Hello David,
Thanks for your response.
It runs with the following constellation:
1. Create my own security realm called myRealm
2. Use myRealm in geronimo-web.xml
3. Use LoginContext and a custom CallbackHandler which knows the
required username and password

    MyCallbackHandler handler = new MyCallbackHandler();
    handler.setUsername( req.getUser() );
    handler.setPassword( req.getPass() );
    LoginContext loginCtx = new LoginContext("myRealm", handler);
    loginCtx.login();
    Subject s = loginCtx.getSubject();
    Set<Principal> principals = s.getPrincipals();

This works fine. But I am wondering about the role mapping part in
geronimo-web.xml. I expected that the principal users, defined in myRealm's
database, would be mapped to test1 (see the end of my text for
geronimo-web.xml). The GroupPrincipal of the Subject is named users and not
test1, as I expected. Does this mechanism only work in combination with
security configuration in web.xml? Or is there an error in my configuration?

Security part in geronimo-web.xml:

    <security-realm-name>myrealm</security-realm-name>
    <security>
      <default-principal realm-name="myrealm">
        <principal name="anonymous"
            class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
      </default-principal>
      <role-mappings>
        <role role-name="test1">
          <realm realm-name="myrealm">
            <principal name="users"
                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
          </realm>
        </role>
        <role role-name="test2">
          <realm realm-name="myrealm">
            <principal name="admins"
                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
          </realm>
        </role>
        <role role-name="test3">
          <realm realm-name="myrealm">
            <principal name="superadmins"
                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
          </realm>
        </role>
      </role-mappings>
    </security>

Regards and thanks a lot!!
Jochen
> -----Original Message-----
> From: "David Jencks" <[email protected]>
> Sent: 08.01.09 00:37:51
> To: [email protected]
> Subject: Re: Security and WebServices
>
> On Jan 7, 2009, at 5:03 AM, Jochen Zink wrote:
>
> > Hello,
> >
> > I want to use Geronimo's security system together with a JAX-WS 2.1
> > WebService (WAR file).
> >
> > My vision ;):
> > - standard security configuration: all URLs like /services/* are
> > secure
> > - Using a standard LoginModule (A Geronimo one or a self written for
> > BinarySecurityTokens)
> >
> > Is it possible to secure a WebService with the standard
> > security mechanism or must the application handle the ws-security
> > header? If the application has to handle it, is it possible to get
> > access to a LoginModule and how does this work?
>
> Can I check that you want to send the credentials inside the xml
> message? At the moment we don't have any support for that. In the
> future it may be possible to handle this with a JASPI authentication
> module.
>
> You can get the credentials yourself and log in to a JAAS realm using
> org.apache.geronimo.security.ContextManager.login(realmName,
> callbackHandler) where realmName is the name of a security realm
> you've set up in geronimo and callbackHandler is a callback handler
> you've stuffed the credentials into. This will log in and install the
> user in the geronimo security framework. However if your code to do
> this is in the application (such as a filter or servlet) you can't use
> javaee web security constraints because they will have already been
> evaluated by the time control gets to your auth code. You ought to be
> able to use javaee ejb security with the logged in Subject although I
> haven't tested this for problems I haven't thought of.
>
> Hope this helps. Please supply more details if appropriate. I'm
> running into several similar situations recently and more info on what
> people would like to be able to do would be great to figure out how to
> support this.
>
> thanks
> david jencks
>
> >
> >
> > Thanks a lot!
> > Regards
> > Jochen
> >
>
>
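
The custom CallbackHandler from step 3 above, which is also the "callback handler you've stuffed the credentials into" from the quoted reply, could look like the following. This is an added example, not code from the thread or from Geronimo: only the names MyCallbackHandler, setUsername and setPassword come from the mail; the class body, the clear() method and the sample values in main are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.*;

// Added example: a handler pre-loaded with credentials, as in step 3 of the mail.
public class MyCallbackHandler implements CallbackHandler {
    private String username;
    private char[] password;

    public void setUsername(String username) { this.username = username; }
    // Keep the password as char[] so it can be wiped after login.
    public void setPassword(String password) {
        this.password = (password == null) ? null : password.toCharArray();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // PasswordCallback.setPassword stores its own copy of the array.
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Refuse anything unexpected rather than ignoring it silently.
                throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    // Hypothetical helper: call once loginCtx.login() has returned.
    public void clear() {
        if (password != null) Arrays.fill(password, '\0');
        password = null;
    }

    // Stand-in for what a login module does during LoginContext.login().
    public static void main(String[] args) throws Exception {
        MyCallbackHandler handler = new MyCallbackHandler();
        handler.setUsername("jochen");          // constructed sample value
        handler.setPassword("not-a-real-pw");   // constructed sample value
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] { name, pass });
        System.out.println(name.getName() + " / " + pass.getPassword().length + " chars");
        handler.clear();
    }
}
```

The main method only exercises the handler directly so the class runs without a configured realm; in the application the same instance is passed to new LoginContext("myRealm", handler) as shown in the mail.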