullSta 
rt
(GBeanDependency.java:111)
      at
org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget
(GBeanDependency.java:146)
      at
org.apache.geronimo.gbean.runtime.GBeanDependency$1.running
(GBeanDependency.java:120)
      at
org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunni 
ng
Ev
en
t(BasicLifecycleMonitor.java:176)
      at
org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access 
$300
(BasicLifecycleMonitor.java:44)
      at
org.apache.geronimo.kernel.basic.BasicLifecycleMonitor
$RawLifecycleBroadcaster.fireRunningEvent
(BasicLifecycleMonitor.java:254)
      at
org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFull 
St
ar
t(
GBeanInstanceState.java:294)
      at
org.apache.geronimo.gbean.runtime.GBeanInstanceState.start
(GBeanInstanceState.java:102)
      at
org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecurs 
iv
e
(GBeanInstanceState.java:124)
      at
org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive
(GBeanInstance.java:553)
      at
org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean
(BasicKernel.java:379)
      at
org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigu 
ra
ti
on
GBeans(ConfigurationUtil.java:448)
      at
org.apache.geronimo.kernel.config.KernelConfigurationManager.sta 
rt
(KernelConfigurationManager.java:187)
      at
org.apache.geronimo.kernel.config.SimpleConfigurationManager.sta 
rt
Co
nf
iguration(SimpleConfigurationManager.java:530)
               ......


The call succeeds the second time.  It seems that the
ApplicationPolicyConfigurationManager GBean is started twice  
which
results
in the two calls?

Below is the fragment of my geronimo-application.xml where I
define
the
security policy:

----------
   <security:security>
         <security:credential-store>
             <security:pattern>
                 <sys:name
xmlns="http://geronimo.apache.org/xml/ns/
deployment-1.2">MyCredentialStore</sys:name>
             </security:pattern>
         </security:credential-store>
      <security:role-mappings>
         <security:role role-name="TESTSYSTEM">
            <security:run-as-subject>
             <security:realm>TestingRealm</security:realm>
             <security:id>test-system</security:id>
            </security:run-as-subject>
            <security:realm realm-name="TestingRealm">
               <security:principal
class="org.apache.geronimo.security.realm.providers.GeronimoGrou 
pP
ri
nc
ipal"
name="TESTSYSTEM" />
            </security:realm>
         </security:role>
      </security:role-mappings>
   </security:security>
   <sys:gbean name="TestingRealm"
class="org.apache.geronimo.security.realm.GenericSecurityRealm">
      <sys:attribute name="realmName">TestingRealm</ 
sys:attribute>
      <sys:reference name="ServerInfo">
         <sys:name>ServerInfo</sys:name>
      </sys:reference>
      <sys:xml-reference name="LoginModuleConfiguration">
         <log:login-config
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0";>
            <log:login-module control-flag="REQUIRED"
wrap-principals="false">
               <log:login-domain-name>TestingRealm</log:login-
domain-name>

<log:login-module- 
class>com.testing.security.TestingLoginModule</
log:login-module-class>
               <log:option name="userSelect">SELECT username,
password FROM
utl_user WHERE username=?</log:option>
               <log:option
name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
               <log:option name="groupSelect">SELECT name,
'TESTSYSTEM' as
role_name FROM dual</log:option>
               <log:option
name="dataSourceName">com/testing/jdbc/TestDS</log:option>
            </log:login-module>
         </log:login-config>
      </sys:xml-reference>
   </sys:gbean>
   <sys:gbean name="MyCredentialStore"
class="org.apache.geronimo.security.credentialstore.SimpleCreden 
ti
al
St
oreImpl">
      <xml-attribute name="credentialStore">
         <credential-store
xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0";>
            <!-- uncomment this and the default subject in the
jettty> console plan gives you admin console permissions -->
            <realm name="TestingRealm">
               <subject>
                   <id>test-system</id>
                   <credential>

<type>org.apache.geronimo.security.credentialstore.NameCallbackH 
an
dl
er
</type>
                      <value>ananner</value>
                   </credential>
                   <credential>

<type>org.apache.geronimo.security.credentialstore.PasswordCallb 
ac
kH
an
dler</type>
                      <value>password</value>
                   </credential>
               </subject>
            </realm>
         </credential-store>
      </xml-attribute>
   </sys:gbean>
----------



David Jencks <[EMAIL PROTECTED]> wrote on 07-18-2007
03:57:36 AM:

run-as handling is completely different in 2.0.  Instead of
constructing a subject out of xml, the run-as subject comes  
from
logging into a login module just like any other subject.  You
have to
do several things:

-- set up a security realm so the desired subject can in  
fact be
created by logging in as someone
-- set up a gbean that describes how to login as this subject,
such as

     <gbean name="CredentialStore"
class="org.apache.geronimo.security.credentialstore.SimpleCrede 
nt
ia
lS
tor
eImpl">
         <xml-attribute name="credentialStore">
             <credential-store xmlns="http:// 
geronimo.apache.org/
xml/
ns/credentialstore-1.0">
                 <!-- uncomment this and the default subject
in>>>> the>> jettty console plan gives you admin console  
permissions -->
                 <realm name="geronimo-admin">
                     <subject>
                         <id>default</id>
                         <credential>

<type>org.apache.geronimo.security.credentialstore.NameCallback 
Ha
nd
le
r</
type>
                             <value>system</value>
                         </credential>
                         <credential>

<type>org.apache.geronimo.security.credentialstore.PasswordCall 
ba
ck
Ha
ndl
er</type>
                             <value>manager</value>
                         </credential>
                     </subject>
                 </realm>
             </credential-store>
         </xml-attribute>
     </gbean>

Note that you have to supply the password here.  You can
override the
existing CredentialStore gbean in server-security-config in
config.xml or create your own, perhaps in the geronimo plan for
your
app.

