On Dec 18, 2007, at 2:07 PM, Brian Dellert wrote:
Thanks for the prompt response.
Could you elaborate a bit on how to "Deploy this plan into your geronimo
server", or point me to some documentation which describes how to
package and deploy a "config module"? I'm relatively new to geronimo,
and haven't deployed artifacts other than ear files, war files, etc.
Thanks.
Yup, my response was a bit hard to follow ... even the plan I told you to
modify is hard to find in 2.0.2 unless you build geronimo yourself. I
tried this out using a new moduleId of o.a.g.configs/
server-security-config2/2.0.2/car. Here's the plan with a few comments
marked with "DAJ" about what to change:
<?xml version="1.0" encoding="UTF-8"?>
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version
2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
See the License for the specific language governing permissions and
limitations under the License.-->
<!--$Rev: 554977 $ $Date: 2007-07-10 08:32:56 -0700 (Tue, 10 Jul 2007)
$-->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2";>
<environment>
<!--DAJ Change the module ID to something related to your project -->
<moduleId>
<groupId>org.apache.geronimo.configs</groupId>
<artifactId>server-security-config</artifactId>
<version>2.0.2</version>
<type>car</type>
</moduleId>
<dependencies>
<dependency>
<groupId>org.apache.geronimo.configs</groupId>
<artifactId>j2ee-security</artifactId>
<type>car</type>
</dependency>
<!--DAJ include a dependency on your jar here; you'll need to put your
jar somewhere in the geronimo repo so this will point to something that
exists. This would look just like what you tried in the
geronimo-application.xml -->
</dependencies>
<hidden-classes/>
<non-overridable-classes/>
</environment>
<!--DAJ include your security realm gbean here -->
<gbean name="CredentialStore"
class="org.apache.geronimo.security.credentialstore.SimpleCredentialStor
eImpl">
<xml-attribute name="credentialStore">
<credential-store xmlns="http://geronimo.apache.org/xml/ns/
credentialstore-1.0">
<!--uncomment this and the default subject in the jettty console
plan gives you admin console permissions-->
<!--<realm name="geronimo-admin">
<subject>
<id>default</id>
<credential>
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</
type>
<value>system</value>
</credential>
<credential>
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandl
er</type>
<value>manager</value>
</credential>
</subject>
</realm>-->
</credential-store>
</xml-attribute>
</gbean>
<!--DAJ you may want to replace this with something related to your
installation for non-toy admin console security -->
<!--Default security realm using properties files-->
<gbean name="properties-login"
class="org.apache.geronimo.security.jaas.LoginModuleGBean">
<attribute
name="loginModuleClass">org.apache.geronimo.security.realm.providers.Pro
pertiesFileLoginModule</attribute>
<attribute name="options">usersURI=var/security/users.properties
groupsURI=var/security/groups.properties</attribute>
<attribute name="loginDomainName">geronimo-admin</attribute>
</gbean>
<gbean name="geronimo-admin"
class="org.apache.geronimo.security.realm.GenericSecurityRealm">
<attribute name="realmName">geronimo-admin</attribute>
<reference name="LoginModuleConfiguration">
<name>properties-login</name>
</reference>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
</gbean>
<gbean name="properties-login"
class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
<attribute name="controlFlag">REQUIRED</attribute>
<reference name="LoginModule">
<name>properties-login</name>
</reference>
</gbean>
<gbean name="geronimo-default"
class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
<attribute name="keystoreName">geronimo-default</attribute>
<attribute name="keystorePath">var/security/keystores/geronimo-
default</attribute>
<attribute name="keystorePassword">secret</attribute>
<attribute name="keyPasswords">geronimo=secret</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
</gbean>
</module>
This will end up as a file named say mysecurity-plan.xml.
Deploy this using the console "deploy new" page, unchecking the "Start
app after install" checkbox.
Stop geronimo.
Edit var/config/config.xml so you have:
<module load="false" name="org.apache.geronimo.configs/server-
security-config/2.0.2/car"/>
<!-- replace this with the actual moduleId you used in the plan -->
<module name="org.apache.geronimo.configs/server-security-
config2/2.0.2/car"/>
at the end.
Edit var/config/artifact_aliases.properties to include lines
org.apache.geronimo.configs/server-security-config//
car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
org.apache.geronimo.configs/server-security-config/2.0.2/
car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
(again using the actual moduleId from your plan)
Now you should be able to start geronimo and it will use your security
config instead of the supplied one.
You should be able to deploy the plan using the command line tool but I
didn't try that. Note that you can have only one of the original config
and your replacement running at once since they have security realms with
the same name (they are supposed to replace each other).
Hope this helps and please ask if there are more problems
david jencks
- Brian
----- Original Message ----- From: "David Jencks"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, December 18, 2007 4:38 PM
Subject: Re: Custom LoginModule classloading issue in gernimo 2.0.2
My guess is that Aaron is right and this is an openejb bug.
The only way I can think to fix it is to replace the server- security-
config module with one that is identical except also including the jar
containing your login module as a dependency and the security realm
configuration you want. Deploy this plan into your geronimo server.
Also, while geronimo is stopped, add a line like
org.apache.geronimo.configs/server-security-config/2.0.2/ car=com.myco/
myserver-security-config/1.0/car
and another similar line without the 2.0.2 to var/config/
artifact_aliases.properties (where com.myco/myserver-security- config/
1.0/car is the moduleId of your replacement plan). When you restart
geronimo the realm should work.
