On Nov 10, 2008, at 9:28 AM, Markku Saarela wrote:
After removing <container-managed-security /> from geronimo-ra.xml
and res-auth element from jackrabbit resource-ref in web.xml it works.
Excellent!
jackrabbit in my case is running in-vm so i remove any pooling.
Thanks to all for help.
- markku
ps. still my ultimate goal is to go for container managed security,
so i look for code to realize that.
I'm happy to provide advice but I'm not subscribed to the jackrabbit
lists (and can't deal with any more mailing lists). If you ask
questions here on the g. user list I'll do my best to answer.
My impression from the link you gave earlier was that jackrabbit
currently uses the supplied username and password to log into a JAAS
realm to get a Subject which is then used for authorization. If this
is correct then you ought to be able to simply pass the Subject from
container managed security directly through to the authorization
code. This is not exactly what is envisaged by the J2CA spec but I
expect it would work better than what is normally done. In this case
you wouldn't need to set up the special ManagedConnectionFactory-aware
login module.
The other possibility I can see is to use the spec-recommended
approach and extract the username/password from the MCF-specific
Credential in the container-managed-security Subject.
thanks
david jencks
David Jencks wrote:
On Nov 8, 2008, at 2:27 AM, Markku Saarela wrote:
Here is configuration documentation:
http://jackrabbit.apache.org/jackrabbit-configuration.html#JackrabbitConfiguration-Securityconfiguration
After read this documentation i thought that i do not need to use
jaas, but now i realize that there is jaas available and in
geronimo-ra.xml i found element <container-managed-security /> so
i'm actually using container managed security.
So how to configure that (geronimo documentation is little bit
confusing)?
I looked around the somewhat confusingly organized jackrabbit svn
(j2ca stuff seems to be present only in branches???) and found http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca
which seems like it might bear some resemblance to the code you
are using. This code does not support container managed security
at all. Unless you want to add this capability to jackrabbit you
need to stop configuring container managed security in your
geronimo plan.
If you do want to add this capability to jackrabbit, the place to
start is in http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca/src/main/java/org/apache/jackrabbit/jca/JCAManagedConnectionFactory.java?annotate=703899
162 : public ManagedConnection
createManagedConnection(Subject subject, ConnectionRequestInfo cri)
163 : throws ResourceException {
164 : dpfister 510465 165 : if (cri ==
null) {
166 : return new AnonymousConnection();
167 : }
168 : dpfister 230772 return
createManagedConnection((JCAConnectionRequestInfo) cri);
169 : }
and
182 : public ManagedConnection
matchManagedConnections(Set set, Subject subject,
ConnectionRequestInfo cri)
183 : throws ResourceException {
184 : for (Iterator i = set.iterator();
i.hasNext();) {
185 : Object next = i.next();
186 : 187 : if (next instanceof
JCAManagedConnection) {
188 : JCAManagedConnection mc =
(JCAManagedConnection) next;
189 : if (equals(mc.getManagedConnectionFactory())) {
190 : JCAConnectionRequestInfo otherCri =
mc.getConnectionRequestInfo();
191 : if (equals(cri, otherCri)) {
192 : return mc;
193 : }
194 : }
195 : }
196 : }
197 : 198 : return null;
199 : }
where the Subject supplied from container managed security is
ignored.
Out of curiousity, does jackrabbit run in-vm or are connections to
a remote server? If in-vm it might be better to run with pooling
turned off as it is likely that creating a new managed connection
is lighter weight than the synchronization involved in pooling
existing connections.
thanks
david jencks
- markku
David Jencks wrote:
Could you point to some documentation on the JCARepositoryHandle
and the ra.xml for this connector?
For container managed security you need to use something like the
plugins/connector/geronimo-connector/src/main/java/org/apache/
geronimo/connector/outbound/security/
CallerIdentityPasswordCredentialLoginModule.java which you can
deploy in a JAAS configuration using the
PasswordCredentialLoginModuleWrapperGBean.java
Since you are trying to supply the credentials in what appears to
be a "get connection" call I wonder if you actually want
container managed security?
thanks
david jencks
On Nov 7, 2008, at 11:17 PM, Markku Saarela wrote:
Hi,
Jackrabbit 1.4 (1.4.1 core) JCA deployed to Geronimo 2.1.1. Web
application or ejb session bean failed with repository login.
InitialContext lookup find Repository but calling
repository.login( new SimpleCredentials( "system",
"manager".toCharArray() ) ); method results exception:
Caused by: javax.resource.ResourceException: No subject for
container managed security
at
org
.apache
.geronimo
.connector
.outbound.SubjectInterceptor.getConnection(SubjectIntercepto
r.java:51)
at
org
.apache
.geronimo
.connector
.outbound.ConnectionHandleInterceptor.getConnection(Connecti
onHandleInterceptor.java:43)
at
org
.apache
.geronimo
.connector
.outbound.TCCLInterceptor.getConnection(TCCLInterceptor.java
:39)
at
org
.apache
.geronimo
.connector
.outbound.ConnectionTrackingInterceptor.getConnection(Connec
tionTrackingInterceptor.java:66)
at
org
.apache
.geronimo
.connector
.outbound.AbstractConnectionManager.allocateConnection(Abstr
actConnectionManager.java:87)
at
org
.apache
.jackrabbit
.jca.JCARepositoryHandle.login(JCARepositoryHandle.java:98)
So how to configure Geronimo to provide subject to connector?
rgds,
Markku