-- in the geronimo security configuration for the role,  
indicate
the
run-as subject (and default subject if you want one) by its
realm and
id as indicated in the CredentialStore gbean:

     <security>
         <credential-store>
             <pattern>
                 <name xmlns="http://geronimo.apache.org/xml/ 
ns/
deployment-1.2">MyCredentialStore</name>
             </pattern>
         </credential-store>
         <!--<default-subject>-->
             <!--<realm>geronimo-admin</realm>-->
             <!--<id>default</id>-->
         <!--</default-subject>-->
         <role-mappings>
             <role role-name="admin">
                 <run-as-subject>
                     <realm>geronimo-admin</realm>
                     <id>default</id>
                 </run-as-subject>
                 <realm realm-name="geronimo-admin">
                     <principal
class="org.apache.geronimo.security.realm.providers.GeronimoGro 
up
Pr
in
cip
al" name="admin"/>
                 </realm>
             </role>
         </role-mappings>
     </security>

I think that other than myself you are the first person to try
this
out so your comments would be definitely appreciated.

See also https://issues.apache.org/jira/browse/GERONIMO-2687

thanks
david jencks

On Jul 17, 2007, at 8:15 PM, Aman Nanner/MxI Technologies  
wrote:

It would appear that the
TomcatGeronimoRealm.hasResourcePermission
(...)
method does not apply the <run-as> role if one is defined.  If
this
indeed
the case, then I believe this is a bug....

Aman Nanner/MxI Technologies <[EMAIL PROTECTED]> wrote on
07-17-2007
10:55:23 PM:


Hi,

I'm using the latest Geronimo 2.0 snapshot from the
codebase.  I
understand
that security has changed somewhat from Geronimo 1.2.  I'm
running
into
an
issue where I have a JSP with a specific "run-as" role
calling a
secured
EJB.  This JSP has its run-as role defined in the web.xml as
follows:

----
   <servlet>
      <servlet-name>MessagePage</servlet-name>
      <jsp-file>/common/Message.jsp</jsp-file>
      <run-as>
         <role-name>TESTSYSTEM</role-name>
      </run-as>
   </servlet>
----


 I have a default run-as role mapped in my geronimo-
application.xml in my
EAR as follows:

----
   <security:security>
      <security:default-principal>
         <security:principal

class="org.apache.geronimo.security.realm.providers.GeronimoUs 
er
Pr
in
ci
pal"
name="" />
      </security:default-principal>
      <security:role-mappings>
         <security:role role-name="TESTSYSTEM">
            <security:principal

class="org.apache.geronimo.security.realm.providers.GeronimoUs 
er
Pr
in
ci
pal"
name="test-system" designated-run-as="true" />
         </security:role>
      </security:role-mappings>
   </security:security>
----

This used to work in Geronimo 1.2, but it appears now that  
the
JSP
does
not
run with the run-as principal; rather it seems that it runs
with no
principals.  Therefore, the call to the secured EJB causes a
security
access exception.  Is this supposed to work the same way in
Geronimo 2.0?
If so, then maybe this is a problem in Tomcat ....

Thanks,
Aman


______________________________________________________________ 
__
__
__
__
____________

* This message is intended only for the use of the
individual or
entity to which it is addressed, and may contain information
that is
privileged, confidential and exempt from disclosure under
applicable
law. Unless you are the addressee (or authorized to receive
for the
addressee), you may not use, copy or disclose the message or
any
information contained in the message. If you have received  
this
message in error, please advise the sender by reply e-mail ,
and
delete the message, or call (collect) 001 613 747 4698. *


______________________________________________________________ 
__
__
__
__
____________
* This message is intended only for the use of the  
individual or
entity to which it is addressed, and may contain information
that
is privileged, confidential and exempt from disclosure under
applicable law. Unless you are the addressee (or authorized to
receive for the addressee), you may not use, copy or disclose
the
message or any information contained in the message. If you  
have
received this message in error, please advise the sender by
reply e-
mail , and delete the message, or call (collect) 001 613 747
4698. *



________________________________________________________________ 
__
__
__
____________
* This message is intended only for the use of the individual or
entity to which it is addressed, and may contain information  
that
is privileged, confidential and exempt from disclosure under
applicable law. Unless you are the addressee (or authorized to
receive for the addressee), you may not use, copy or disclose  
the
message or any information contained in the message. If you have
received this message in error, please advise the sender by
reply e-
mail , and delete the message, or call (collect) 001 613 747
4698. *



__________________________________________________________________ 
__
__
____________
* This message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that
is privileged, confidential and exempt from disclosure under
applicable law. Unless you are the addressee (or authorized to
receive for the addressee), you may not use, copy or disclose the
message or any information contained in the message. If you have
received this message in error, please advise the sender by  
reply e-
mail , and delete the message, or call (collect) 001 613 747  
4698. *



____________________________________________________________________ 
__
____________
* This message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that
is privileged, confidential and exempt from disclosure under
applicable law. Unless you are the addressee (or authorized to
receive for the addressee), you may not use, copy or disclose the
message or any information contained in the message. If you have
received this message in error, please advise the sender by reply e-
mail , and delete the message, or call (collect) 001 613 747 4698. *



______________________________________________________________________ 
____________
* This message is intended only for the use of the individual or  
entity to which it is addressed, and may contain information that  
is privileged, confidential and exempt from disclosure under  
applicable law. Unless you are the addressee (or authorized to  
receive for the addressee), you may not use, copy or disclose the  
message or any information contained in the message. If you have  
received this message in error, please advise the sender by reply e- 
mail , and delete the message, or call (collect) 001 613 747 4698. *