I actually recommend doing this for any non-toy geronimo installation.
The provided server-security-config is really an example that's easy
to set up, but on a real installation you probably want access to the
admin console controlled by your enterprise security system, not a
couple of property files stuck in a geronimo directory.
let us know how this works
david jencks
On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
It's curious that, from the error, it appears to be looking for the
security realm in the OpenEJB class loader (which I guess is receiving
the remote call) instead of the application's class loader. Perhaps
the context class loader should be set by e.g.
EjbDaemon.processAuthRequest?
Thanks,
Aaron
On Dec 18, 2007 2:55 PM, Brian Dellert <[EMAIL PROTECTED]> wrote:
Hi.
I have created a simple custom login module which uses the principal
created
by the standard PropertiesFileLoginModule and adds a principal
containing a
group (which is looked up in a DB). I have configured a security
realm in
the geronimo-application.xml contained in my application ear file
including
both of these login modules as follows:
<gbean name="my-realm"
class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
<attribute name="realmName">my-realm</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0";>
<log:login-module control-flag="REQUISITE"
wrap-principals="false">
<log:login-domain-name>my-properties-file</
log:login-domain-name>
<log:login-module-
class>org.apache.geronimo.security.realm.providers.PropertiesFileLo gi
nModule</log:login-module-class>
<log:option
name="usersURI">var/security/users.properties</log:option>
<log:option
name="groupsURI">var/security/groups.properties</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL"
wrap-principals="false">
<log:login-domain-name>my-sql-role</ log:login-
domain-name>
<log:login-module-
class>my.company.security.realm.providers.SqlRoleLoginModule</
log:login-module-class>
<log:option name="roleSelect">SELECT username,
group_name FROM user_groups WHERE username=?</log:option>
<log:option
name="dataSourceApplication">null</log:option>
<log:option name="dataSourceName">MyPool</
log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</gbean>
Further, I have packaged the
"my.company.security.realm.providers.SqlRoleLoginModule" class in a
jar file
(my-login-module-1.0.jar). I have tried the following approaches to
get
this login module to load:
- Added my-login-module-1.0.jar to the root of my ear file.
- Added my-login-module-1.0.jar to the root of my ear file and
added this
jar file to the MANIFEST classpath of an ejb-jar file which is also
in the
ear file.
- Added my-login-module-1.0.jar to the geronimo repository by
placing it
in the repository/my/company/my-login-module/1.0/my-login-
module-1.0.jar
and added the following dependency to the dependency list in the
environment section of my geronimo-application.xml file:
<dependency>
<groupId>my.company</groupId>
<artifactId>my-login-module</artifactId>
<version>1.0</version>
<type>jar</type>
</dependency>
I am attempting to connect/authenicate in a remote JVM by setting up
the
JNDI context and performing an EJB lookup as follows:
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY,
"org.openejb.client.RemoteInitialContextFactory");
p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
p.put("openejb.authentication.realmName", "my-realm");
p.put(Context.SECURITY_PRINCIPAL, "my_username");
p.put(Context.SECURITY_CREDENTIALS, "my_password");
InitialContext ctx = new InitialContext(p);
Object obj = ctx.lookup("MyBusinessBeanRemote");
In all cases, I get the following error:
Caused by: javax.security.auth.login.LoginException: unable to find
LoginModule class:
my.company.security.realm.providers.SqlRoleLoginModule in
classloader org.apache.geronimo.configs/openejb/2.0.2/car
[INFO] at
javax.security.auth.login.LoginContext.invoke(LoginContext.java: 808)
[INFO] at
javax.security.auth.login.LoginContext.access$000
(LoginContext.java:186)
[INFO] at
javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[INFO] at java.security.AccessController.doPrivileged(Native Method)
[INFO] at
javax.security.auth.login.LoginContext.invokePriv
(LoginContext.java:680)
[INFO] at
javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[INFO] at
org.apache.geronimo.security.ContextManager.login
(ContextManager.java:77)
[INFO] at
org.apache.geronimo.openejb.GeronimoSecurityService.login
(GeronimoSecurityService.java:52)
[INFO] at
org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest
(AuthRequestHandler.java:56)
[INFO] at
org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest
(EjbDaemon.java:172)
[INFO] at
org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java: 130)
[INFO] at
org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
[INFO] at
org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
[INFO] at
org.apache.openejb.server.ServiceLogger.service (ServiceLogger.java:
73)
[INFO] at
org.apache.openejb.server.ServiceAccessController.service
(ServiceAccessController.java:55)
[INFO] at
org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java: 117)
[INFO] at java.lang.Thread.run(Thread.java:619)
I know that the dependency is getting at least recognized at ear
deployment
time since, if I remove the login module jar file from the geronimo
repository, the deployment of the ear fails.
The only way I have been able to get the class to load is by placing
it in
the lib/ext directory of my JRE installation, which doesn't seem
like the
correct approach. I am using geronimo 2.0.2 on Windows XP and the
1.6.0_03
Sun JVM. Any help with resolving this issue, and getting geronimo to
correctly load this login module class, would be greatly
appreciated. If
any additional information is needed, please let me know. Thanks.
- Brian
