On Aug 25, 2008, at 11:43 AM, Karel Gardas wrote:
Thank you both for your answers pointing to JACC guide. To be honest I've
already gone through it, but it looked more like how to implement JACC
provider than how to integrate already existing JACC provider into
Geronimo.
that's why I said there were a few hints rather than actual instructions :-/
What puzzles me most is sentence ``So now your JACC provider is installed
and configured and your app is running ...'' in ``Runtime permissions
decisions'' paragraph when before it it was not discussed how to install
and configure the JACC.
The kind of information I'm looking forward to reading is like: set system
property x.y.z to your Policy implementation and a.b.c to your
PolicyConfigurationFactory implementation. Put your JACC jars and
dependencies into lib XXX and restart Geronimo. Or start Geronimo, log into
the admin console, go to the node XYZ and add new JACC provider there and
your JACC jars into lib AAAA.
That's what I'm looking for, since my JACC provider is already working with
GlassFish and WebLogic and now I just need to configure it for Geronimo.
In the absence of actual documentation and time to write any today....
The policy and jacc setup are done in SecurityServiceImpl. Here's how
to configure them in a geronimo plan:
<gbean name="SecurityService" class="org.apache.geronimo.security.SecurityServiceImpl">
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
    <attribute name="policyConfigurationFactory">org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicyConfigurationFactory</attribute>
    <attribute name="policyProvider">org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicy</attribute>
</gbean>
Probably the easiest way to get your jacc implementation in is to copy
the j2ee-security config from framework/configs, rename it (maybe the
groupId?), include your jacc implementation jars as dependencies, set
the properties as needed, and include a line so your plugin replaces
the normal one. You'll need to build this with maven2. The
car-maven-plugin configuration would look something like this (this is
modified from our j2ee-security configuration):
<plugin>
    <groupId>org.apache.geronimo.buildsupport</groupId>
    <artifactId>car-maven-plugin</artifactId>
    <configuration>
        <category>Security</category>
        <instance>
            <plugin-artifact>
                <config-xml-content>
                    <gbean name="JMXService">
                        <attribute name="protocol">rmi</attribute>
                        <attribute name="host">#{ServerHostname}</attribute>
                        <attribute name="port">#{JMXPort + PortOffset}</attribute>
                        <attribute name="urlPath">/jndi/rmi://#{ServerHostname}:#{NamingPort + PortOffset}/JMXConnector</attribute>
                    </gbean>
                </config-xml-content>
                <config-substitution key="JMXPort">9999</config-substitution>
                <artifact-alias key="org.apache.geronimo.framework/j2ee-security//car">org.karel//replacement-security/${pom.version}/car</artifact-alias>
                <artifact-alias key="org.apache.geronimo.framework/j2ee-security/2.1.2/car">org.karel//replacement-security/${pom.version}/car</artifact-alias>
            </plugin-artifact>
        </instance>
    </configuration>
</plugin>
You'll also need to turn off the standard j2ee-security which can be
done in other ways but unless you need automated installation you can
just manually edit var/config/config.xml and add the attribute
load="false" to the entry for j2ee-security.
You'll almost certainly need to do something so that the identity to
role association can be installed, but without knowing what your jacc
implementation expects I can't give much advice. This part is not
covered by the jacc spec and is not standardized. In geronimo we have
an explicit principal to (application) role mapping in the geronimo
plans that is pushed into the jacc system through a geronimo specific
interface. You may be able to adapt your jacc provider to accept the
same information in which case you only need to implement this
interface and make it available. Otherwise we'll have to talk about
what to do.
thanks
david jencks
Thanks!
Karel
djencks wrote:
This has been done successfully before :-). I recommend working with
geronimo 2.1.2; things may change a bit in trunk.
There are a few hints at http://cwiki.apache.org/GMOxDEV/jacc-guide.html
You may well have lots of questions after reading this, and please
feel free to ask. In particular it may not be clear how to provide
the identity to role association to your jacc implementation.
Hopefully I will have time to improve the docs as your questions get
answered :-)
thanks
david jencks
On Aug 25, 2008, at 10:51 AM, Karel Gardas wrote:
Hello,
I do have custom JACC provider which is working well with GlassFish and
WebLogic and I would like to port it to Geronimo too. I've tried to search
internet for hint/howto do this, but have not found any. Is there any such
document available?
Thanks!
Karel
--
View this message in context:
http://www.nabble.com/How-to-integrate-custom-JACC-provider-into-Geronimo--tp19148519s134p19148519.html
Sent from the Apache Geronimo - Users mailing list archive at
Nabble.com.
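The two manual edits described in David Jencks's reply, put side by side as an added example (not part of the original thread and not Geronimo's own files): the SecurityService gbean in the copied j2ee-security plan pointing at a custom provider, and the var/config/config.xml entry that keeps the stock module from loading. The org.karel.jacc.* class names are hypothetical placeholders for the custom provider's classes, and the form of the module element is an assumption based on the Geronimo 2.1 config.xml layout.

```xml
<!-- 1. Plan of the replacement module (copied from framework/configs/j2ee-security).
        Only the two attribute values change. The org.karel.jacc.* class names are
        hypothetical; use the Policy and PolicyConfigurationFactory classes that
        ship in your provider's jars, which must be listed as dependencies of
        this module so they are on its classpath. -->
<gbean name="SecurityService" class="org.apache.geronimo.security.SecurityServiceImpl">
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
    <attribute name="policyConfigurationFactory">org.karel.jacc.CustomPolicyConfigurationFactory</attribute>
    <attribute name="policyProvider">org.karel.jacc.CustomPolicy</attribute>
</gbean>

<!-- 2. Entry in var/config/config.xml (element form assumed). With load="false"
        the stock j2ee-security module is not started, so only the replacement
        module's SecurityService installs a policy provider. -->
<module name="org.apache.geronimo.framework/j2ee-security/2.1.2/car" load="false"/>
```

If both the stock and the replacement module were loaded, two SecurityService gbeans would each try to install a policy provider, which is why the reply pairs the artifact-alias lines with turning the standard module off.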